The implications of Lloyd v Google: Prove your loss or fail to succeed
It seems the floodgates will stay shut, at least for now...
The Supreme Court recently delivered its long-awaited judgment in the matter of Lloyd v Google LLC, bringing a conclusion that will be of interest to all potential parties to data protection disputes. In this article we consider the implications that the decision is likely to have going forwards. In particular, it was widely perceived to be a decision that could have opened the floodgates to potential significant class-actions in respect of data breaches. However, it seems that those floodgates will stay shut, at least for now.
Mr Richard Lloyd (a former director of Which? magazine and a consumer rights advocate) had issued a claim against Google alleging a breach of its duties as a data controller. The claim was brought under the Data Protection Act 1998 (“DPA 1998”), which was the applicable legislation in force at the relevant time. As Google is a Delaware corporation, Lloyd required permission to serve his claim form out of the jurisdiction, the application for which has resulted in the much-anticipated decision from the Supreme Court.
The basis of Mr Lloyd’s claim was that throughout several months in late 2011 and early 2012, cookies that were installed by Google on Apple’s Safari web browser secretly tracked millions of iPhone users’ internet activity, which enabled it to issue targeted advertising. Mr Lloyd’s claim sought to represent every resident of England and Wales that, during the time period of the alleged breach, owned and used an Apple iPhone and may have had their data collected without consent. He therefore sought to recover damages on behalf of more than 4 million people. Although the damages sought for each individual was a nominal £750, it added up to some £3 billion in total. However, Mr Lloyd still needed permission to serve outside the jurisdiction before Google even had to consider how it would defend the claim.
The application was initially refused by the High Court in 2018, but the Court of Appeal reversed that decision in 2019. Two years later and we have a final decision. The Supreme Court has reversed the decision once again and held that Mr Lloyd cannot bring a representative action against Google for unproven damages under the DPA 1998 and permission to serve outside the jurisdiction has been refused.
There were two key issues considered by the Supreme Court in determining whether the claim should be allowed to proceed.
Mr. Lloyd brought his claim under the DPA 1998, with specific reference being given to section 13 (compensation for failure to comply with certain requirements). This section entitles individuals who suffer “damage” or “distress” as a result of any breaches of the DPA 1998 by a data controller to compensation.
Herein laid the first issue – Mr. Lloyd was claiming for unproven damages, alleging that each individual in the applicable class was entitled to damages for the mere contravention of Google’s data protection obligations (i.e., by collecting data without individuals’ knowledge or consent). A nominal figure of £750 was attributed to each individual, but there was no evidence provided as to the losses each individual had suffered, or if they had indeed suffered any actual loss at all. The Supreme Court therefore had to determine whether an action could be brought under section 13 of the DPA 1998 in circumstances where there could be no proof provided of actual financial loss or personal distress.
On this issue, the Supreme Court found that it was not possible. Lord Leggat stated that without proof “that any wrongful use was made by Google of personal data relating to that individual or that the individual suffered any material damage or distress as a result of a breach of the requirements of the Act by Google … a claim for damages cannot succeed.”
The judgment concludes that section 13 of the DPA 1998 does not therefore allow for an automatic award of compensation should a breach occur. Instead, proof of actual loss or distress is required.
Secondly, the Supreme Court also considered whether the claim was suitable to continue as a representative action in any event. This required Mr. Lloyd to have the “same interest” as those that he claimed to represent.
The Supreme Court found that, without determining damages for each individual in the class, and the precise circumstances of the alleged breach as it affected them, their claim would have no prospect of success. However, if damages were assessed on an individual basis, they would potentially vary in each circumstance. As such, Mr. Lloyd could not be said to have the “same interest” as the individuals in the class that he was seeking to represent. He was not therefore permitted to bring his claim as a representative action.
Whilst the DPA 1998 is no longer the leading legislation with regards to data protection, having been superseded by the General Data Protection Regulation (“GDPR”) and the Data Protection Act 2018, the Supreme Court judgment will still have an impact on the landscape of data protection claims and representative actions.
It is very clear that the Supreme Court does not consider a mere breach of data protection requirements to entitle an individual affected by the breach to be able to bring a complete damages claim on behalf of a whole class of individuals. Moreover, the Supreme Court reinforced the need for any claimants, not just those seeking to bring representative actions, to explain the impact that an actionable breach has had on them. There has to be actual loss or distress caused and it must be proven.
Where claimants may therefore have previously considered bringing claims for trivial breaches of data protection legislation, it is likely that they may now reconsider. Unless loss or distress can be proven, the prospects of success, in light of Lloyd v Google, seem to have significantly reduced. It may therefore be that businesses will see less opportunistic claims being brought under the DPA 2018 and GDPR, particularly in circumstances where the breach is minor and claimants are struggling to show that it has had any real impact on them. Whilst the claim itself did not consider the most recent data protection legislation, the relevant wording of the DPA 1998 is not particularly dissimilar to the current compensation provisions, meaning that claimants will likely find it difficult to draw any significant distinctions.
The case is also likely to put the brakes on any further attempts to bring mass class-actions as representative claims in respect of data breaches, not least because litigation funders will now, no doubt, be more cautious about providing financial backing to these claims going forwards. However, it remains to be seen whether data breach claimants will simply modify their approach to meet the concerns raised by the Supreme Court. For example, the judgment indicated that Mr. Lloyd could in theory have brought his claim as a representative action using a “bifurcated process”, which split the assessment of liability and quantum. In such a case, an initial decision could be taken on certain common issues of liability, such as whether Google actually breached its obligations as a data controller. If it was found to be in breach, individual claimants would then be entitled to bring their own damages claims in light of that declaration. Alternatively, there is still the option of Group Litigation Orders, which is an “opt in” regime for class actions, whereby individual claimants need to take active steps to join the group. In practice therefore, the judgment may well serve to focus claimants’ minds on demonstrating, up front, how each individual in the group can be said to have suffered loss and damage.
Either way, several similar claims had already been placed on a “pause” whilst awaiting the outcome of Lloyd v Google, so it will be interesting to see how many choose to proceed and how many attempt to modify their approach in light of this outcome.
For further information and expert advice get in touch with one of our leading data protection solicitors.