Summary
The UK’s Supreme Court has handed down its much-anticipated and long-awaited decision in the case Lloyd v Google [2021] UKSC 50. In doing so, the court has rejected the claims asserted by Mr. Lloyd against Google and has disappointed those who wished to be able to bring class actions more easily for breach of data protection law. The wider public justification for such claims was perceived to have arisen due to the lack of regulator resources to enforce data protection law vigorously enough.
In essence, the claim failed, not because there were no breaches but because the attempt to shoehorn the claims into a form of action which is currently permitted by the court rules was rejected. The problem with bringing such claims using existing processes has been that the economic value of each individual claims is unlikely to be high enough to make them worthwhile litigating over. The court ruled that in order to bring such claims it is necessary to adduce evidence of the wrongful use of the personal data in question and of the damage caused by it for each claimant; this is likely to render bringing many such claims uneconomical. Proof of loss of control over any given individual’s data was not enough by itself – it was necessary to prove some non-trivial damage or distress had flowed from this loss of control.
Irrespective of the merits of bringing claims like this in order to protect the rights of individuals to their privacy, the court signalled that legislative intervention by the Government would be necessary to achieve this as the Government has done in the case of class actions brought for breach of competition law.
Although the decision related to the Data Protection Act 1998 (“DPA”) which has been repealed following the coming into force of the General Data Protection Regulation (“GDPR”) (and now, post-Brexit, the UK GDPR), this judgment looks likely to apply to the existing legislation notwithstanding that article 80 of the GDPR makes it clear that individuals can claim compensation for damage for breach of the law irrespective of whether the damage is material or non-material.
Background
This case relates to the so-called “Safari Workaround” which Google installed in around 4 million iPhones in the UK. This workaround allowed Google to bypass various protections in the Apple Safari browser, enabling Google to harvest data about the use of the internet by the owners of the phones without their consent. This data could then be used by Google to target advertising for its own gain.
Mr. Lloyd brought proceedings against Google claiming damages for breach of the DPA using the tried and tested court rules for bringing representative actions. These permit a claim to be brought by a person as a representative of others who have the “same interest” in the claim. Mr. Lloyd argued that the “same interest” requirement was satisfied by virtue of the iPhone users’ loss of control over their data as a result of Google’s processing in breach of the DPA. It was estimated that over 4 million people might fall into the class and as a result the potential damages would be significant.
As Google is a U.S. company incorporated in the State of Delaware, the claimant needed permission to serve the claim form on Google outside the UK’s jurisdiction.
The application for permission to serve out was contested by Google on the grounds that the claim had no real prospect of success for two reasons. First, damages cannot be awarded under the DPA for “loss of control” of data without proof that it caused financial damage or distress. Second, the claim in any event is not suitable to proceed as a representative action. In the High Court, Warby J decided both issues in Google’s favour and therefore refused permission to serve the proceedings on Google. The Court of Appeal disagreed, and Google then appealed to the Supreme Court.
Class actions and data protection claims
Class actions, in which a single person is permitted to bring a claim and obtain redress on behalf of a class of people who have been affected in a similar way by alleged wrongdoing, have long been possible in other jurisdictions including the United States, Canada and Australia, but at present there is no such regime in the United Kingdom other than the representative action route. Enacting legislation to permit such litigation has been discussed in the UK but, in 2009, the UK Government decided against introducing a generic class action regime applicable to all types of claims, preferring a “sector-based approach” and, to date, the UK has not legislated to establish a class action regime in the field of data protection.
Mr. Lloyd sought to overcome this difficulty by the use of the representative action procedure in the UK’s Civil Procedure Rules. Under these rules a claim can be brought by one or more persons as representatives of others who have the “same interest” in the claim. Mr. Lloyd accepted that he could not use this procedure to claim compensation on behalf of other iPhone users if the compensation recoverable by each user would have to be individually assessed – because they would not all have the “same interest”. However, he argued that this was not necessary because damages can be awarded under the DPA for “loss of control” of personal data without the need to prove that any financial loss or mental distress was suffered as a result of the breach.
Mr. Lloyd’s team further argued that a “uniform sum” of damages can properly be awarded in relation to each person whose data protection rights have been infringed without the need to investigate any circumstances particular to their individual case. The amount of damages recoverable per person would be a matter for argument, but a figure of £750 per person was advanced in a letter of claim. Multiplied by the number of people whom Mr. Lloyd claimed to represent, this would produce an award of damages to the order of £3 billion.
The key arguments as to whether uniform damages for loss of control can be claimed under the DPA
Mr. Lloyd’s argument was that an individual is entitled to recover compensation under section 13 of the DPA without proof of material damage or distress whenever a data controller fails to comply with its obligations under the DPA in respect of that individual’s personal data and the breach is not trivial or de minimis.
