Lloyd v Google – will the gates open or shut on data breach class actions?

04 May 2021

Introduction

In this claim the claimant, Mr Lloyd, is seeking to bring a representative action against Google in relation to its collection of data, without consent, from those who used Apple’s Safari browser. The case is of great significance because (i) representative actions are very unusual in the UK and are “opt-out”. This means that they are the closest thing we have to US-style class actions where all those in the affected class are a party to the claim unless they opt out (ii) the Court is considering the extent to which those who do not suffer substantive harm or loss as a result of a breach of their data privacy rights should nonetheless be entitled to compensation. Google succeeded in the High Court (which was clearly of the view that the claim was a fee generating exercise for lawyers) but Mr Lloyd was successful in the Court of Appeal (which felt that someone who had lost control of their data as a result of the unlawful actions of a third party who had used that data without their knowledge or consent should be compensated whether or not they have suffered any damage or distress). Going into the Supreme Court the case was therefore finely balanced. We summarise below the key submissions and provide some thoughts as to the areas that engaged the interest of the Supreme Court.

Submissions from Google:

Preliminary points

  • Google argued that the general rule is that breach of statutory duty is not actionable of itself and that the severity of the breach must be taken into account before an individual is entitled to damages. Each claimant should be required to prove that harm was suffered.

  • However, Google agreed with the Court of Appeal when it said that there was a threshold of seriousness that had to be met before any damages should be awarded.

1. Damages

  • Section 13 of the Data Protection Act 1998 provided that “An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage”. ‘Damage’ meant both material and non-material damage. Nevertheless, the wording required the individual to suffer damage before they were entitled to compensation. Not every contravention would cause damage.

  • The Court of Appeal could not be right when it said that any loss of control of data is wrong and was capable of being compensated.

  • The focus should be on the seriousness of the harm not the seriousness of the breach.

2. The Representative Action

  • The rules require all members of the representative class to have the same interests and the Court should consider whether there are practical difficulties in finding whether an individual is a member of a class. The Government had considered the point and decided that it was inappropriate to introduce an opt-out collective procedure for claims in the data protection field. Therefore, it was inappropriate for the judiciary to stretch the existing rules and allow opt-out actions.

  • There were practical difficulties in identifying the affected users in terms of who had the relevant cookie within the relevant period. The individuals must be identifiable.

3. Was the Court of Appeal entitled to overrule the High Court judge?

  • Google argued that the Court of Appeal could only overturn the High Court decision on limited grounds. The Court of Appeal said that the High Court took into account two irrelevant considerations. Google disagreed and said that they were relevant:

a) The inability to identify the members of the class. Google argued that the High Court was entitled to take into account the practical factors.

b) Members of the class had not authorised the claim. Google said that the High Court did recognise this. Google argued that whilst the fact that members of the affected class had not authorised the claim was not a bar to a representative action, that did not mean that it was not a relevant consideration.

Google’s additional points

Mr Lloyd had argued that the Courts had the power to direct that any person not be included in the class. Google disagreed and said that:

  • the represented claimants may not know of the action at all;
  • even if they did, they may not know if their circumstances would be relevant or not;
  • they may also ignore the fact that they have a significant claim;
  • for a lay person to make an application to court is no simple matter, and they may incur legal costs.

Google also argued that the fact that the court would not be able to reach a uniform award of damages was fundamental and emphasised that not all members of the class will have suffered the same level of loss of control.

Submissions from Mr Lloyd

  1. Mr Lloyd argued that previous cases involving phone-hacking cases showed that damages are recoverable for loss of control and loss of autonomy and not just consequential harm and distress. Misusing private information without causing upset was still a wrong and can attract damages. Otherwise, the individual right would be meaningless.

  2. Google had suggested that young people would not suffer distress and therefore could not recover damages. This was inconsistent with Article 8 of the European Convention on Human Rights (which protects privacy and family life) and the case law.

  3. Google’s construction of section 13 of the DPA would limit the availability of other remedies (such as rectification, blocking and erasure) as these were only available if the individual had suffered damage and was entitled to compensation under section 13.

