Litigation

The Supreme Court’s Decision in Lloyd v Google: What Impact on UK Mass Claims?

By: Lord Goldsmith QC, Patrick Swain, Christopher Boyne, Conway Blake, Robert Maddox, Tom Cornell, Mark McCloskey, Sara Ewad and Amelia Blefari November 12, 2021

Overview

In a much anticipated decision, the UK Supreme Court has unanimously decided that a mass claim brought against Google by Mr Richard Lloyd, on behalf of a class that could include as many as 4.4 million iPhone users (the “iPhone Users”), cannot proceed, as currently constituted, as a ‘representative action’ in the English courts.

The decision is the latest in a long—and rapidly proliferating—line of cases grappling with the scope of representative actions in the United Kingdom. The decision makes clear that the scope of the representative action procedure is relatively narrow, and that the courts will closely scrutinise whether claimants have satisfied the strict requirements for a representative action (namely, whether the claimants have demonstrated that they have the “same interest” in the claim). Consequently, unless Parliament intervenes and enacts new legislation, the English legal system remains without a broad U.S.-style ‘opt-out’ class action mechanism.

Lloyd v Google: the Background

A decade ago, Apple’s default web browser on iPhones, Safari, blocked all third-party cookies by default. However, Apple introduced exceptions to permit certain websites to properly function. Between August 2011 and February 2012, Google used those exceptions to place its ‘DoubleClick Ad’ cookie on iPhone devices without the knowledge or consent of the user (the so-called ‘Safari Workaround’). It was alleged that the cookie permitted Google to collect vast swathes of data about users, such as what advertisements the user viewed, the date and time of the user’s visit on a certain webpage, and even their geographical location. Google was then able to collate and sell that data to advertisers.

Before any action had been taken in the United Kingdom, the U.S. Federal Trade Commission had already determined that the ‘Safari Workaround’ breached U.S. privacy laws, fining Google US$ 22.5 million in 2012. In England and Wales, as many as 4 million iPhone users were impacted by the Safari Workaround, leading to Mr Lloyd—a consumer rights activist—commencing legal proceedings against Google LLC in the English courts in 2017.

Mr Lloyd alleged that Google breached its duties as a data controller under the Data Protection Act 1998 (“DPA”) when it implemented the ‘Safari Workaround’. He initiated a representative action (an ‘opt-out’ group action procedure), seeking £750 in damages from Google for himself and each of the iPhone Users, exposing Google to potential liability of £3 billion.

Pursuant to applicable civil procedure rules, Mr Lloyd required the Court’s permission to serve the claim on Google outside the jurisdiction in—the United States—its place of domicile. Google challenged the application on the basis that the claim had no real prospects of success, because: (i) damages could not be awarded under the DPA without proof of financial damage or distress; and (ii) the claim was in any event unsuitable to proceed as a representative action. Google was initially successful before the first instance judge in 2018. This was reversed by the Court of Appeal in 2019.

The Supreme Court

The Supreme Court was asked to determine two issues:

Whether damages are recoverable by an individual for the ‘loss of control’ over his or her data under s 13 of the DPA, without showing specific financial loss or emotional distress; and
Whether the iPhone Users shared the “same interest” in the proceedings in accordance with UK Civil Procedure Rule (“CPR”) 19.6, so that Mr Lloyd could bring a representative action on behalf of the class of over 4 million iPhone users.

The Supreme Court answered both questions in the negative, thereby overturning the decision of the Court of Appeal and affirming the High Court’s decision refusing permission for the representative claim to proceed against Google.

Mr Lloyd’s claim was premised on section 13(1) DPA, which entitles an individual who “suffers damage by reason of any contravention by a data controller” of the DPA to compensation from the data controller. The putative represented class—the iPhone Users—consisted of everyone in England and Wales who owned an Apple iPhone between 2011–2012, and who had the DoubleClick Ad cookie placed on their device through the Safari Workaround. This constituted a breach of the DPA principally because there had been a failure to obtain user consent.

A key issue before the Supreme Court was whether compensation for the alleged breaches of data protection law had to be individually assessed in the case, given that s 13(2) DPA only allows compensation for individuals who suffer “distress by reason of any contravention by a data controller of any of the requirements of this Act … if… the individual also suffers damage by reason of the contravention…”. A representative action can only be brought where the representative(s) and the class have the “same interest” in the claim. The courts have interpreted this to mean that representative action can only proceed if the claim does not require the assessment of the individual circumstances of class members (e.g., individual damages assessments). For this reason, Mr Lloyd sought to formulate the claim in such a way as to avoid the need for any individuation. He argued that the Court could award damages to each class member on the basis of the ‘lowest common denominator’, because the class had suffered an “irreducible minimum harm” in the “loss of control” over their personal data by virtue of the mere breach of the DPA. As a result, a “uniform sum” of damages could be awarded to each individual for loss suffered.

The Supreme Court rejected Mr Lloyd’s case on the basis that the statutory language of the DPA made it clear that the damage for which compensation was sought had to be suffered by reason of the data controller’s breach. The contravention of the DPA, and the damage that resulted from it required two separate enquiries, and it was necessary to “show both that Google made some unlawful use of personal data relating to that individual and that the individual suffered some damage as a result” (emphasis added). This meant that a more extensive factual enquiry would have to be undertaken for individuals claiming damages from Google.