Any such breach, Mr. Lloyd claimed, involved the “loss of control” of data for which compensation is payable. The basis for this argument was that, as a matter of principle, the courts should adopt the same approach to the award of damages for breaches of data protection law as for the misuse of private information (based on the Court of Appeal decision in Gulati v MGN [2015] EWCA Civ 1291, a case relating to phone hacking by newspapers, in which the court awarded substantial damages for loss of control over the claimant’s data without any need to prove material damage or distress) because the two claims have a common source as they both seek to protect the same fundamental right to privacy (as guaranteed in English law by the Human Rights Convention). Given that the tort of misuse of private information and data protection law are both rooted in the right to privacy, it was argued that it would be wrong in principle to adopt a different approach as to the nature of the damage which can be compensated under the two regimes. Thus, a court should be entitled to award damages for interference with a person’s right to privacy, without the need to prove that the interference resulted in any material damage or distress, irrespective of the grounds on which the claim is brought.
Supreme Court decision
Unfortunately for Mr. Lloyd (and any iPhone users who might have been hoping for a £750 payday), the Supreme Court rejected this argument for two reasons. First, it said that, on its proper construction, section 13 of the DPA does not allow a court to award compensation without the need to prove material damage or distress. Second, the court said that the logic of linking the tort of misuse of private information to a breach of data protection law was in any event flawed.
In relation to the first point the court ruled that “…if the term “damage” in section 13 is to be interpreted as having an even wider meaning and as encompassing an infringement of a data subject’s rights under the Act which causes no material damage nor even distress, that could only be because this result is required by EU law. On a purely domestic interpretation of the DPA 1998, such a reading is untenable…”.
The court said that the critical question to be resolved is whether the term “damage” as used in section 13 of the DPA should be interpreted to encompass the loss of control over data per se in order to make UK law compatible with EU law (the case was brought before Brexit). To address this issue the court identified two aspects of this question. First, what does the term “damage” mean in article 23 of the Data Protection Directive, which section 13 of the DPA was intended to implement; and second, if “damage” in article 23 includes breaches of UK law adopted pursuant to the Data Protection Directive which cause no material damage or distress, is it possible to interpret the term “damage” in section 13 of the DPA as having the same meaning?
In relation to the first question, the Supreme Court said it was correctly held in the Court of Appeal decision in Vidal-Hall v Google [2015] EWCA Civ 311 that section 13 of the DPA could not be construed as providing a general right to compensation for distress suffered as a result of a breach of the DPA “without contradicting the clearly expressed intention of Parliament on an issue that was central to the scheme” of the legislation. In the view of the Supreme Court, the same was also true of the argument that section 13 of the DPA can be interpreted as providing a right to compensation for breaches of the DPA which have not caused any distress, let alone any material damage.
The court then pointed out that, if it were found that this interpretation has the result that the DPA is incompatible with the Data Protection Directive, such incompatibility could only be dealt with by amending the DPA, which is something that only Parliament is entitled to do. However, in the view of the Supreme Court, no such incompatibility existed because there is no reason to interpret the term “damage” in article 23 of the Data Protection Directive as extending beyond material damage and distress. The wording of article 23 draws the same distinction as section 13 of the DPA between the “damage” and the unlawful act which results in the damage. In consequence, the view of the Supreme Court was that EU law did not provide a basis for giving a wider meaning to the term “damage” in section 13 of the DPA than was given to that term by the Court of Appeal in the Vidal-Hall case.
In relation to the second question, the court ruled that, as a matter of principle “…the fact that the common law privacy tort and the data protection legislation have a common source in article 8 of the Convention does not justify reading across the principles governing the award of damages from one regime to the other…”. The court identified several differences between the two causes of action including that one related to private information and the other to personal data which may not be private.
Accordingly, the court concluded section 13 of the DPA cannot reasonably be interpreted as conferring on a data subject a right to compensation for any (non-trivial) breach by a data controller of any of the requirements of the DPA without the need to prove that the breach has caused material damage or distress to the individual concerned.
The need to prove the breach
The court went on to explain that there was a further reason why the claim under section 13 of the DPA brought by means of a representative claim could not succeed. It said that even if it were unnecessary to prove that an individual suffered material damage or distress as a result of the unlawful processing of their personal data in order to be compensated, it would still be necessary for this purpose to establish the extent of the unlawful processing in each individual’s case. The court pointed out that in deciding what amount of damages, if any, should be awarded, it would need to consider a number of factors, including:
- Over what period of time did Google track the individual’s internet browsing history?
- What quantity of data was unlawfully processed?
- Was any of the information unlawfully processed of a sensitive or private nature?
- What use did Google make of the information and what commercial benefit, if any, did Google obtain from such use?
Can user damages be claimed instead?
The court also rejected a potential claim based on so called “user damages” – i.e. damages quantified by estimating what fee each member of the represented class could reasonably have charged – or which would reasonably have been agreed in a hypothetical negotiation – for releasing Google from the duties which it breached. It decided that although a claim for user damages might have been made as part of a claim for the misuse of private information, no such claim had been made in this case; the only claim made was under section 13 of the DPA and as a result user damages were not available. This is because the court had already decided, as explained above, that damages can only be awarded under section 13 of the DPA for material damage or distress caused by a breach of the DPA and not for the infringement itself.
