Class Actions and Data Protection
Nicola Sharp outlines the issues at the centre of a long-running data protection case.
The Supreme Court has issued its long-awaited ruling in the Lloyd v Google case. It has overturned the Court of Appeal’s 2019 ruling and has prevented a US-style class-action lawsuit being brought in the English courts.
Richard Lloyd brought the claim, on behalf of more than four million Apple iPhone users, over Google’s alleged tracking of personal data. But the Supreme Court, in a unanimous decision, disallowed the privacy class action for compensation.
Background
The case related to Google’s use of advertising cookies to collect data on iPhone users’ internet browsing habits between 2011 and 2012. Those individuals had no knowledge of the use of the cookies. In the simplest of terms, Google subsequently sold the data collected through use of the cookies (some of which is alleged to have been sensitive in nature) to third parties for advertising purposes.
Richard Lloyd, a well-known consumer rights activist and former director of consumer group Which?, was claiming damages on behalf of all four million iPhone users whose data was obtained by Google.
The Relevant Law
The case, which was brought under the Data Protection Act 1998 (DPA), hinged on two points of English law:
- Whether individuals should be compensated for having personal data taken without consent, and
- Whether individuals could band together in a representative class-action style group to sue companies in the English High Court.
The Civil Procedure Rules in England make express provision for “opt-out” class claims to be brought only in a competition law context. As this was a privacy law matter, Lloyd’s claim sought to fashion the claim as a representative action under rule 19.6 of the Civil Procedure Rules. Rule 19.6 allows an individual to bring a claim on behalf of a wider class, where all members of that class have the “same interest” in the claim.
This requirement for all class members to have the “same interest” has, to date, been interpreted strictly by the English courts as requiring the claimants to have a common interest and grievance (which generally prevents claims relying on different fact patterns) and to all benefit from the remedy sought (which generally prevents claims for different remedies). This prompted Lloyd to disavow each class member’s individual circumstances and instead ask the court to award damages to each class member on a “lowest common denominator” basis. He contended that the lowest common denominator was the hypothetical person least affected by the breach, and that such a person - and every other class member - should receive an award in respect of their “loss of control” of their personal data. The sum of £750 per person was suggested.
As Google is a US Company, Mr Lloyd sought permission from the English court to serve Google outside the jurisdiction. Google sought to strike out the claim on the basis that it had no real prospect of success. Google was initially successful, but Mr Lloyd was successful before the Court of Appeal, which led to the case being taken to the Supreme Court.
Supreme Court Decision
The Supreme Court’s decision centred around two key issues:
- Whether the claim could be brought as a representative action and the appropriateness of doing so; and
- Whether damages could be awarded to the class under the DPA for Google’s breach of the DPA.
Appropriateness of representative action
The Supreme Court ruled that it was not appropriate for Mr. Lloyd to bring a representative action claiming damages on behalf of the four million Apple iPhone users.
The only requirement for a representative action to be brought is that the representative has the “same interest” in bringing the claim as the persons represented. The issue in Mr Lloyd’s claim, as identified by the Supreme Court was the fact that Mr Lloyd was seeking damages on behalf of the iPhone users (the members of the class) on a uniform, lowest common denominator ‘tariff’ basis (£750 per person, for loss of control of personal data). In reality, the extent of the harm suffered by the members of the class would ultimately depend on a range of factors, such as the extent of the tracking carried out by Google in relation to each user, and the sensitivity of the information obtained by Google. This would require each class member to have their claim for damages assessed on an individual basis.
The Supreme Court said it was possible for a representative action to include a claim for damages where the represented class members had all suffered the same loss. This could happen when, for example, they had all been overcharged the same sum or they had all been sold a defective product which was worth equally less in each instance. But these scenarios are somewhat exceptional. It was said that in most cases there will need to be an individualised assessment of what has happened to each class member - and that a representative action is an unsuitable vehicle for this because individual class members do not participate in the action. Accordingly, it was held that Mr Lloyd had failed to meet the “same interest” requirement under CPR 19.6.
Damages under the DPA
The second issue the Supreme Court had to consider was the damages being sought. The purpose of damages under common law is to put the individual in the same position that they would have been in if the wrong had not been committed. Similarly, section 13 of the DPA gives an individual who suffers damage “by reason of any contravention by a data controller of any of the requirements of this Act” a right to compensation from the data controller for that damage.
Mr Lloyd argued that the class members were entitled to compensation under the DPA on the basis that Google’s breach had resulted in them incurring a “loss of control” of their personal data. The Supreme Court rejected his argument on the basis that individuals must have suffered material damage (i.e., financial loss or distress) to be entitled to compensation under section 13 of the DPA. It was not possible to construe section 13 of the DPA as providing individuals with a right to obtain compensation solely on the basis of a controller’s breach of the DPA. While certain members of the class may indeed have suffered material damage as a result of Google’s breach, the way in which the claim was structured (i.e., on a lowest common denominator basis) made it impossible for damages to be awarded under it.
Conclusion
The ruling is highly significant, as it will have implications for any such cases in the future. But it may not be as restrictive as one might think.
Under a US-style representative or class action, a group of people affected by the same issue are represented by a single person and are automatically part of a lawsuit, without individually signing up, unless they opt out. The English Courts have always deterred US-style class action lawsuits, and this judgement reaffirms this stance.
However, the Supreme Court’s decision does not eliminate a class action - it still remains a viable way of claiming damages. The issue in this case was how it was brought, and its judgement was based solely on these facts.
While Mr Lloyd’s claim failed to meet the “same interest’’ test, the court highlighted other formulations which would have satisfied the CPR 19.6 requirements. In addition, the Supreme Court’s analysis relates to the position under the Data Protection Act 1998 and not the UK General Data Protection Regulation (GDPR), which was introduced in the Data Protection Act 2018. Data controllers should, therefore, be aware of potential consumer litigation relating to breaches of this.
Ultimately, the Supreme Court did not say that Google or other data controllers could not be liable for damage caused to groups of consumers. It was the way in which Mr Lloyd sought to bring this particular claim which meant that it could not work, due to a combination of the terms of the Data Protection Act 1998 and the Civil Procedure Rules.
