Case summary by Simon Cheetham QC and Sophie David (Pupil)
The Supreme Court has handed down the highly anticipated judgment in Lloyd v Google. Lord Leggatt, with whom all members of the Court agreed, analysed the appropriate use of the CPR Rule 19.6 representative procedure and clarified the position under the Data Protection Act 1998 on damages for simple “loss of control”.
The facts
The background is well-known. Google, over a period of months in late 2011 and early 2012, allegedly bypassed security settings on Apple iPhone’s Safari browser (“the Safari workaround”) in order to place a third-party cookie on millions of individuals’ iPhones whenever those users visited sites containing DoubleClick Ad content. Through those cookies, Google harvested millions of Apple iPhone users’ data. The data collected included, but was not limited to, location, age, sex, race, religion, sexuality, and interests. That data was used to generate targeted advertising, and, in turn, profit.
In so doing, Google had allegedly breached its obligations as a data controller under the DPA 1998 (the relevant legislation at the time) by processing users’ personal data without their consent or knowledge, contrary to the first data principle of the DPA 1998, and without schedule 2 or 3 justification.
The claim
Mr Richard Lloyd sought to bring a claim for breach of the DPA 1998 on behalf of the 4 million users in England and Wales and himself using the representative procedure set down in CPR Rule 19.6. That procedure requires all members of the class to have a “common interest” in the proceedings. As such, he argued that compensation could be achieved across the class on a “uniform basis” for pure “loss of control” of data using the principles set out in Gulati v MGN [2015] EWHC 1482 (Ch) (affirmed, [2015] EWCA Civ 1291), obviating the need to assess individually damage or distress on the part of any one individual.
Google opposed the application for permission to serve the claim form outside of the jurisdiction on the basis that the claim had no prospects of success, because (i) the class had differing entitlements to damages, which meant the claim was unsuited to the representative procedure, and (ii) “loss of control” damages were unavailable as a matter of law under the DPA 1998.
The outcome
The Supreme Court, overturning the Court of Appeal, agreed with Google:
Assessment of Damages and the Representative Procedure
The representative procedure allows for claims to be brought by or against individuals who fall within a represented class where each individual comprising that class has the “same interest in the claim”. The procedure has therefore commonly been used to seek declarations as to the rights of a specific group. Because the procedure does not usually allow for the participation of every member of the class, its use will be inappropriate where the individual circumstances of the representative class must be assessed in order that a remedy be granted.
Damages in English law seek to put the individual in the same position they would have been, but for the wrong suffered. Without the participation of those individuals, a proper award cannot usually be made. As such, a case in which individualised damages would require assessment would be inappropriate to the representative procedure.
Lord Leggatt could see no difficulty in theory with a “bifurcated approach” being taken in the representative proceedings. Mr Lloyd could have brought a claim on behalf of the representative class to establish whether Google was in breach of the DPA 1998, seeking a declaration to the effect that any member of the represented class who suffered damage because of the breach be entitled to claim compensation. Individual members of the class could then have sought individual assessment of those damages. [81]
Nor would there necessarily have been an issue in seeking damages as a remedy under Rule 19.6 where members of the group were all affected to the same extent. For example, if all members of the group had been erroneously charged a certain, fixed amount on a purchase or in a bill, then all claimants might be seen to have the same interest in the claim. [82]
Lord Leggatt pointed out, however, that the Safari workaround was not uniform across the class. [86] Some individuals were heavy internet users, whilst others would have engaged in little activity. The kinds of data collected and the extent of use of the data would have varied. [87] If Google were liable for the breach, then each individual’s compensation would accordingly vary and require individual assessment.