Lowest common denominator damages
The court also criticised the argument that it is possible to identify an “irreducible minimum harm” suffered by every member of the representative class in respect of which a “uniform sum” of damages could be awarded – described as the “lowest common denominator” of all the individual claims.
In relation to bringing a claim based on the lowest common denominator, the court considered it possible that, as a matter of discretion, it could – if satisfied that the persons represented would not be prejudiced and with suitable arrangements in place enabling them to opt-out of the proceedings if they chose – allow a representative claim to be pursued for only a part of the compensation that could potentially be claimed by any given individual. However, it said that the fundamental problem with this approach is that, if no individual circumstances are taken into account, the facts alleged are insufficient to establish that any given individual member of the represented class is entitled to damages.
The need for individual evidence of a serious breach
In the view of the court, the generic facts alleged against Google could not establish that any given individual is entitled to compensation. To establish any such claim the court noted that it is necessary to prove, at least, that there was unlawful processing by Google of that person’s personal data. Thus, in considering whether the evidence is capable of establishing an entitlement to damages, it is necessary to identify what unlawful processing by Google of personal data is alleged to have occurred, not only in Mr. Lloyd’s own case but also in the case of each other member of the represented class. Membership of the represented class is not sufficient by itself to entitle an individual to compensation, without proof of any further facts particular to that individual.
Further, the court noted that even on Mr. Lloyd’s own case there is a threshold of seriousness which must be crossed before a breach of the DPA will give rise to an entitlement to a right to compensation under section 13 of the DPA. The court thought it unlikely that the facts would establish that this threshold was crossed in this case, considering it (possibly controversially) impossible to characterise such damage as more than trivial. The court thought that what gave the claim the appearance of substance was the allegation that Google secretly tracked the internet activity of millions of Apple iPhone users for several months and used the data obtained for commercial purposes. The problem with this allegation is that the claimant was seeking to recover damages without attempting to prove that it was true in the case of any individual for whom damages are claimed.
Conclusion
The Supreme Court concluded that the claim had no real prospect of success. That is because, in the way the claim has been framed in order to try to bring it as a representative action, the claimant sought damages under section 13 of the DPA for each individual member of the represented class without attempting to show that any wrongful use was made by Google of personal data relating to that individual or that the individual suffered any material damage or distress as a result of the breach by Google.
Comments
This decision had been eagerly awaited as its outcome was expected to have an impact on a number of other cases relating to breaches of data protection law, many funded by litigation funding arrangements. In the light of this judgment, the manner in which these claims may be brought will need careful consideration and it may be that a number of them will prove to be uneconomical to bring or will need to be restructured if there is a requirement to prove individual loss or distress.
For instance, the court did suggest that claims such as this could be brought using a “bifurcated process” whereby issues common to the claims of a class of persons may be decided in a representative action which, if successful, can then form a basis for individual claims for redress. However, the court recognised that in practice such an approach may not be viable as “…success in the first, representative stage of such a process would not itself generate any financial return for the litigation funders or the persons represented. Funding the proceedings could therefore only be economic if pursuing separate damages claims on behalf of those individuals who opted into the second stage of the process would be economic…”.
Nevertheless, for some types of claim the second stage might be economic particularly if the evidence can be gathered and presented in a way which reduces the cost typically associated with the collection and presentation of evidence.
A further point to note is that this case was brought under the law preceding the GDPR. Article 80 of the GDPR makes it clear that the damage for which compensation can be claimed for breach of the regulation can be “material” or “non-material” and recital 85 refers to loss of control over data as being a potential consequence of a breach of the law. However, it may not be easy to argue that this clarification of the types of damage which can be claimed overrides the requirement identified by the Supreme Court that it is still necessary to prove the loss in question on an individual basis. In order to avoid the need to prove individual loss, it may be necessary for the Government to bring forward legislation allowing for opt-out claims for breaches of data protection law in the same way that it has done for breaches of competition law. Opt-out collective proceedings brought for breaches of competition law enables liability to be established simply by showing that loss has been suffered by the class a whole.
/Passle/62189924f636e915f48daeda/SearchServiceImages/2024-11-19-17-06-31-873-673cc5973578d9951b12b97b.jpg)
/Passle/62189924f636e915f48daeda/SearchServiceImages/2024-11-20-20-24-58-796-673e459a3d6528422d73de84.jpg)
/Passle/62189924f636e915f48daeda/SearchServiceImages/2024-11-06-15-09-47-514-672b86bb664d2f660e382534.jpg)
/Passle/62189924f636e915f48daeda/MediaLibrary/Images/2024-09-27-10-16-43-196-66f6860bca7f885a74f8ca72.jpg)
/Passle/62189924f636e915f48daeda/MediaLibrary/Images/2024-09-25-15-45-48-250-66f4302cbe096d8119c129b5.jpg)