Lloyd v Google: No damages without proof of damage

In Lloyd v Google LLC [2021] UKSC 50, the Supreme Court1 unanimously agreed that Mr Lloyd's claim against Google for breach of his data protection rights (and those of 4 million other Apple iPhone users) under s13 of the Data Protection Act 1998 (the "DPA") should not proceed.

In a judgment which will have a profound effect on collective redress, both in the context of data protection litigation and more generally, and which will be welcomed by data controllers and by the cyber-insurance industry, the Supreme Court overturned the decision of the Court of Appeal (summarised here). Restoring Warby J's finding at first instance, it held that damages for breach of the DPA are not actionable without proof of financial loss or distress. While the Supreme Court disagreed with Warby J's characterisation of the claim as "officious litigation", accepting that representative actions under CPR 19.6 are available in damages claims, it held that such actions cannot proceed where there is no evidence of damage to any claimant, still less the entire class.

Summary of key points

  • Damages for non-trivial breaches of s13(1) of the DPA require proof of financial loss or distress; "loss of control" of personal data is not enough.
  • Damages for the tort of misuse of private information and damages for a claim for breach of data protection legislation are not subject to the same test. The former is a strict liability tort where damages are available per se; the latter requires proof of damage.
  • The "same interest" test for representative actions does not mean that each claimant needs to have identical claims or interests. The requirement is that the representative's interests do not conflict with those of others. Providing there is no conflict, there is no reason in principle why all should not be represented by the same person.
  • Representative actions may be brought for damages claims but, save in exceptional circumstances, where the claimants have suffered the same loss, it may be preferable for these to be brought in two stages: a claim for a declaration on liability brought by a representative, followed by claims for damages by individuals or groups of individuals.
  • The judgment relates only to damages claims for data protection rights under the DPA, not claims brought under the UK GDPR and the Data Protection Act 2018 or to claims for misuse of private information, and there may still be scope for representative actions to be pursued in relation to such claims.

 

Background

The background to the claim and the decisions of Warby J and Court of Appeal are summarised in our earlier article.

In brief summary, Mr Lloyd was refused permission to serve Google outside of the jurisdiction at first instance, with Warby J characterising the attempt to use a representative action as "officious litigation, embarked upon on behalf of individuals who have not authorised it."

This decision was reversed by the Court of Appeal, who concluded that the authorisation of the members of the class or otherwise was irrelevant, and that the litigation was the only way of obtaining a civil compensatory remedy for what, if proved, was a "wholesale and deliberate misuse of personal data without consent, undertaken with a view to commercial profit".

The main focus of the Supreme Court's decision was the circumstances in which damages can be awarded under s13(1) of the DPA, but the judgment also contains significant analysis on the representative action procedure generally, and its applicability to claims for damages.

Can damages be awarded simply for "loss of control" of personal data under s13(1) of the DPA or must there be evidence of financial loss or mental distress?

The Supreme Court concluded that s13(1) of the DPA cannot reasonably be interpreted as conferring a right to compensation for a breach without evidence of financial loss or mental distress. A distinction is drawn in the wording of the statutory provision between a "contravention" by a data controller and "damage" being suffered by an individual. Compensation is only available where the contravention leads to damage occurring, not more generally as Mr Lloyd had contended.

In Google v Vidal-Hall2, the Court of Appeal established that damages for distress could be awarded under s13(1) of the DPA but only by disapplying section 13(2) of the DPA (which provided that damages under the DPA were only available for material damage, not distress) as incompatible with EU law. The Supreme Court found no basis for Mr Lloyd's contention that EU law provided a wider meaning to the term "damage" than that given by the Court of Appeal in Vidal-Hall.

Analogy with the tort of misuse of private information?

The Supreme Court also dismissed the suggestion that the principles identified in the High Court's decision in Gulati v MGN3 (a claim in which damages were awarded for the "loss of control" of personal data under the tort of misuse of private information) should apply to a claim under s13(1) of the DPA.

Mr Lloyd argued that because they both derive from the same "common source", namely the right to privacy under Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms (the "Convention"), it would be wrong to adopt different approaches to the question of damage in these claims.

However, the Supreme Court disagreed. Simply because two different legal regimes aim, in general terms, to provide protection for the same fundamental values does not mean they must do so in exactly the same way or by providing identical remedies. The protection afforded by the DPA and the Data Protection Directive extends far beyond the scope of Article 8 of the Convention. Crucially, it applies to all "personal data", not just confidential or private information in respect of which there is a "reasonable expectation of privacy".

The reasonable expectation of privacy, a critical component of the claim in Gulati, was wholly lacking in the way in which Mr Lloyd had presented this case. This point, the Supreme Court held, went to the heart of the issue: "[s]tripped to its essentials, what the claimant is seeking to do is to claim for each member of the represented class a form of damages the rationale for which depends on there being a violation of privacy, while avoiding the need to show a violation of privacy in the case of any individual member of the class. This is a flawed endeavour."

