UK Supreme Court Overturns Court of Appeal to Disallow Google Data Privacy Class Action

November 11, 2021


On November 10, 2021, the UK Supreme Court issued a unanimous Judgment in Lloyd v Google LLC [2021] UKSC 50, overturning a ruling of the Court of Appeal and disallowing a data privacy class action.  The Judgment denied Mr. Lloyd the ability to pursue a collective claim for compensation on behalf of around four million iPhone users in England and Wales whose internet activity data were allegedly collected by Google in late 2011 and early 2012 for commercial purposes without the users’ knowledge or consent, and in alleged breach of section 4(4) of the Data Protection Act 1998 (“the 1998 Act”). The 1998 Act has since been replaced by the UK GDPR and the Data Protection Act 2018 (“the 2018 Act”). The claim was backed by substantial litigation funding.

The Supreme Court’s Judgment provides, in brief, that the procedural mechanism used to bring the claims on a collective basis (known as a “representative action”) can be used for claims of this kind, but only for the purposes of establishing liability for a breach of relevant data protection laws. The question of damages cannot be addressed through a representative action, and would have to be dealt with through individual claims, which could be managed together through group litigation case management devices (see below).

The Court held that a representative action is unsuitable for damages assessment in a case of this kind because:

  • first, damages for mere loss of control of data (as distinct from damages for actual loss or distress caused by the data breach) are not available for breaches of the 1998 Act (although the Supreme Court intimated that they may have been for another tort, misuse of private information); and
  • second, even if such damages had been available, assessment of loss can only be determined on the basis of an individualised assessment of the alleged misuse of each individual’s data by Google.

The Supreme Court’s official summary of the Judgment can be found here.

In this alert we provide an overview of the Supreme Court’s decision and offer our observations on the implications of the Judgment.

Background to Collective Actions in the UK

There are a number of ways in which collective actions can be brought in the UK.  Typically, such claims are brought on an “opt-in” basis. For example, under the Data Protection Act 2018, individuals can authorise non-profit organisations to bring certain proceedings on their behalf, or, under a group litigation order (“GLO”), courts can manage in a co-ordinated way claims which give rise to “common or related issues” of fact or law (Civil Procedure Rules (“CPR”) Parts 19.10 and 19.11).

However, there are two procedures that can be used in England and Wales to bring collective claims on an “opt-out” basis:

  • A collective redress regime for competition claims, which was introduced on 1 October 2015 under the Consumer Rights Act 2015, and which provides for opt-out claims to be brought in appropriate circumstances for damages for certain breaches of competition laws (see our alert on the Supreme Court’s 2020 decision in Merricks v Mastercard for more information on these types of claims). Opt-in claims can also be brought under the Consumer Rights Act 2015 regime; and
  • The “representative action” procedure, under which Lloyd v Google was brought, in which a party brings the claim as a “representative” of a group of litigants who have the “same interest” in the claim (under CPR 19.6). The “same interest” requirement has to date been interpreted strictly by the courts as requiring the claimants to have a common interest and grievance (which generally precludes claims relying on different fact patterns) and to all benefit from the remedy sought (which generally precludes claims for different remedies).

Summary of the Lloyd Action and Judgment


The alleged conduct by Google had given rise to a number of individual claims in the U.S. and the UK which had settled, and had been the subject of a civil settlement between Google and the U.S. Federal Trade Commission.  In May 2017, the claimant, Richard Lloyd, a consumer rights activist, commenced proceedings alleging that Google breached the 1998 Act, seeking damages on behalf of himself and other affected individuals under section 13(1) of the 1998 Act.  That section provides: “An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage.”  He did not allege or prove any distinctive facts affecting any of the individuals, save that they did not consent to the abstraction of their data.

Mr. Lloyd applied for permission to serve the claim on Google outside England & Wales, namely, in the U.S. As with any such application, in order to succeed, Mr. Lloyd had to establish that his claim had a reasonable prospect of success (CPR Part 6.37(1)(b)), that there was a good arguable case that the claim fell within one of the so-called jurisdictional “gateways” in paragraph 3.1 of CPR Practice Direction 6B (in this case, he sought to show that damage was sustained either within the jurisdiction or from an act committed within the jurisdiction), and that England and Wales was clearly or distinctly the most appropriate jurisdiction in which to try the claim (CPR Part 6.37(3)).

Google opposed the application on the grounds that: (i) the pleaded facts did not disclose any basis for claiming compensation under the 1998 Act; and (ii) the court should not permit the claim to continue as a representative action.

At first instance, Warby J refused to grant Mr. Lloyd permission to serve Google outside the jurisdiction on the basis that: (a) none of the represented class had suffered “damage” under section 13 of the 1998 Act; (b) the members of the class did not have the “same interest” within CPR 19.6(1) so as to justify allowing the claim to proceed as a representative action; and (c) the court’s discretion under CPR Part 19.6(2) should be exercised against allowing the claim to proceed.

