Lloyd v Google: A Sigh of Relief for Data Controllers
In unanimously refusing to allow a representative action to proceed, the UK Supreme Court may have sounded the death knell for opt-out class actions in England for data breaches: Lloyd v Google [2021] UKSC 50.
The Safari workaround
Back in 2011 Apple’s Safari web browser on iPhones blocked all third-party cookies. This prevented popular websites from working so Apple introduced some exceptions. Lloyd, a former executive director of the consumer group Which?, alleges that Google used these to enable its “DoubleClick Ad” cookie to be put on users’ devices without their knowledge or consent whenever the user visited a site with Google’s content: the Safari workaround. This, according to Lloyd, allowed Google to tell, among other things, the date and time of any visit, how long the user spent there, which adverts were viewed and for how long, and the approximate geographical location of the user (from the IP address). Over time, the allegation was that Google was able to build up profiles of the users who were grouped as, for example, “football lovers”, or “current affairs enthusiasts”.
Permission to serve out of the jurisdiction
Lloyd was trying to bring a representative action on behalf of more than four million iPhone users in England, for claimed breaches of data protection legislation arising from the use of the Safari workaround, specifically section 13 of the Data Protection Act 1998 (being a pre-GDPR cause of action). To serve a claim form on Google in the U.S., Lloyd needed to show that the claim had a reasonable prospect of success.
Representative action – a form of opt-out class action?
Lloyd was trying to use a longstanding procedural mechanism to fashion an opt-out class action for the claim. Outside of the relatively new collective proceedings mechanism in the Competition Appeal Tribunal, where you can bring opt-out anti-trust class actions, we have not seen this in England before. Representative actions were developed by the Courts of Chancery in the 16th and 17th centuries and have since found their way into the modern Civil Procedural Rules (CPR, 19.6). The obstacle for claimants trying to bring a representative action has always been the requirement to show that all members of the class have the “same interest” in the claim. Many attempts have been rejected for failing to meet this exacting prerequisite. Jalla v Shell is a recent example where the Bonga community in Nigeria were not able to show sufficient identity of interest in a claim relating to an oil spill: limitation, causation and damage all varied between the 28,000 members of the group. Claimants wishing to bring group actions have therefore tended to rely on group litigation orders (GLOs) to pursue their claims. The requirement for a GLO is only that there are common or related issues of fact or law. GLOs are opt-in, however, which can be a less favorable option for claimants seeking to exert pressure on a defendant: the economics and administrative burden are far less advantageous. The unsuccessful claim by around 5,500 employees (out of 100,000 potentially affected) against Morrisons for claimed data breaches that went to the Supreme Court in 2020 was brought under a GLO.
Google said that Lloyd had not shown any basis for claiming compensation (no actual damage had been suffered). Google also said that, in any event, the court should not permit the claim to continue as a representative action. The claimants did not have the “same interest” and could not be identified. So, by definition, Lloyd had no reasonable prospect of success.
Lloyd (and his team of three QCs backed by a litigation funder) sought to counter this by deliberately framing the claim as one for uniform, per capita, compensation for “loss of control” of personal data and not pursuing claims for material damage or distress, the quantum of which could be different for different claimants. He argued that:
All that was needed was to show a loss of control of the personal data. This was the only “damage” required to pursue the claim. The claim did not depend on showing, in addition, pecuniary loss or distress.
There was no variation in the “damage” that the claimants suffered since, it was claimed, they all suffered the same loss of control. The claimants all had the “same interest”
As a result, Lloyd said, there was a reasonable prospect of success.
Interveners
There were six interveners. Among them was the Information Commissioner’s Office, taking Lloyd’s side. At the two-day hearing in April, the ICO was asked why it had not taken regulatory action. The gist of its answer was that the regime was different 10 years ago.
Supreme Court conducts an extensive review of representative actions
The court undertook a detailed review of representative actions both in England and the Commonwealth. Acknowledging that the world had changed beyond recognition since their inception, it nonetheless had to reconcile the cases and interpret the meaning of “same interest” in the light of the overriding objective of the civil procedural rules.
Conceptually the court noted that a representative action is not founded on consent; it is based on community of interest.
Bifurcated process would have been okay
The court saw no objection in principle to the case being brought in two stages: a representative action on liability seeking a declaration that damage had been suffered; and then separate actions by individual claimants or by opt-in group litigation, where appropriate, pursuing damages for material damage or distress. The court accepted that this may well not be economically viable.
The court referred to the Judge’s finding at first instance that in fact the class members were not impacted uniformly by the Safari workaround. There were 17 distinct categories of personal data. Some were sensitive personal data (eg sexuality or ethnicity). Users also would have had quite different attitudes to the use of the data by Google.
No action for “loss of control” under s13 DPA 1998
Fundamentally, the court did not accept, as a matter of statutory interpretation, that the DPA 1998 gave an individual a right to compensation without proof of material damage or distress whenever a data controller commits a non-trivial breach of any requirement of the DPA 1998 in relation to any personal data of which that individual is the subject. A claim could not exist for mere loss of control under the DPA 1998, in the way that it could for misuse of private information (see the phone-hacking case Gulati).
Unlike the Court of Appeal, the Supreme Court did not believe that EU law changed the meaning of “damage” to cover a simple loss of control. Neither the DPA 1998, nor the Data Protection Directive behind it, contemplated compensation for infringement of a legal right which causes no material damage or distress.
The need to evidence individual unlawful processing
The claim against Google was (deliberately) pleaded on a generic basis. Lloyd said all that was required was that a claimant had an iPhone during the relevant period and accessed a website via the Safari browser that participated in Google’s DoubleClick advertising service while present in England. This was insufficient. Lloyd needed to show actual unlawful processing of each individual’s data to enable the court to decide the amount of damages, if any, that should be awarded.
No permission to serve out
The court decided for all the above reasons that Lloyd had no reasonable prospect of succeeding in his claim and so permission to serve out was not given.
Comment
Given the case law, it was always going to be a stretch to fit a class action of this size and with this potential variance among the members within the representative action regime. Lloyd did his best to craft a claim specifically to do this but the Supreme Court was not persuaded.
Claimants are likely to revert to GLOs which are opt-in and collective proceedings (if there is an anti-trust angle). As the Morrisons case showed, where fewer than 10% of the class opted-in, the economics of GLOs may make them less attractive than opt-out class actions. Alternatively, some claimants may be able to make the bifurcated approach work.
It was not put in these terms but the emphasis on damages being for compensation contrasts with what lies behind regulatory fines which have a significant punitive element.
The decision also makes clear that individually or collectively there is no cause of action for mere “loss of control” under the DPA 1998.
For those who read my note on the Court of Appeal decision, it turns out it did not matter, after all, that I had a BlackBerry back in 2011.
A sigh of relief then for data controllers.
This article is authored by Jason Rix at the law firm Allen & Overy. Susanna Charlwood, Nigel Parker, Nick Gomes, Zoë Jensen, Karen Birch, and Emma Keeling all helped with this post. We received permission from the firm to republish the article for the ADCG community. The original post can be found here.