Lloyd v Google – “Doomed to fail?”- Simon Henderson and Rebecca Keating

Simon Henderson and Rebecca Keating

Introduction

The Supreme Court has handed down its much-anticipated judgment in Lloyd (Respondent) v Google LLC (Appellant) [2021] UKSC 50.

The judgment clarifies the law regarding (i) when damages may be awarded to individuals for the loss of control of their data and (ii) representative actions.

The Supreme Court unanimously allowed the appeal. This article highlights the key parts of the decision and the likely impact on future claims.

The Application

Google is a Delaware corporation and so the claimant, Mr Richard Lloyd, needed the court’s permission to serve the claim form on Google outside the jurisdiction (the “Application”).

There were two principal bases on which Google opposed the Application.  Google argued that:

(1) damages cannot be awarded under the Data Protection Act 1998 (“the DPA 1998”) without proof that a breach of the requirements of the DPA 1998 caused an individual to suffer financial damage or distress; and

(2) the claim in any event was not suitable to proceed as a representative action.

The Appeal

In the High Court Warby J decided both issues in Google’s favour and therefore refused permission to serve the proceedings on Google. The Court of Appeal reversed that decision. Google appealed the decision to the Supreme Court.

The Supreme Court unanimously allowed the appeal and restored the order made by Warby J. Lord Leggatt delivered the judgment, with which the other Justices agreed.

There were three key points on appeal:

1. Issue 1 – Are damages recoverable under the DPA 1998 for “loss of control” of data, without needing to identify any specific distress or pecuniary loss?
2. Issue 2 – Does the proposed group of individuals satisfy the “same interest” test as required for a representative action in England and Wales to proceed?
3. Issue 3 – Should the Court exercise its discretion and disallow the representative action from proceeding in any event? 

Factual Background

The claim was based on the allegation that for several months in late 2011 and early 2012, Google secretly tracked the internet activity of some 4 million Apple iPhone users in England and Wales and used the data collected without the users’ knowledge or consent for commercial purposes. Google allegedly did so to enable advertisers to target advertisements at users based on their browsing history.

The DPA 1998 was in force at the time of the alleged breaches and applied to the claim.  The DPA 1998 has since been replaced by the UK General Data Protection Regulation supplemented by the Data Protection Act 2018.

Had the judgment gone against Google, the financial impact would have been severe. As the Supreme Court acknowledged, the amount of damages recoverable per person would be a matter for argument, but a figure of £750 was advanced in a letter of claim. Multiplied by the number of people whom Mr Lloyd claimed to represent, this would produce an award of damages of the order of £3 billion (at [5]).

Supreme Court decision on the DPA 1998 claim

Practitioners familiar with this area of the law will be aware of the dearth of guidance on the assessment of damages in these types of claims. Judgments have tended to be first instance decisions and this has led to much debate and uncertainty. The Supreme Court has put forward some helpful guidance on the point in their decision – in particular as to whether damages can be claimed for loss of control only.

Lord Leggatt noted that Mr Lloyd’s argument was founded solely on section 13 of the DPA 1998, which provides that:

“an individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage”.

Mr Lloyd’s claim was therefore limited in this regard. It is to be noted that unlike many comparable claims there was no additional claim for breach of confidence or misuse of private information.

It is worth noting the clear guidance provided at the outset of Lord Leggatt’s judgment (at [8]):

“In order to recover compensation under the DPA 1998 for any given individual, it would be necessary to show both that Google made some unlawful use of personal data relating to that individual and that the individual suffered some damage as a result. The claimant’s attempt to recover compensation under the Act without proving either matter in any individual case is therefore doomed to fail.”

This therefore sets out the two requirements considered by the Supreme Court – [1] unlawful use of personal data and [2] that damage has been suffered.

Lord Leggatt noted that two initial points could be made about the wording and structure of section 13 (at [92]:

1. First, to recover compensation under the provision it would not be enough to prove a breach by a data controller of its statutory duty under section 4(4) of the 1998 Act: an individual is only entitled to compensation under section 13 where “damage” – or in some circumstances “distress” – is suffered as a consequence of such a breach of duty.
2. Second, it was plain from subsection (2) that the term “damage” as it is used in section 13 does not include “distress”. Lord Leggatt outlined that the term “material damage” is sometimes used to describe any financial loss or physical or psychological injury, but excluding distress (or other negative emotions not amounting to a recognised psychiatric illness). Adopting that terminology and on a straightforward interpretation, the term “damage” in section 13 therefore only refers to material damage and compensation could only be recovered for distress if either of the two conditions set out in subsection (2) are met.

Lord Leggatt went on to say that it was on any view necessary, in order to recover compensation under section 13, to prove what unlawful processing by Google of personal data related to a given individual had occurred (at [144]). On this point Lord Leggatt outlined that:

“…Even if (contrary to my conclusion) it were unnecessary in order to recover compensation under this provision to show that an individual has suffered material damage or distress as a result of unlawful processing of his or her personal data, it would still be necessary for this purpose to establish the extent of the unlawful processing in his or her individual case. In deciding what amount of damages, if any, should be awarded, relevant factors would include: over what period of time did Google track the individual’s internet browsing history? What quantity of data was unlawfully processed? Was any of the information unlawfully processed of a sensitive or private nature? What use did Google make of the information and what commercial benefit, if any, did Google obtain from such use?”