The Supreme Court also identified that the tort of misuse of private information is a strict liability tort, not a tort based on a "want of care". Data protection legislation, on the other hand, is "similar to an allegation of negligence in that it is predicated on failure to meet an objective standard of care rather than on any intentional conduct." To permit compensation for a failure to take reasonable care to protect personal data without requiring proof of material damage or distress would be "anomalous" when failure to take care to prevent personal injury or damage to tangible moveable property does require such proof. In conclusion, the analogy between the privacy tort and data protection legislation was "positively inappropriate".

User damages and alternative ways in which the claim was advanced

A claim for user damages means a claim for the wrongful use of an individual's property, where the economic value of that use can be quantified by the hypothetical fee that would have been agreed to permit use. Because of the Supreme Court's interpretation of the requirement to prove financial loss or distress in a claim under s13(1) of the DPA, the alternative basis upon which the claim was put, that is, for "user damages", was not available.

However, the Supreme Court considered the issue carefully, recognising "information about a person’s internet browsing history is a commercially valuable asset" and that "the law should not be prissy about awarding compensation based on the commercial value of the exercise of the right". It also saw no tension in asserting that information can at once be private, as well as a commercially valuable asset: "some people are happy to exploit for commercial gain facets of their private lives which others would feel mortified at having exposed to public view. Save in the most extreme cases, this should be seen as a matter of personal choice on which it is not for the courts to pass judgments".

The question as to why no claim was made by Mr Lloyd for misuse of private information (or for damages for distress under the DPA) was also considered. The Supreme Court noted that, in Vidal-Hall, the claimants produced confidential schedules showing the internet use and the information tracked, which was of an extremely private nature. It observed (no doubt accurately) that the difficulty in obtaining that evidence on behalf of the 4 million members of the potential opt-out claimant class might be the reason why Mr Lloyd instead sought to "break new legal ground" by applying the principles of the tort of misuse of private information to a claim under the DPA.

Should the claim be permitted to proceed as a representative action pursuant to CPR 19.6?

The decision on the availability of a claim under s13(1) of the DPA without evidence of damage or distress effectively precluded the claim from proceeding at all. However, the Supreme Court analysed the law on representative actions in detail. Although there is undeniably criticism of the approach adopted by Mr Lloyd in this case, the Supreme Court recognised the need for the "flexible tool" of representative actions, particularly in an age where digital technologies have significantly increased the potential for mass harm and, accordingly, the need for collective redress. The following points are likely to be of significance for future representative actions:

The "same interest" test

The Supreme Court emphasised that the "same interest" test must be interpreted purposively and pragmatically in order to comply with the overriding objective of the CPR and the rationale for the representative procedure. In a shift of emphasis from previous interpretations, it held that its purpose is to ensure that the representative can be relied on to conduct the litigation "in a way which will effectively promote and protect the interests of all the members of the represented class. That plainly is not possible where there is a conflict of interest between class members, in that an argument which would advance the cause of some would prejudice the position of others."

The focus on the avoidance of conflict and the motivation for all represented parties to be bound by the same judgment signals a move away from the more rigid interpretation of the "same interest" test. Instead of meaning that each claimant needs to have identical claims, the Supreme Court indicated that as long as advancing the representative's claim would not prejudice the position of others (even with divergent interests), there is no reason in principle why all should not be represented by the same person.

The Supreme Court also recognised that the modern realities of collective redress claims are very different from those prevalent at the outset of the representative action procedure. Instead of the claimant class being reliant upon one individual to "pursue vigorously lines of argument not directly applicable to their individual case", the current context is that "proceedings brought to seek collective redress are … typically driven and funded by lawyers or commercial litigation funders with the representative party merely acting as a figurehead."

The ability to "opt out"

The Supreme Court clarified that a representative action does not provide an inherent right for a member of the represented class to opt-out. There is, in principle, no need for a member of the class to even be aware of the claim in order to be bound by the result. However, it highlighted that the judge managing proceedings can impose a requirement to notify members of the class of the proceedings and provide a mechanism for opting out of the representative action or to limit the class to those who have expressly opted in, noting "the procedure is entirely flexible in these respects".

The Supreme Court also noted that, in principle, and without making a formal finding on this issue, a representative action may be brought on the basis that members of the class may be restricted in recovering the full loss they had suffered by virtue of the claim being pursued on a lowest common denominator basis4.

Damages

It is not a bar to a representative claim that the relief claimed is for damages, but the nature of damages claims (which normally require an individualised assessment) can mean a representative action is "not a suitable vehicle".

