On 10 November 2021, the UK Supreme Court unanimously rejected Mr Richard Lloyd’s attempt to bring representative proceedings against Google. Styled by the Court of Appeal as a champion of consumer protection, Mr Lloyd sought damages for approximately 4 million Apple IPhone users under section 13 of the Data Protection Act 1998 (“the DPA 1998”) after the unlawful processing of their data. He had suggested uniform damages at £750 per user which would have landed Google with a bill for £3 billion.

Background

In late 2011 and early 2012, Google had secretly tracked users’ internet usage through use of their “DoubleClick Ad cookie”. This cookie enabled Google to collect data on the users, such as the sites visited, date and time accessed and the amount of time spent on each site. Using their IP address, the cookies could sometimes even track the approximate geographical location of the users.

Since Google is a Delaware corporation, Mr Lloyd initially required the permission of the English High Court to serve outside the jurisdiction. Google contested this application on two grounds:

  1. Damages cannot be awarded under the DPA 1988 for “loss of control” of data without proof that it caused financial damage or distress; and
  2. The claim in any event is not suitable to proceed as a representative action.

In the High Court[1], Warby J refused permission to serve the proceedings on Google, concluding that data protection damages under the DPA 1988 cannot be awarded without proof that the breach caused the individual to suffer financial damage or distress. However, the Court of Appeal[2] reversed this decision. The leading judgment was delivered by Sir Geoffrey Vos who stated that a representative action was the only way to obtain a civil compensatory remedy for ‘wholesale and deliberate misuse of personal data without consent undertaken with a view to commercial profit’.

In the Supreme Court, Lord Leggatt gave the judgment, with which Lord Reed, Lady Arden, Lord Sales and Lord Burrows agreed. In doing so, they allowed Google’s appeal.

Claiming damages for the representative class

Except in the field of competition law, the UK Parliament has not enacted legislation to allow a single individual to claim redress on behalf of a class of people similarly affected by the alleged wrongdoing. Mr Lloyd thus sought to rely on Part 19.6(1) of the Civil Procedure Rules:

Where more than one person has the same interest in a claim (a) the claim may be begun; or (b) the court may order that the claim be continued, by or against one or more of the persons who have the same interest as representatives of any other persons who have that interest.

Lord Leggatt first provided an extensive analysis of collective redress in English law with an explanation of preceding case law and the treatment of representative actions in the Commonwealth.

He acknowledged that the development in digital technology adds to the potential for mass harm, and that it is thus necessary to reconcile the inconvenience or impracticality of litigating multiple individual claims with a similar inconvenience or impracticality of making every prospective claimant a party to one claim.

He then explained that the scope for claiming damages in representative proceedings is limited by the compensatory principle under which damages are awarded so as to put claimants in the position they would have been had the wrong not occurred. To do so, this often requires individualised assessments. It was not insignificant that Warby J had found that  “…some affected individuals were ‘super users’ – heavy internet users. They will have been ‘victims’ of multiple breaches, with considerable amounts of [browser generated information] taken and used throughout the Relevant Period. Others will have engaged in very little internet activity”.

Mr Lloyd as sole representative did not share the same interest as all individuals affected by Google’s breach of duty and thus could not make a representative action claim on behalf of others affected.

The lowest common denominator

Mr Lloyd had also identified an “irreducible minimum harm” suffered by every member of the class whom he sought to represent and submitted that this could provide the basis on which damages are awarded. This “irreducible minimum harm” threshold could be satisfied if an individual had accessed

a website participating in Google’s DoubleClick advertising service on one occasion.

Lord Leggatt summarised the lowest common denominator as “someone whose internet usage – apart from one visit to a single website – was not illicitly tracked and collated and who received no targeted advertisements as a result of receiving the DoubleClick Ad cookie.” On this basis, however, there would be no evidence Google collected or used personal data relating to that person so as to found a claim for damages.

Claiming damages for loss of control

As an alternative to demonstrating material damage for each individual, Mr Lloyd claimed that an individual is entitled to recover compensation under section 13 DPA 1998 whenever a data controller fails to comply with any of the requirements of the DPA 1998 in relation to any personal data of which that individual is the subject, provided the contravention is not trivial or de minimis.

Data Protection Act section 13:

  • 13 (1) An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage.
  • (2) An individual who suffers distress by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that distress if—
    • (a) The individual also suffers damage by reason of the contravention, or
    • (b) The contravention relates to the processing of personal data for the special purposes.

On analysis of the statutory wording, Lord Leggatt stated that it “draws a distinction between “damage” suffered by an individual and a “contravention” of a requirement of the Act by a data controller, and provides a right to compensation “for that damage” only if the “damage” occurs “by reason of” the contravention.”

He then drew on EU law and article 23 of the Data Protection Directive, which section 13 of the DPA 1998 was meant to implement, in order to ascertain whether the term “damage” in article 23 could be interpreted as extending beyond material damage and distress. He concluded there was no reason to afford “damage” a wider interpretation as no authority had been cited in favour of such an interpretation, either generally in EU law or in the specific context of article 23, and it had not been asserted that any national laws had done so either.

What next?

This case is undoubtedly a blow for claimants seeking to bring claims in England and Wales for damages for breaches of data protection legislation. Whilst Lord Leggatt only considered the statutory provisions of the DPA 1998, which have been superseded by the Data Protection Act 2018 (“the DPA 2018”) following the introduction of the General Data Protection Regulation (the “GDPR”), in several respects the provisions of the DPA 2018 are not dissimilar from the statutory regime which it has replaced. Again, a distinction is drawn in the GDPR between the act giving rise to the damage and the damage itself. In these respects, whilst it is open to argument, it would not be unreasonable to expect the UK courts to take a similar approach under the new legislation to the approach taken in Mr Lloyd’s claim.

Whilst members of the public become more aware of their data protection rights and litigation on this topic is on the rise, this case may also stem the tide of class actions and minor data breach claims currently being made, not least because it could make third party funders and ATE insurers more cautious about taking on such cases. Even if claimants endeavour to find a way around the representative class issue, this case also has a wider bearing on data protection related claims more generally as it demonstrates that damages cannot be claimed for loss of control generally and claims must be non-trivial and provide actual evidence of damage.

Lloyd v Google joins a number of recent court decisions on triviality and other causes of action that are usually pleaded in addition to breach of data protection laws (see, for example, our own blog on Warren v DSG Retail Ltd [2021] EWHC 2168 (QB) and The Inadvertent Data Breach blog published on Jan 20 2022. It is to be hoped that, given this courtroom trend, claimants will start to take a more focused approach, reducing the number of speculative or trivial claims and concentrating their fire power on more distressing or egregious breaches and where there is something actually worth fighting about.

[1] Lloyd v Google LLC [2018] EWHC 2599 (QB)

[2] Lloyd v Google LLC [2019] EWCA Civ 1599