Post-Lloyd v Google: Collective Redress in the UK for Breaches of Data Protection Legislation

Privacy & Cybersecurity Newsletter
January 2022

In November 2021, the UK’s Supreme Court handed down a widely anticipated judgment in Lloyd v Google.[1] In its unanimous judgment, the Supreme Court dismissed Mr Lloyd’s claim, refusing to allow it to proceed by way of a representative action (i.e., opt-out class action) under English procedural law. The claim had been brought on behalf of over four million iPhone users for alleged breaches of data protection legislation by Google. Because the claim never progressed beyond this preliminary stage, which was focused solely on whether the procedural mechanism of the claim was viable, the decision did not consider the merits of the underlying claim.

The Lloyd judgment significantly limits the ability of groups of individuals to pursue data controllers and processors for breaches of data protection laws in England and Wales. Whilst this decision may be an unwelcome development for individual data subjects (and the litigation funders who have invested significant amounts of time and money in backing these types of claims), it may be welcomed by corporations who handle large amounts of personal data.

The Supreme Court’s decision turned on the fact that Mr Lloyd had sought compensation of a uniform amount for each affected individual (£750), which was held to be the incorrect approach in the circumstances and thus incompatible with the English civil procedure that governs the representative claimant regime (namely Rule 19 of the Civil Procedure Rules (“CPR 19”)). The representative party mechanism under CPR 19 requires the representative to have the “same interest” as the other persons that they represent. Whilst the mechanism is frequently used in other types of litigation, e.g., claims brought by groups of shareholders and creditors, or beneficiaries of a trust, it had never been used in a claim for mass redress under data protection legislation as Mr Lloyd had sought to do. The key question was therefore whether Mr Lloyd had the same interest as all four million affected iPhone users, with respect to the type and quantum of damage suffered.

The Supreme Court held that he did not. It favoured an “individualised evidence” approach which would involve a bespoke assessment of damages for each affected person based on several distinct factors. In this case, those factors included: (i) over what period of time Google tracked the user’s browsing activity; (ii) what quantity of data was processed; (iii) whether any of that data was of a sensitive or private nature; (iv) what Google did with that information; and (v) whether Google obtained a commercial benefit from such use. The degree to which damages might vary between individuals and the complicated, lengthy assessments that would need to be undertaken to ascertain each individual’s compensation made Mr Lloyd’s claim entirely unsuitable for a representative action under CPR 19.

As to where this leaves prospective claimants seeking redress for data breaches, the path to justice is now much more uncertain, but the door has not been firmly closed on such cases. The Supreme Court did not say that data breach claims cannot be brought as representative actions, just that many are unlikely to be capable of proceeding through that mechanism. One route that the court suggested would involve a bifurcated approach, in which the claim first proceeds as a representative action in order to establish liability, which is then followed by separate actions by the individuals (or a single follow-up action brought by the group on an “opt-in” basis in which there is no representative and all individuals are parties to the action). However, this is acknowledged to be difficult to manage in practice (and highly unattractive to litigation funders).

It is possible that the CPR 19 representative action could work in certain types of claims where the damage is identical for each affected individual – e.g., arising from a data breach due to a hack of a customer database in which exactly the same type of data for each customer is compromised (such as contact information and credit card details). Some parties and funders may look to pursue claims in jurisdictions outside the UK – the Netherlands has an effective class action mechanism for judicial redress (i.e., “WAMCA” claims), which is already being used in relation to GDPR redress. It may also be open to individuals to pursue claims in the United States (if there is an appropriate jurisdictional nexus, such as the data controller being based there). Although an English citizen (Mr Elliott) recently had his GDPR class action against PubMatic Inc. dismissed in California,[2] others may look to pursue similar claims in the United States now that the UK is not a viable option for such actions.

It is likely that one or more of these routes will be tested before the applicable courts over the coming year. Whilst there is no certainty that any action will succeed, it is certain that parties, lawyers and funders will be focusing their efforts on discovering ways in which such actions can be brought going forwards (if at all).


[1] Lloyd v Google LLC [2021] UKSC 50
[2] Elliott v. Pubmatic, Inc. (4:21-cv-01497), California Northern District Court