Where individualised assessment is unavoidable, the Supreme Court advocated the possibility of first deciding common issues of law or fact through a representative claim, leaving issues of quantum to be dealt with on an individual basis if necessary.

Where damages claimed in a representative action can be calculated on a basis common to all members of the class, there is no reason why the remedy cannot be pursued on that basis. The Supreme Court noted, in relation to competition claims pursued under s47C(2) of the Competition Act 1998, that damages can be awarded on an aggregate basis and allocated under the Court's direction. However, save for noting that difficulties may be encountered in relation to the distribution of damages in the context of representative actions, and that the rule on representative actions was silent on that point, it expressly declined to address the issue5.

Suitability of a representative action in this case

Even if its conclusion on the requirement to prove financial loss or distress were wrong, the Supreme Court held that the claim would not have succeeded as a representative action because of Mr Lloyd's failure to identify unlawful processing of data which had affected the claimant class. In the absence of evidence other than the fact that the claimant class had iPhones running the relevant model at the relevant time, the Supreme Court held that the damage could not be characterised as more than "trivial"6.

Assuming still further that the conclusion on the unavailability of user damages was wrong, the Supreme Court also held that, in the absence of any evidence as to unlawful processing of data, the user damages would have been valued at nil in any event by virtue of the way that the claimant class had been constructed7.

What the Supreme Court would have been prepared to entertain was a bifurcated approach, whereby a representative action was pursued for a declaration on liability that damage had been suffered, with separate actions by individual claimants pursuing damages where financial loss or distress had been suffered parasitic on such a finding. As above, it noted that such an approach may not have been attractive, or indeed viable, for those funding the litigation. It is also worth noting that the Supreme Court's judgment envisages an involved process in this regard8.

Conclusions

The impact on collective redress

The Supreme Court has made it clear that representative actions are permissible – even in damages claims – provided they can be properly articulated and managed. It has also potentially lowered the bar for establishing the "same interest" test, placing the emphasis on the avoidance of conflicting interests rather than establishing identical claims. Therefore, we can expect more activity in this regard, particularly in cases where losses are consistent amongst members of the affected class.

With regard to the future of representative actions in the context of data breaches, the Supreme Court's decision has undoubtedly significantly restricted the scope for pursuing such claims, which will be welcomed by data controllers and by the cyber-insurance industry.

However, amongst other things it is worth noting:

  • a clear precedent has now been established in relation to the availability of damages under s13(1) of the DPA. Compensation is not available without proof of financial loss or distress. However, the Supreme Court restricted itself to consideration of the application of the DPA (which has now been repealed), not the present UK GDPR regime. Under the UK GDPR (as implemented in the UK by the Data Protection Act 2018), the compensation provision is wider, providing for redress in respect of both material and non-material damages and specifically referring to loss of control of data9 as an example of the type of damage which may flow from a personal data breach. This opens the possibility that the result may therefore have been different under the UK GDPR, albeit a linguistic distinction between contravention and damage remains in the legislation10; and
  • it has been made clear that claims for misuse of private information are actionable per se, and user damages are recoverable in such claims, meaning that in appropriate circumstances, claims which might otherwise have been pursued for breaches of relevant data protection legislation may instead be pursued for misuse of private information. However, it is worth noting in this regard that claims pursuant to Article 32 of UK GDPR arising from non-deliberate data breaches (i.e. hacks) cannot be re-characterised in this way following the decision in Warren v DSG Retail Ltd [2021] EWHC 2168 (QB) (as to which see here). As the Supreme Court noted: "[t]he privacy tort, like other torts for which damages may be awarded without proof of material damage or distress, is a tort involving strict liability for deliberate acts, not a tort based on a want of care."

It therefore remains to be seen whether this really is the end of the road for representative actions in the context of breaches of data protection legislation in the English Court on the current state of the law. The position is likely to become more apparent as the various other claims afoot before the English Court which are being advanced on a similar basis, some of which had been stayed pending the Supreme Court's decision11, proceed.

Of course, putting to one side the viability of representative actions in the context of breaches of data protection legislation, it remains open to pursue such claims pursuant to group litigation orders ("GLOs") in any event. However, as explained in more detail in our article here, many claims which might otherwise have been pursued as representative actions are unlikely to be pursued as GLOs, as claimants (and, more importantly, their funders) may be unable to find an appropriate balance between the amount it will cost to build and manage a viable class and the amount likely to be recovered. It may be that the bifurcated approach proposed by the Supreme Court could, on further analysis, provide a potentially viable solution in this regard. However, there are obvious stumbling blocks that would need to be surmounted for this to be the case.

Statutory change?

