In this post, Kenny Henderson and Alex Askew of CMS preview the appeal being heard over the next two days in the matter of Lloyd v Google LLC, which concerns a claim alleging that the appellant (‘Google’) breached its duties as a data controller to over 4m Apple iPhone users during a period of some months in 2011-2012, when Google was able to collect and use their browser-generated information.

The UK Supreme Court is set to hear the appeal in Lloyd v Google LLC, which will influence the availability and shape of class actions for data protection claims including, but not limited to, claims following data breaches.  The appeal will begin today in a two-day hearing before the Supreme Court.

In a landmark judgment in October 2019, the Court of Appeal found that:

  • members of the representative class action who were subject to the unlawful collection and exploitation of data could claim damages for the ‘loss of control’ of their personal data, even if the breach of data protection law caused no pecuniary loss or distress; and
  • members of the class did not need to be identifiable in practice and it was sufficient for the members to show that they had suffered the same kind of damage in order to meet the ‘same interest’ test required for the representative action procedure.

Historically, the English courts have policed the ‘same interest’ test in the representative action procedure tightly, and therefore it has been of limited utility to claimant law firms. If the Supreme Court upholds the Court of Appeal’s decision, there is a risk of a very significant increase in data privacy class actions with corresponding risks to businesses and public sector bodies that control or process significant volumes of data, irrespective of their sector.

Background

In May 2017 Richard Lloyd filed a claim seeking damages under section 13 of the Data Protection Act 1998 (“DPA98”) for infringement of data protection rights. It was alleged that over a period of six months in 2011-2012, iPhone customers had their internet activity tracked by Google using the “Safari Workaround.” The “Safari Workaround” utilised an advertising cookie which could be activated on an iPhone without the user’s consent, whenever the user visited certain websites. This advertising cookie allowed Google to gather browser-generated information which could indicate the date and time when a website was visited, how long the person spent on the website, and which pages they viewed as well as what adverts they watched and for how long. If an IP address was obtainable, the user’s broad geographical location could potentially be identified. This information would allow Google to direct advertising to the user tailored to his or her interests.

The headline-grabbing element of this case is that Richard Lloyd’s claim is not merely filed on his own behalf. Rather, he is seeking to utilise Rule 19.6 of the Civil Procedure Rules to pursue a representative action, a rarely used class action device.

The proposed class comprises an estimated four million iPhone users. Importantly, as used here, CPR 19.6 is an “opt-out” mechanism whereby persons within the parameters of the class are automatically included in the class (including a very large number of users who have no knowledge of the claim) unless they proactively choose to leave the group, i.e., they “opt-out”. Opt-out mechanisms are powerful procedural devices for aggregating claims which are individually low in value, and where there is limited incentive for class members to participate in “opt-in” mechanisms.

The issues before the Court of Appeal were whether Richard Lloyd should be granted permission to serve the claim out of the jurisdiction on Google in the United States, and whether the claim should be permitted to proceed under CPR 19.6. To answer these questions the Court had to consider whether class members had suffered damage under section 13 of the DPA98 and whether the class members had the “same interest” in the claim.

‘Loss of control’

The Court of Appeal ruled that damages could be awarded to claimants under section 13 of the DPA98, simply for loss of control of data caused by the actions of Google. This goes beyond the previously established entitlement to damages if a data breach causes distress. The Court of Appeal’s reasoning was significantly impacted by its earlier ruling in Gulati v MGN Limited [2015] EWCA Civ 1291 that, in claims for the tort of misuse of private information, damages could flow from the misuse itself and that claimants were not required to show pecuniary loss or distress. Although the cause of action in Gulati differed, the Court of Appeal noted that both the tort of misuse of private information and claims under the DPA98 are “founded on the same principle: namely, that privacy be protected”. Having regard to the EU principles of equivalence and effectiveness, the Court of Appeal concluded that the loss of control of personal data did sound in damages under section 13 of the DPA98.

Helpfully, the Court of Appeal confirmed that, as was agreed between the parties, there is a de minimis threshold to claims of this sort, and the circumstances of any data breach and the breach response will be relevant. The Court noted that the “[de minimis] threshold would undoubtedly exclude, for example, a claim for damages for an accidental one-off data breach that was quickly remedied.”

Representative actions

For the purposes of CPR 19.6, all of the claimants must have the “same interest” in order to qualify as members of the class. Historically, the English courts have policed the parameters of the “same interest” test strictly: Emerald Supplies Ltd v British Airways Plc [2010] EWCA Civ 1284.

In the High Court, Warby J decided that the iPhone users did not have the same interest because they would have suffered different levels of damage, including possibly no damage at all.

The Court of Appeal took a different approach, noting that the breach had had a common impact on all members of the class, namely “the right to control their private [browser generated information]”, and that it was not necessary to consider a person-by-person review of the “impact (if any) of the use of their data.” Having decided that each class member had suffered the same damage, namely loss of control over their personal data, the court concluded that the “same interest” test was met. Furthermore, the Court decided that it was sufficiently clear whether a given individual was a member of the class or not.

Implications

The availability of a procedural mechanism to bring opt-out data protection claims will be particularly concerning for businesses that control or process significant volumes of personal data. Potential exposure to opt-out claims on behalf of very large classes of data subjects could result in high-exposure claims.

In reliance on the Court of Appeal decision, a number of very large opt-out data protection class actions have been filed using the representative class action mechanism, including against Salesforce, Oracle, Marriott, Facebook, YouTube, TikTok and Experian. Data protection has traditionally been viewed as a regulatory issue, but the increase in large claims filed demonstrates that GDPR is on the cusp of evolving into both a regulatory and a class action issue. The decision of the Supreme Court will clarify the scope of this evolving risk.