November 11, 2021
On November 10, 2021, the UK Supreme Court issued a unanimous Judgment in Lloyd v Google LLC  UKSC 50, overturning a ruling of the Court of Appeal and disallowing a data privacy class action. The Judgment denied Mr. Lloyd the ability to pursue a collective claim for compensation on behalf of around four million iPhone users in England and Wales whose internet activity data were allegedly collected by Google in late 2011 and early 2012 for commercial purposes without the users’ knowledge or consent, and in alleged breach of section 4(4) of the Data Protection Act 1998 (“the 1998 Act”). The 1998 Act has since been replaced by the UK GDPR and the Data Protection Act 2018 (“the 2018 Act”). The claim was backed by substantial litigation funding.
The Supreme Court’s Judgment provides, in brief, that the procedural mechanism used to bring the claims on a collective basis (known as a “representative action”) can be used for claims of this kind, but only for the purposes of establishing liability for a breach of relevant data protection laws. The question of damages cannot be addressed through a representative action, and would have to be dealt with through individual claims, which could be managed together through group litigation case management devices (see below).
The Court held that a representative action is unsuitable for damages assessment in a case of this kind because:
The Supreme Court’s official summary of the Judgment can be found here.
In this alert we provide an overview of the Supreme Court’s decision and offer our observations on the implications of the Judgment.
Background to Collective Actions in the UK
There are a number of ways in which collective actions can be brought in the UK. Typically, such claims are brought on an “opt-in” basis. For example under the Data Protection Act 2018, individuals can authorise non-profit organisations to bring certain proceedings on their behalf, or under a group litigation order (“GLO”), courts can manage in a co-ordinated way claims which give rise to “common or related issues” of fact or law (Civil Procedure Rules (“CPR”) Parts 19.10 and 19.11).
However, there are two procedures that can be used in England and Wales to bring collective claims on an “opt-out” basis:
Summary of the Lloyd Action and Judgment
The alleged conduct by Google had given rise to a number of individual claims in the U.S. and the UK which had settled, and had been the subject of a civil settlement between Google and the U.S. Federal Trade Commission. In May 2017, the claimant, Richard Lloyd, a consumer rights activist, commenced proceedings alleging that Google breached the 1998 Act, seeking damages on behalf of himself and other affected individuals under section 13(1) of the 1998 Act. That section provides: “An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage.” He did not allege or prove any distinctive facts affecting any of the individuals, save that they did not consent to the abstraction of their data.
Mr. Lloyd applied for permission to serve the claim on Google outside England & Wales, namely, in the U.S. As with any such application, in order to succeed, Mr Lloyd had to establish that his claim has a reasonable prospect of success (CPR Part 6.37(1)(b)), that there is a good arguable case that the claim fell within one of the so-called jurisdictional “gateways” in paragraph 3.1 of CPR Practice Direction 6B (in this case, he sought to show that damage was sustained either within the jurisdiction or from an act committed within the jurisdiction), and that England and Wales was clearly or distinctly the most appropriate jurisdiction in which to try the claim (CPR Part 6.37(3)).
Google opposed the application on the grounds that: (i) the pleaded facts did not disclose any basis for claiming compensation under the 1998 Act; and (ii) the court should not permit the claim to continue as a representative action.
At first instance, Warby J refused to grant Mr. Lloyd permission to serve Google outside the jurisdiction on the basis that: (a) none of the represented class had suffered “damage” under section 13 of the 1998 Act; (b) the members of the class did not have the “same interest” within CPR 19.6(1) so as to justify allowing the claim to proceed as a representative action; and (c) the court’s discretion under CPR Part 19.6(2) should be exercised against allowing the claim to proceed.
The Court of Appeal reversed Warby J’s judgment on each of these issues, holding that: (a) the members of the class were entitled to recover damages pursuant to section 13 of the 1998 Act, based on the loss of control of their personal data alone, regardless of whether they had suffered actual pecuniary loss or distress as a result of Google’s alleged breaches; (b) the members of the class did, in fact, have the “same interest” for the purposes of CPR 19.6(1) and Warby J had defined the concept of “damage” too narrowly; and (c) the Court should exercise its discretion to permit Mr Lloyd to bring the claim on a representative basis.
Issues Before the Supreme Court
The claimant was granted leave to appeal to the Supreme Court. The three issues for determination by the Supreme Court were:
The Supreme Court’s Judgment
The Supreme Court’s unanimous Judgment, delivered by Lord Leggatt, reverses the Court of Appeal and re-instates the order of Warby J denying permission to serve out, essentially bringing the proceedings to an end. The key issues emerging from the Judgment are as follows:
Analysis of the Lloyd Judgment
This Judgment appears to represent a significant victory for Google and other major data controllers, and a blow to funding-assisted collective actions in the data protection field in England and Wales.
While it is notable that the Supreme Court was at pains to assert the potential utility of the representative action in mass data rights violations in appropriate circumstances, it is not obvious what those circumstances are, and it seems unlikely that the representative action will represent a fruitful mechanism for bringing such claims going forward. At the very least, future claimants and their funders will need to give careful thought to the economics of bifurcated claims involving the bringing of a representative action for a declaration of liability and entitlement to compensation, followed by a large volume of coordinated damages claims for which a GLO is sought.
