On 10 November, the Supreme Court handed down its long-awaited decision in Lloyd v Google LLC [2021] UKSC 50. The court found unanimously for Google, overturning the Court of Appeal. Mr Lloyd’s claim will not now proceed (at least as currently formulated). 

Kelly Hagedorn

Kelly Hagedorn

The judgment rejects the proposition that data subjects affected by a non-trivial breach of data protection law may recover compensation for the ‘loss of control’ of their personal data under the Data Protection Act 1998 (DPA 1998), which was the relevant legislation for the purposes of the case. The Supreme Court decided that such claims may only succeed where each data subject, on an individual basis, can evidence their individual damage sustained. The requirement that each claimant individually must show (i) a breach of their individual data rights, and (ii) damage as a result, is likely to prevent future large-scale representative actions for data protection breaches. Many similar cases were awaiting the judgment in Lloyd and may now not be pursued.

Background

Mr Lloyd attempted to bring a representative claim against Google on behalf of about four million people allegedly impacted by a workaround affecting certain mobile phones between April 2011 and February 2012. He sought damages from Google on behalf of the class, suggesting an award of around £750 per claimant, equating to total damages of around £4bn.

Issues of data protection law

Mr Lloyd argued that, following Gulati v MGN (a case concerning the English law tort of misuse of private information and not breaches of data protection law), a breach of data rights that is non-trivial gives rise to an entitlement to compensation for ‘loss of control’ of personal data. The Supreme Court, construing s.13 DPA 1998, disagreed.  The court thought it plain that s.13 required identifiable damage or distress resulting from a contravention of the DPA 1998 to enable an actionable claim. A ‘loss of control’ of personal data alone did not suffice because it conflated the breach of the DPA 1998 with the damage caused by that breach.

This means that each individual claimant must be able to point to identifiable damage in the form of material damage or mental distress, and that the damage must be distinct from, and caused by, the breach of data rights in each case. It is not possible simply to assert that a breach of the DPA 1998 results in an automatic right to damages for affected data subjects.

The court found that comparisons with the tort of misuse of private information (MPI) are not persuasive. MPI involves strict liability for deliberate acts. Breaches of data protection law routinely concern negligence – that is, they are caused by acts that are not deliberate on the part of the party who is to compensate the victims. Consequently, and contrary to Mr Lloyd’s arguments, the two causes of action do not necessitate identical remedies.

Impact on class actions

Mr Lloyd brought his claim pursuant to the representative actions procedure found in CPR 19.6, which allows proceedings to be brought by one or more persons as representatives of others who have the ‘same interest’ in the claim.

Thomson_Oliver_HI RES COLOR

Oliver Thomson

The court noted that representative actions at scale are conceptually possible where each claimant is functionally identical. However, given that the purpose of damages is to compensate for a particular loss, in most cases the loss suffered by the individual claimants would differ and an assessment of loss would be required for each.

The court’s judgment suggested that representative actions could be brought effectively under a ‘bifurcated’ process. A representative of a class of individuals could, in theory, bring a claim in respect of a breach of data protection law to prove the circumstances of the breach and the defendant’s liability in a general sense. Armed with the court’s decision, data subjects could thereafter bring claims individually to evidence their loss and recover appropriate compensation.

A bifurcated process is unlikely to be popular in practice as large representative actions of this type are usually only feasible with the support of third-party funding. As no damages – nor the funder’s prospective return – would be recovered until the second, individual, step of the bifurcated process, funders may not consider the matters commercially attractive. Funders would have no visibility on the size of the group if the first representative action were to succeed. Depending on the data in question, individual claims may also not pass the de minimis threshold.  

It is also difficult to see how group actions would work for MPI claims. In Lloyd, the court emphasised the individualistic nature of MPI claims, given the need to assess whether the information at question was private to the data subject affected.

The judgment represents good news for data controllers, who will have been concerned by the Court of Appeal’s decision in Lloyd. It is a blow to claimant firms and their funders.

While the judgment focused on the DPA 1998, and pointedly did not discuss the UK General Data Protection Regulation (UK GDPR) or Data Protection Act 2018, it is likely that the Supreme Court’s reasoning will apply equally to the newer legislation, as the two frameworks deploy similar language. Article 82(1) GDPR states that a data subject who has suffered ‘material or non-material damage’ as a result of a breach of data protection law should have the right to compensation. The UK GDPR, however, unlike the DPA 1998, does refer to personal data breaches (as distinct from breaches of data protection law, which was the basis for Mr Lloyd’s claim) causing ‘non-material damage to natural persons such as loss of control’ (Recital 85), which may open a new line of arguments for data subjects.  

With the potential sums involved, it is perhaps likely that there will be a future test case or cases under the UK GDPR and Data Protection Act 2018, to determine if the English courts will come to the same conclusion again.

 

Kelly Hagedorn, data privacy and cybersecurity partner, and Oliver Thomson, associate in the complex commercial litigation team, at Jenner & Block