Compensation pursuant to DPA 1998
Crucial to Mr Lloyd’s case was the contention that an individual should be entitled to recover compensation under the DPA 1998 s.13 for pure loss of control of their data, “without proof of material damage or distress whenever a data controller fails to comply with any of the requirements of the Act in relation to any personal data of which that individual is the subject, provided only that the contravention is not trivial or de minimis”. [110]
That argument was based on Gulati, in which the successful pleading of the tort of misuse of private information did lead to an award of damages for loss of control of private information. Mr Lloyd argued that because both the tort and the legislation stemmed from the individual’s right to privacy, the remedies ought to be read in line with one another. In essence, Mr Lloyd sought to extend the statutory regime meaning of ‘damage’ to cover pure ‘loss of control’.
This argument fell down on a plain reading of s.13:
“(1) An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage.
(2) An individual who suffers distress by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that distress if –
(a) the individual also suffers damage by reason of the contravention, or
(b) the contravention relates to the processing of personal data for the special purposes.
(3) In proceedings brought against a person by virtue of this section it is a defence to prove that he had taken such care as in all the circumstances was reasonably required to comply with the requirement concerned.”
First, Lord Leggatt noted that it is contrary to the legislation to consider that any breach of the DPA will give rise to compensation; the breach must be ‘non-trivial’. Second, damage or distress (following the read-down definition of s. 13 set out in Vidal-Hall v Google Inc [2016] QB 1003) on the part of the individual must be shown as a result of the breach. Neither was possible in the context of the representative action.
Importing principles applicable to the tort of misuse of personal information into the statutory damages regime was unwarranted [112-113]. As Lord Leggatt said, “there is no reason on the face of it why the basis on which damages are awarded for an English domestic tort should be regarded as relevant to the proper interpretation of the term “damage” in a statutory provision intended to implement a European directive.” [124]
The fact was that Mr Lloyd had not pleaded misuse of personal information. If he had done, ‘user damages’, awarding each class member a hypothetical ‘release fee’ for which they would have allowed Google to harvest their data might have appropriately quantified the value of the users’ loss. However, such analysis would have depended upon the individual circumstances of the users; heavy users with more sensitive or valuable data could well have sought a higher amount. [106] This would have taken Mr Lloyd’s claim outside of the representative procedure.
Finally, as Lord Leggatt said, even had it been unnecessary to show that an individual “has suffered material damage or distress as a result of unlawful processing of his or her personal data, it would still be necessary for this purpose to establish the extent of the unlawful processing in his or her individual case”. [144]
Lord Leggatt also rebuffed the Claimant’s contention that it would be possible to identify an “irreducible minimum harm” suffered by every member of the class which he claimed to represent, for which a “uniform sum” of damages could be awarded. Lord Leggatt acknowledged that such a finding would fall within the Court’s discretion in the appropriate case, but pointed out that without taking individual circumstances into account, the facts alleged on behalf of the ‘lowest common denominator’ would be insufficient to show any non-trivial breach of the DPA in any event. [147, 153]
Comment
Although LJ Leggatt agreed that “…the very simplicity of the representative rule is in some respects a strength, allowing it to be treated as “a flexible tool of convenience in the administration of justice” and “applied to the exigencies of modern life as occasion requires””, [68] the effect of the judgment will be to stymie much ‘opt-out’ collective action. Low-value claims that are based on a general assertion of distress have become that much harder, if not impossible.
In addition, in a representative action, there will generally be a mismatch of resources. The members of the class (or the representative) when faced with a company which has comparatively unlimited resources, such as Google, will likely require outside funding. That funding will rarely be forthcoming where the only remedy sought at first instance is a declaration and where the assessment of subsequent damages now needs to be considered in the light of this judgment. It may be that Lloyd has tipped the balance further in favour of more powerful players.
Finally, the DPA 1998 has been superseded by the GDPR and the DPA 2018 and the Court in Lloyd did not address the GDPR, so there is a question over whether the Court’s conclusions here would apply to the GDPR. However, GDPR Article 82(1) is similar to DPA 1998 s.13, in that it allows for compensation for both “material or non-material damage”, and Recital 85 specifically mentions loss of control as a form of “physical, material or non-material damage”. Furthermore, should the same facts in Lloyd have been within the scope of GDPR, it seems likely the representative procedure would have been considered unsuitable for the same reason.
