In a much anticipated decision, the UK Supreme Court has unanimously decided that a mass claim brought against Google by Mr Richard Lloyd, on behalf of a class that could include as many as 4.4 million iPhone users (the “iPhone Users”), cannot proceed, as currently constituted, as a ‘representative action’ in the English courts.
The decision is the latest in a long—and rapidly proliferating—line of cases grappling with the scope of representative actions in the United Kingdom. The decision makes clear that the scope of the representative action procedure is relatively narrow, and that the courts will closely scrutinise whether claimants have satisfied the strict requirements for a representative action (namely, whether the claimants have demonstrated that they have the “same interest” in the claim). Consequently, unless Parliament intervenes and enacts new legislation, the English legal system remains without a broad U.S.-style ‘opt-out’ class action mechanism.
Lloyd v Google: the Background
A decade ago, Apple’s default web browser on iPhones, Safari, blocked all third-party cookies by default. However, Apple introduced exceptions to permit certain websites to properly function. Between August 2011 and February 2012, Google used those exceptions to place its ‘DoubleClick Ad’ cookie on iPhone devices without the knowledge or consent of the user (the so-called ‘Safari Workaround’). It was alleged that the cookie permitted Google to collect vast swathes of data about users, such as what advertisements the user viewed, the date and time of the user’s visit on a certain webpage, and even their geographical location. Google was then able to collate and sell that data to advertisers.
Before any action had been taken in the United Kingdom, the U.S. Federal Trade Commission had already determined that the ‘Safari Workaround’ breached U.S. privacy laws, fining Google US$ 22.5 million in 2012. In England and Wales, as many as 4 million iPhone users were impacted by the Safari Workaround, leading to Mr Lloyd—a consumer rights activist—commencing legal proceedings against Google LLC in the English courts in 2017.
Mr Lloyd alleged that Google breached its duties as a data controller under the Data Protection Act 1998 (“DPA”) when it implemented the ‘Safari Workaround’. He initiated a representative action (an ‘opt-out’ group action procedure), seeking £750 in damages from Google for himself and each of the iPhone Users, exposing Google to potential liability of £3 billion.
Pursuant to applicable civil procedure rules, Mr Lloyd required the Court’s permission to serve the claim on Google outside the jurisdiction in—the United States—its place of domicile. Google challenged the application on the basis that the claim had no real prospects of success, because: (i) damages could not be awarded under the DPA without proof of financial damage or distress; and (ii) the claim was in any event unsuitable to proceed as a representative action. Google was initially successful before the first instance judge in 2018. This was reversed by the Court of Appeal in 2019.
The Supreme Court
The Supreme Court was asked to determine two issues:
- Whether damages are recoverable by an individual for the ‘loss of control’ over his or her data under s 13 of the DPA, without showing specific financial loss or emotional distress; and
- Whether the iPhone Users shared the “same interest” in the proceedings in accordance with UK Civil Procedure Rule (“CPR”) 19.6, so that Mr Lloyd could bring a representative action on behalf of the class of over 4 million iPhone users.
The Supreme Court answered both questions in the negative, thereby overturning the decision of the Court of Appeal and affirming the High Court’s decision refusing permission for the representative claim to proceed against Google.
Mr Lloyd’s claim was premised on section 13(1) DPA, which entitles an individual who “suffers damage by reason of any contravention by a data controller” of the DPA to compensation from the data controller. The putative represented class—the iPhone Users—consisted of everyone in England and Wales who owned an Apple iPhone between 2011–2012, and who had the DoubleClick Ad cookie placed on their device through the Safari Workaround. This constituted a breach of the DPA principally because there had been a failure to obtain user consent.
A key issue before the Supreme Court was whether compensation for the alleged breaches of data protection law had to be individually assessed in the case, given that s 13(2) DPA only allows compensation for individuals who suffer “distress by reason of any contravention by a data controller of any of the requirements of this Act … if… the individual also suffers damage by reason of the contravention…”. A representative action can only be brought where the representative(s) and the class have the “same interest” in the claim. The courts have interpreted this to mean that representative action can only proceed if the claim does not require the assessment of the individual circumstances of class members (e.g., individual damages assessments). For this reason, Mr Lloyd sought to formulate the claim in such a way as to avoid the need for any individuation. He argued that the Court could award damages to each class member on the basis of the ‘lowest common denominator’, because the class had suffered an “irreducible minimum harm” in the “loss of control” over their personal data by virtue of the mere breach of the DPA. As a result, a “uniform sum” of damages could be awarded to each individual for loss suffered.
The Supreme Court rejected Mr Lloyd’s case on the basis that the statutory language of the DPA made it clear that the damage for which compensation was sought had to be suffered by reason of the data controller’s breach. The contravention of the DPA, and the damage that resulted from it required two separate enquiries, and it was necessary to “show both that Google made some unlawful use of personal data relating to that individual and that the individual suffered some damage as a result” (emphasis added). This meant that a more extensive factual enquiry would have to be undertaken for individuals claiming damages from Google.
The Court’s finding also proved fatal to Mr Lloyd’s argument that by claiming ‘uniform’ damages he had avoided the need for the Court to embark on an individualised assessment of damages in each case. The Court found that such a claim was not viable because each class member needed to prove damage, and the effect of the Safari Workaround was not uniform across the represented class. Some affected individuals might have been heavy Safari users such that a considerable amount of their data was collected; while others might have engaged in minimal internet activity. It also could not be assumed that the exact same data was collected from each individual, or that they were collated or stored in the exact same way.
Therefore, if liability was established, different awards of compensation would have to be made to different individuals to ensure that they would adequately be compensated and placed in the position had the breach not occurred. Such an individuated approach was at odds with the operation and rationale of the representative—to efficiently dispose of claims by binding all members of a represented class with a single judgment.
The decision in Google confirms that the English Courts are taking a strict approach to the “same interest” test that must be satisfied before a representative action can proceed. If there are issues in a mass claim that would require an individual, case-by-case assessment, then it will be difficult for the action to proceed on a representative basis.
The Supreme Court recognised that Mr Lloyd could have pursued a representative action in order to establish whether Google was in breach of the DPA 1998, with the remedy being a mere declaration that any member of the represented class who suffered damage by reason of that breach would be entitled to compensation at their own suit. However, the Court observed that such an approach would have required Mr Lloyd’s lawyers to undertake considerable work before commencing the claim, in order to determine whether an individual fell within the relevant class of claimants. This would have increased the costs of managing the claim, and would not have generated any immediate financial return for the litigation funders or any members of the represented class. This would have made the claim far less appealing to the third-party funder, whose participation was critical for financing the claim.
By limiting representative actions in this way, the Supreme Court has, at least for the time being, hobbled the business model developed by claimant lawyers for bringing mass claims for breaches of data protection law. Failing any intervention by Parliament, the courts’ strict interpretation of the “same interest” test, and of the scope of the DPA, may well dampen the recent uptick in representative actions in the UK courts in the data protection sphere and beyond.