As we reported here, in a report published by DCMS in February 2021, it was confirmed that there would be no change to the current regime to allow non-profit groups ("NPGs") to pursue opt-out data protection claims on behalf of individuals without their permission. DCMS' approach was summarised as follows:

"The government has considered the arguments for and against implementing Article 80(2) of the UK GDPR which would permit non-profit organisations to represent individuals without their authority. The current regime already offers strong protections for individuals, including vulnerable groups and children, and routes for redress. In the government’s view, there is insufficient evidence of systemic failings in the current regime to warrant new opt-out proceedings in the courts for infringements of data protection legislation, or to conclude that any consequent benefits for data subjects would outweigh the potential impacts on businesses and other organisations, the ICO and the judicial system."

In reaching this view specific mention was made of these proceedings as an example of the existing routes of redress available. It remains to be seen whether DCMS is now minded to reconsider whether, in fact, a new statutory regime is required to ensure that adequate access to justice is available to consumers in the context of breaches of data protection legislation. For the reasons set out above, following the Supreme Court's decision, it is highly doubtful that this is the case.

1 Lord Leggatt gave the leading judgment, with whom Lord Reed, Lady Arden, Lord Sales and Lord Burrows agreed.

2 Vidal-Hall v Google [2015] EWCA Civ 311.

3 Gulati v MGN Limited [2015] EWHC 1482 (Ch).

4 Lord Leggatt noted: "I am prepared to assume, without deciding, that as a matter of discretion the court could - if satisfied that the persons represented would not be prejudiced and with suitable arrangements in place enabling them to opt out of the proceedings if they chose - allow a representative claim to be pursued for only a part of the compensation that could potentially be claimed by any given individual."

5 Lord Leggatt noted: "[t]he recovery of money in a representative action on either basis may give rise to problems of distribution to the members of the class, about which the representative rule is silent. Although in Independiente Morritt V-C was untroubled by such problems, questions of considerable difficulty would arise if in the present case the claimant was awarded damages in a representative capacity with regard to how such damages should be distributed, including whether there would be any legal basis for paying part of the damages to the litigation funders without the consent of each individual entitled to them: see Mulheron R, “Creating and Distributing Common Funds under the English Representative Rule” (2021) King’s Law Journal 1-33. Google has not relied on such difficulties as a reason for disallowing a representative action, however, and as these matters were only touched on in argument, I will say no more about them."

6 Lord Leggatt noted: "[o]n the claimant’s own case there is a threshold of seriousness which must be crossed before a breach of the DPA 1998 will give rise to an entitlement to compensation under section 13. I cannot see that the facts which the claimant aims to prove in each individual case are sufficient to surmount this threshold. If (contrary to the conclusion I have reached) those facts disclose “damage” within the meaning of section 13 at all, I think it impossible to characterise such damage as more than trivial. What gives the appearance of substance to the claim is the allegation that Google secretly tracked the internet activity of millions of Apple iPhone users for several months and used the data obtained for commercial purposes. But on analysis the claimant is seeking to recover damages without attempting to prove that this allegation is true in the case of any individual for whom damages are claimed. Without proof of some unlawful processing of an individual’s personal data beyond the bare minimum required to bring them within the definition of the represented class, a claim on behalf of that individual has no prospect of meeting the threshold for an award of damages."

7 Lord Leggatt noted: "the starting point would therefore need to be to establish what unlawful processing by Google of the claimant’s personal data actually occurred. Only when the wrongful use actually made by Google of such data is known is it possible to estimate its commercial value. As discussed, in order to avoid individual assessment, the only wrongful act which the claimant proposes to prove in the case of each represented person is that the DoubleClick Ad cookie was unlawfully placed on their device: no evidence is - or could without individual assessment - be adduced to show that, by means of this third party cookie, Google collected or used any personal data relating to that individual. The relevant valuation construct is therefore to ask what fee would hypothetically have been negotiated for a licence to place the DoubleClick Ad cookie on an individual user’s phone as a third party cookie, but without releasing Google from its obligations not to collect or use any information about that person’s internet browsing history. It is plain that such a licence would be valueless and that the fee which could reasonably be charged or negotiated for it would accordingly be nil."

8 Lord Leggatt noted: "[i]n deciding what amount of damages, if any, should be awarded, relevant factors would include: over what period of time did Google track the individual’s internet browsing history? What quantity of data was unlawfully processed? Was any of the information unlawfully processed of a sensitive or private nature? What use did Google make of the information and what commercial benefit, if any, did Google obtain from such use?".

9 Recital 85 of UK GDPR notes: "A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned."

10 Article 82(1) of UK GDPR provides: "[a]ny person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered."

11 For example, the claims against SalesForce and Oracle (Rumbul v Oracle Corporation and others), Marriott (Rumbul v Oracle Corporation and others), Facebook (Carpio v Facebook, Inc and another), TikTok (SMO A child by Anne Longfield her Litigation Friend v TikTok Inc. and others), YouTube (McCann and others v. Google Ireland Ltd.) and Experian (Williams v Experian Limited).