The Court of Appeal reversed Warby J’s judgment on each of these issues, holding that: (a) the members of the class were entitled to recover damages pursuant to section 13 of the 1998 Act, based on the loss of control of their personal data alone, regardless of whether they had suffered actual pecuniary loss or distress as a result of Google’s alleged breaches; (b) the members of the class did, in fact, have the “same interest” for the purposes of CPR 19.6(1) and Warby J had defined the concept of “damage” too narrowly; and (c) the Court should exercise its discretion to permit Mr Lloyd to bring the claim on a representative basis.

Issues Before the Supreme Court

The claimant was granted leave to appeal to the Supreme Court. The three issues for determination by the Supreme Court were:

  1. Are damages recoverable for loss of control of data under section 13 of the 1998 Act, even if there is no pecuniary loss or distress?
  2. Do the four million individuals allegedly affected by Google’s conduct share the “same interest”?
  3. If the “same interest” test is satisfied, should the Court exercise its discretion and disallow the representative action in any event?

The Supreme Court’s Judgment

The Supreme Court’s unanimous Judgment, delivered by Lord Leggatt, reverses the Court of Appeal and re-instates the order of Warby J denying permission to serve out, essentially bringing the proceedings to an end. The key issues emerging from the Judgment are as follows:

  • The representative action is a long-standing “flexible tool of convenience in the administration of justice”, which might be used today in appropriate cases to bring mass tort claims arising in connection with alleged misuse of digital technologies, particularly in matters involving mass, low-value consumer claims.
  • There are limitations on the appropriateness of the use of representative actions to bring damages claims. Damages, as a remedy, by its very nature under English law, will typically require individualised assessment of loss, which requires participation of the affected parties.
  • In the case at hand, the question of liability (i.e., whether Google had breached the 1998 Act) was suitable to be brought through a representative action. The purpose of such a claim may be to obtain declaratory relief, which could include a declaration that affected persons may be entitled to compensation for the breaches identified.  However, damages would need to be assessed on an individualised basis.  The Supreme Court noted that the claimant, Mr. Lloyd, had not proposed such a two-stage approach, presumably because that declaratory relief would not itself have generated an award of damages that would provide his litigation funders with a return on their investment.
  • Section 13 of the 1998 Act does not, on its own wording, allow for damages claims on the “loss of control of data” basis pleaded by Mr. Lloyd. The Supreme Court appears to have acknowledged that “loss of control” damages may be available for the tort of misuse of private information, but held that section 13 could not be interpreted as giving an individual a right to compensation without proof of material damage or distress. Lord Leggatt indicated that, had a claim of this kind been brought, such damages would have been an appropriate way to assess loss, but no case had been brought under that tort.  Even if loss of control damages were available, there would be a need for individualised assessment of the unlawful data processing in the case of each individual claimant; again, this would be inconsistent with proceeding by means of a representative action.

Analysis of the Lloyd Judgment

This Judgment appears to represent a significant victory for Google and other major data controllers, and a blow to funding-assisted collective actions in the data protection field in England and Wales.

While it is notable that the Supreme Court was at pains to assert the potential utility of the representative action in mass data rights violations in appropriate circumstances, it is not obvious what those circumstances are, and it seems unlikely that the representative action will represent a fruitful mechanism for bringing such claims going forward.  At the very least, future claimants and their funders will need to give careful thought to the economics of bifurcated claims involving the bringing of a representative action for a declaration of liability and entitlement to compensation, followed by a large volume of coordinated damages claims for which a GLO is sought.

The historic nature of the claims offers little comfort to claimants here.  The Judgment relates to the regime in place prior to the entry into force of the GDPR.  Article 82(1) of the GDPR, which is retained in law in the UK post-Brexit, provides: “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.” It is an open question whether the English courts will consider the Supreme Court’s analysis of section 13 to apply equally to Article 82(1), but the reasoning seems to apply.

Furthermore, even in observing, at paragraph 4 of the Judgment, that “Parliament has not legislated to establish a class action regime in the field of data protection”, the Supreme Court did not take the obvious opportunity to encourage Parliament to do so.  Parliament will be in no doubt that, if a collective action regime is to be developed to address consumer data rights, it will need to legislate for it – it would now seem unlikely that such a culture can be developed from the procedural tools currently available to claimants.

Some claimants may find encouragement in the Judgment’s indication that the relatively new tort of misuse of private information may be used to recover “loss of control” damages, without proof of specific loss.  The circumstances in which that tort will be relevant to breaches of the GDPR and the 2018 Act, however, may be limited in practice, due to the need to establish a reasonable expectation of privacy supported by evidence of facts particular to each individual claimant.

In sum, major data controllers will be content with this outcome, and the nascent plaintiff bar and funding industry in the UK will likely be turning its attention to other areas of potential multi-party actions – unless and until, of course, Parliament intervenes.  With the current challenges facing the British government, that may be some time.

This alert was prepared by Patrick Doris, Doug Watson, Harriet Codd, Gail Elman, Ahmed Baladi, Vera Lukic, Ryan Bergsieker, Ashlie Beringer, Alexander Southwell, and Cassandra Gaedt-Sheckter.


© 2021 Gibson, Dunn & Crutcher LLP