  4. In considering whether the relevant breach meets the de minimis threshold the court should concentrate on issues of seriousness and wrongdoing. The Justices challenged Mr Lloyd’s counsel on this and asked whether he should be concentrating on the level of harm rather than on the manner of the breach. Counsel explained that due to the breadth of the class action, he could not focus on the individual claims but was focusing on the nature of the breach.

  5. Mr Lloyd argued that since the claim was at a very early stage he did not know what the lowest common denominator is between all the members of the class. Notwithstanding how big or small the average damage is, consent still needed to have been given. The Justices challenged this and suggested that mere interferences that do not cause damage are unlikely to attract significant damages, if any.

  6. Mr Lloyd argued that it was likely that Google deprived the members of the class of the right to have their data processed in accordance with data protection laws. The Justices challenged this and suggested that the starting point should be an assessment of what Google did with the collected data. Unless this exercise was undertaken, it was not possible to put a value on the damage.

  7. The members of the current class had all been brought together for a common interest. If some members did not wish to be represented by the class they had the ability to opt out.

  8. A class action would be beneficial to avoid unnecessary duplication of civil claims leading to a duplication of costs. It also allowed access to justice.

  9. Mr Lloyd accepted the practical difficulties that a judge would have in identifying members of the class. However he argued that it would be extraordinary if the court ruled that the class action could not proceed before knowing anything about Google’s defence.

Mr Lloyd’s team argued that for these reasons the Court of Appeal was correct and, although the proceedings included a novel and innovative use of procedures, a representative action was a proper way to provide a remedy and access to justice.

Submissions on behalf of the Information Commissioner’s Office (“ICO”)

The ICO emphasised the importance of the right and obligation to control personal data. The ICO said that this right is not abstract and was a central feature of what citizens want and expect from data protection rules. A decision to share data was a fundamental one as well as engaging rights of privacy and autonomy.

Article 79 of the UK GDPR contained a right to an effective legal remedy against a controller or a processor. Each person whose data was mishandled should have a remedy in the courts.

What happens next?

Judgment is awaited with bated breath. A finding for Mr Lloyd will potentially open the floodgates to many more such class actions and may well lead to more claimant firms, claims management companies and litigation funders moving into this field. This would obviously be bad news for businesses and their insurers. The Supreme Court is also likely to comment on the threshold of seriousness for claims. Were it to remove the threshold an important barrier will have been taken away. If it endorses it and/or raises it this will be welcome news for businesses and their insurers.

The first impression from the BLM team who attended the hearing was that the Justices were content with the majority of Google’s submissions, with little clarification or intervention needed on the long-established current position of the law. However, when it came to Mr Lloyd, they were less forgiving, with Lord Leggatt and Lord Sales especially keen to challenge and question several of Mr Lloyd’s submissions, at times even questioning the objectives behind the action other than that of generating income for lawyers and funders. Whilst predicting how judges are thinking can be a fruitless exercise the impression we had was that there was some discomfort with Mr Lloyds’ position. If that is borne out by the judgment it will be welcome news for businesses and their insurers.

Written by Partner Tim Smith and Trainee Solicitors Nicola Howlett and Emanuele Santella

<< Back

Disclaimer: This document does not present a complete or comprehensive statement of the law, nor does it constitute legal advice. It is intended only to highlight issues that may be of interest to customers of BLM. Specialist legal advice should always be sought in any particular case.

Related Sectors


Who to contact


For more information about any of our news releases, please contact:

Natalie King
 +44 20 7638 2811
+44 20 7920 0361
Email Natalie

Jo Murray
+44 20 7638 2811
+44 20 7865 4849
Email Jo

|

You may also be interested in

BLM celebrates promotions

BLM celebrates promotions

Newsone month ago
Cookie Monster or One Smart Cookie?

Cookie Monster or One Smart Cookie?

Newsone month ago
This is not just any IP dispute…

This is not just any IP dispute…

News2 months ago

Not what you are looking for? Click here!