Therefore the Supreme Court held that [1] the proper interpretation of damage under section 13 of the DPA 1998 is pecuniary loss or mental distress and [2] damage must be suffered in order to seek compensation and it is not sufficient to seek compensation for ‘loss of control’ only.

Supreme Court decision on representative actions

There were two issues relevant to the representative action point:

1. Does the proposed group of individuals satisfy the “same interest” test as required for a representative action in England and Wales to proceed?
2. Should the Court exercise its discretion and disallow the representative action proceeding in any event?  

The points set out above regarding the assessment of damages were relevant to the Supreme Court’s assessment as to whether a representative action against Google could be taken. The assessment of damages was relevant to whether or not the same interest test was met in that a group of individuals in a representative action is restricted by the rules around the nature of the remedy sought.

Mr Lloyd had submitted that it was possible to identify an “irreducible minimum harm” suffered by every member of the class whom he represents for which a “uniform sum” of damages could be awarded (at [145]).  Lord Leggatt answered at [147] that he did not consider it necessary to enter into the merits of the issue. However, he was prepared to assume, without deciding the point, that as a matter of discretion the court could – if satisfied that the persons represented would not be prejudiced and with suitable arrangements in place enabling them to opt out of the proceedings if they chose – allow a representative claim to be pursued for only a part of the compensation that could potentially be claimed by any given individual. However, Lord Leggatt then went back to emphasise that:

• The fundamental problem is that, if no individual circumstances are taken into account, the facts alleged would be insufficient to establish that any individual member of the represented class was entitled to damages.
• This would be the case even if it was unnecessary to prove that the alleged breaches caused any material damage or distress to the individual.

The Supreme Court’s decision shows an unwillingness to award a “uniform sum” for damages without inspecting the individual circumstances of claims.

Some helpful guidance was provided around the factors that might differentiate individual data subjects as per [144] of the judgment: the period of time the individual’s internet browsing history was tracked; the quantity of data unlawfully processed; whether any of the information unlawfully processed was of a sensitive or private nature; and the use Google made of the information and any commercial benefit obtained from that use.

What is clear is that damage needs to be proved. These factors must be kept in mind, lest a claim be “doomed to fail” in the words of Lord Leggatt.

Ultimately, a representative action could be brought to establish liability. However, damages would have to be dealt with through a group action or individual claims. At [154] Lord Leggatt added: “the inability or unwillingness to prove what, if any, wrongful use was made by Google of the personal data of any individual again means that any damages awarded would be nil”.

The floodgates have therefore not been opened for ‘opt-out’ data claims but there is scope left for a representative claim seeking declaratory relief or for two-stage actions. Such claims could be brought using a “bifurcated process” [48, 58, 81]. In short this is a procedure whereby representative action procedure is used to determine common issues – for example the nature of the breach that took place – and individual issues are addressed subsequently. While this may be costly, and therefore not attractive to claimants and their funders, this has the advantage of stopping a claim being time-barred [81].

The Supreme Court held that it was unnecessary to decide Issue 3 (whether the Court of Appeal was entitled to interfere with the first instance judge’s discretionary ruling) as regardless of what view of it is taken, the claim had no real prospect of success.

Conclusion

The concluding words of Lord Leggatt leave little doubt as to the view taken about claims of this sort. At [158] of the judgment Lord Leggatt emphasised that he viewed the claim as “officious litigation, embarked upon on behalf of individuals who have not authorised it”. He continued that one of the main beneficiaries of any award of damages would be “the funders and the lawyers”.

The decision will afford relief to data controllers and provides much-needed clarification on the assessment of damages.

The question of the GDPR was “left to one side” by the court (at [16]). There is therefore a  question as to whether the Supreme Court’s conclusions will transfer across to the GDPR/Data Protection Act 2018 – although it is worth noting that the wording of section 13 of the DPA 1998 and Article 82 of the GDPR are very similar in substance.

Furthermore, a “loss of control” argument was not considered in the context of a breach of confidence or misuse of private information claim – again, however, it could readily be argued that the comments by the Supreme Court would similarly apply to such cases.

The Supreme Court has of course left open the possibility that representative actions proceed – however, given the court has rejected “loss of control” damages and made clear that damage must be proved, this is likely to impede many data claims.  

Combined with the recent decisions of the High Court in Warren v DSG Retail Limited [2021] EWHC 2168 (QB) and Rolfe & Ors v Veale Wasbrough Vizards LLP [2021] EWHC 2809 (QB)) the trend appears to be a narrowing of the possibility of bringing speculative claims for breaches of the data protection legislation.

---

Simon Henderson

Call 1993

Rebecca Keating

Call 2017