The historic nature of the claims offers little comfort to claimants here. The Judgment relates to the regime in place prior to entry to the GDPR. Article 82(1) of the GDPR, which is retained in law in the UK post-Brexit, provides: “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.” It is an open question whether the English courts will consider the Supreme Court’s analysis of section 13 to apply equally to Article 82(1), but the reasoning seems to apply.
Furthermore, even in observing, at paragraph 4 of the Judgment, that “Parliament has not legislated to establish a class action regime in the field of data protection”, the Supreme Court did not take the obvious opportunity to encourage Parliament to do so. Parliament will be in no doubt that, if a collective action regime is to be developed to address consumer data rights, it will need to legislate for it – it would now seem unlikely that such a culture can be developed from the procedural tools currently available to claimants.
Some claimants may find encouragement in the Judgment’s indication that the relatively new tort of misuse of private information may be used to recover “loss of control” damages, without proof of specific loss. The circumstances in which that tort will be relevant to breaches of the GDPR and the 2018 Act, however, may be limited in practice, due to the need to establish a reasonable expectation of privacy supported by evidence of facts particular to each individual claimant.
In sum, major data controllers will be content with this outcome, and the nascent plaintiff bar and funding industry in the UK will likely be turning its attention to other areas of potential multi-party actions – unless and until, of course, Parliament intervenes. With the current challenges facing the British government, that may be some time.
This alert was prepared by Patrick Doris, Doug Watson, Harriet Codd, Gail Elman, Ahmed Baladi, Vera Lukic, Ryan Bergsieker, Ashlie Beringer, Alexander Southwell, and Cassandra Gaedt-Sheckter.
Gibson Dunn lawyers are available to assist in addressing any questions you may have about these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any member of the firm’s Privacy, Cybersecurity and Data Innovation practice group.
Privacy, Cybersecurity and Data Innovation Group:
Ahmed Baladi – Co-Chair, PCDI Practice, Paris (+33 (0)1 56 43 13 00, email@example.com)
James A. Cox – London (+44 (0) 20 7071 4250, firstname.lastname@example.org)
Patrick Doris – London (+44 (0) 20 7071 4276, email@example.com)
Kai Gesing – Munich (+49 89 189 33-180, firstname.lastname@example.org)
Bernard Grinspan – Paris (+33 (0)1 56 43 13 00, email@example.com)
Penny Madden – London (+44 (0) 20 7071 4226, firstname.lastname@example.org)
Michael Walther – Munich (+49 89 189 33-180, email@example.com)
Alejandro Guerrero – Brussels (+32 2 554 7218, firstname.lastname@example.org)
Vera Lukic – Paris (+33 (0)1 56 43 13 00, email@example.com)
Sarah Wazen – London (+44 (0) 20 7071 4203, firstname.lastname@example.org)
Kelly Austin – Hong Kong (+852 2214 3788, email@example.com)
Connell O’Neill – Hong Kong (+852 2214 3812, firstname.lastname@example.org)
Jai S. Pathak – Singapore (+65 6507 3683, email@example.com)
Alexander H. Southwell – Co-Chair, PCDI Practice, New York (+1 212-351-3981, firstname.lastname@example.org)
S. Ashlie Beringer – Co-Chair, PCDI Practice, Palo Alto (+1 650-849-5327, email@example.com)
Debra Wong Yang – Los Angeles (+1 213-229-7472, firstname.lastname@example.org)
Matthew Benjamin – New York (+1 212-351-4079, email@example.com)
Ryan T. Bergsieker – Denver (+1 303-298-5774, firstname.lastname@example.org)
David P. Burns – Washington, D.C. (+1 202-887-3786, email@example.com)
Nicola T. Hanna – Los Angeles (+1 213-229-7269, firstname.lastname@example.org)
Howard S. Hogan – Washington, D.C. (+1 202-887-3640, email@example.com)
Robert K. Hur – Washington, D.C. (+1 202-887-3674, firstname.lastname@example.org)
Joshua A. Jessen – Orange County/Palo Alto (+1 949-451-4114/+1 650-849-5375, email@example.com)
Kristin A. Linsley – San Francisco (+1 415-393-8395, firstname.lastname@example.org)
H. Mark Lyon – Palo Alto (+1 650-849-5307, email@example.com)
Karl G. Nelson – Dallas (+1 214-698-3203, firstname.lastname@example.org)
Ashley Rogers – Dallas (+1 214-698-3316, email@example.com)
Deborah L. Stein – Los Angeles (+1 213-229-7164, firstname.lastname@example.org)
Eric D. Vandevelde – Los Angeles (+1 213-229-7186, email@example.com)
Benjamin B. Wagner – Palo Alto (+1 650-849-5395, firstname.lastname@example.org)
Michael Li-Ming Wong – San Francisco/Palo Alto (+1 415-393-8333/+1 650-849-5393, email@example.com)
Cassandra L. Gaedt-Sheckter – Palo Alto (+1 650-849-5203, firstname.lastname@example.org)
© 2021 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.