The Court’s finding also proved fatal to Mr Lloyd’s argument that by claiming ‘uniform’ damages he had avoided the need for the Court to embark on an individualised assessment of damages in each case. The Court found that such a claim was not viable because each class member needed to prove damage, and the effect of the Safari Workaround was not uniform across the represented class. Some affected individuals might have been heavy Safari users such that a considerable amount of their data was collected; while others might have engaged in minimal internet activity. It also could not be assumed that the exact same data was collected from each individual, or that they were collated or stored in the exact same way.

Therefore, if liability was established, different awards of compensation would have to be made to different individuals to ensure that they would adequately be compensated and placed in the position had the breach not occurred. Such an individuated approach was at odds with the operation and rationale of the representative—to efficiently dispose of claims by binding all members of a represented class with a single judgment.

Comments

The decision in Google confirms that the English Courts are taking a strict approach to the “same interest” test that must be satisfied before a representative action can proceed. If there are issues in a mass claim that would require an individual, case-by-case assessment, then it will be difficult for the action to proceed on a representative basis.

The Supreme Court recognised that Mr Lloyd could have pursued a representative action in order to establish whether Google was in breach of the DPA 1998, with the remedy being a mere declaration that any member of the represented class who suffered damage by reason of that breach would be entitled to compensation at their own suit. However, the Court observed that such an approach would have required Mr Lloyd’s lawyers to undertake considerable work before commencing the claim, in order to determine whether an individual fell within the relevant class of claimants. This would have increased the costs of managing the claim, and would not have generated any immediate financial return for the litigation funders or any members of the represented class. This would have made the claim far less appealing to the third-party funder, whose participation was critical for financing the claim.

By limiting representative actions in this way, the Supreme Court has, at least for the time being, hobbled the business model developed by claimant lawyers for bringing mass claims for breaches of data protection law. Failing any intervention by Parliament, the courts’ strict interpretation of the “same interest” test, and of the scope of the DPA, may well dampen the recent uptick in representative actions in the UK courts in the data protection sphere and beyond.

Author Lord Goldsmith QC

Lord (Peter) Goldsmith QC, PC, London Co-Managing Partner and Chair of European and Asian Litigation, joined Debevoise in 2007. Lord Goldsmith served as the UK’s Attorney General from 2001 to 2007, prior to which he was in private practice as one of the leading barristers in London. Lord Goldsmith acts for a variety of clients alongside his role as Chair of the firm’s European and Asian litigation practices, in arbitration and litigation in the United Kingdom and other countries. He is a QC and appears regularly in court in the United Kingdom and elsewhere, including Cayman where he has also been admitted to practise, as well as in arbitration.

Author Patrick Swain

Patrick Swain is a partner based in the London office, where he is a member of the Litigation Department. Mr. Swain’s practice focusses on commercial disputes. He has guided clients through high profile disputes and claims in a variety of contexts, including M&A-related and other shareholder disputes, commercial fraud claims, professional negligence litigation and contentious insolvency.

Author Christopher Boyne

Christopher Boyne is a partner based in the London office, where he works in the Litigation Department. Mr. Boyne’s practice focuses on complex litigation and he has wide-ranging commercial litigation experience across a wide variety of industries and geographies including financial institutions and multinational corporations.

Author Conway Blake

Conway Blake is a member of the firm’s International Dispute Resolution Group, based in London. Dr. Blake represents corporate clients, sovereigns and international organisations on a range of contentious matters, particularly in investor-state arbitration, public international law disputes and commercial arbitrations governed by various substantive laws and conducted under the major arbitral rules.

Author Robert Maddox

Robert Maddox is International Counsel and a member of Debevoise & Plimpton LLP’s Data Strategy & Security practice and White Collar & Regulatory Defense Group in London. His work focuses on cybersecurity incident preparation and response, data protection and strategy, internal investigations, compliance reviews, and regulatory defense. In 2021, Robert was named to Global Data Review’s “40 Under 40”. He is described as “a rising star” in cyber law by The Legal 500 US (2022). He can be reached at rmaddox@debevoise.com.

Author Tom Cornell

Tom Cornell is an associate (barrister) in the firm’s International Dispute Resolution Group, resident in London. His practice focuses on international arbitration and complex multijurisdictional litigation. Mr. Cornell represents corporate clients, sovereigns and international organisations on a range of contentious and non-contentious matters, particularly in investor-state arbitration, public international law disputes, commercial arbitrations and litigation in the English courts. He also has experience of anti-corruption, extradition and related criminal investigations, including parallel litigation in the civil courts.

Author Mark McCloskey

Mark McCloskey is an associate in the firm’s International Dispute Resolution Group, resident in the London office. Mr. McCloskey’s practice includes contentious and advisory work on a range of complex international law issues, including in international investment and commercial arbitration, human rights, public international law and commercial litigation.

Author Sara Ewad

Sara Ewad is an associate in the London office and a member of the firm’s International Dispute Resolution Group.

Author Amelia Blefari

Amelia Blefari is a litigation associate in the London office and a member of the International Dispute Resolution Group. She has acted in a range of commercial disputes and has experience representing a broad array of international clients in litigation and arbitration proceedings.

China Publishes New Draft Measures on Outbound Data Transfers

The FTC’s Strengthened Safeguards Rule and the Evolving Landscape of Reasonable Data Security

Related Posts

European Data Protection Roundup – December 2023

FTC Sets Baseline Framework for “Algorithmic Fairness” in Action Involving Use of Facial Recognition Technology

Erez Liebermann to speak at Incident Response Forum Ransomware 2024