Lloyd v Google LLC [2021] UKSC 50: Group Litigation in Data Protection

The Supreme Court has allowed Google’s appeal in Lloyd v Google [2021] USC 50 in a unanimous decision. Lord Legatt delivered the judgment. For a summary of what happened before the case reached the Supreme Court see my previous blog article here

Group Litigation

This judgment is about group litigation in data protection. Unlike in the United States (‘US’), it is not possible to bring class action lawsuits in the United Kingdom (‘UK’), with the exception of competition law claims under section 47B of the Competition Act 1998. For group litigation claims in data protection there are therefore only two possible routes: a Group Litigation Order (‘GLO’) or a representative action. The use of the latter procedure is infrequent, and this was the first time it has been attempted in data protection.

Whereas a GLO involves the selection of one or more claims to be tried as test claims where the claimants have to ‘opt in’ to the litigation procedure, the representative procedure automatically applies to anyone within the class of members to the action. The difficulty with the ‘opt-in’ GLO procedure is that it is more costly to bring such claims because it is necessary to examine each individual claimant’s claim for merits. Further, where the potential damages are likely to be low, it is usually not financially viable to bring them.  It has also generally been shown in past litigation, that it is difficult to persuade individuals to join group actions where the amount to be paid out to each is small.[1]

The representative action procedure, set out in CPR rule 19.6, requires each individual member of the class to have “the same interest in a claim”. The representative procedure is in fact not a recent concept but originated in the early 16th and 17th centuries. The Supreme Court’s judgment goes through its history in detail, but for the purposes of this article, I consider only that which is relevant to data protection.

The Factual Background

The factual background to this case is that Mr Richard Lloyd, a former executive director of the consumer watchdog Which?, brought an action for data protection breaches against Google LLC (‘Google’). Mr Lloyd was claiming that for several months Google had been tracking the internet use of Apple iPhone users without their knowledge or consent and had profited from the use of that tracking information. It was alleged that Google placed its ‘DoubleClick Ad cookie’ (‘the cookie’) on iPhone users’ Safari web browsers when the user visited a website that contained DoubleClick Ad content. 

The cookie would collect information on other websites that the user visited, known as ‘browser generated information’, and from this Google could infer information about the user, for example religious belief, age, gender, political affiliation, income level and so on. Google would then, essentially, profile users by putting them into groups based on their browsing habits and would sell these group profiles to subscribing advertisers who could target their advertisements to individuals.

These facts had already formed the basis of a class action suit in the US, where Google had agreed a settlement of $17 million. Mr Lloyd was bringing the claim in the UK on behalf of all iPhone users with the Safari workaround at the time of the alleged secret tracking, by using the representative procedure. The claim, if successful, would have entitled some 4 million people in England and Wales to receive compensation. The claim was seeking £750 per person, making the total amount sought for damages worth around £3 billion. 

The Legal Background

The facts forming the basis of the case took place when the Data Protection Act 1998 (‘DPA 1998’) applied to data controllers who were processing personal data. Section 4(4) of the DPA 1998 imposed a duty on the data controller to comply with the data protection principles and meet certain conditions in the processing of personal data. Where ‘sensitive’ personal data was processed, it was necessary to meet additional conditions.

Section 13 of the DPA 1998 provided as follows:

“(1) An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this act is entitled to compensation from the data controller for that damage.

(2) an individual who suffers distress by reason of any contravention by a data controller are there any of the requirements of this act is entitled to compensation from the data controller for that distress if-

(a) the individual also suffers damage by reason of the contravention, or

(b) the contravention relates to the processing of personal data for the special purposes.

(3) In proceedings brought against a person by virtue of this section it is a defence to prove that he had taken such care as in all the circumstances was reasonably required to comply with the requirement concerned.”

Compensation in Representative Claims

The difficulty with the representative data protection claim was in the valuation of damages. The claimant proposed two different ways of assessing the damages that ought to be awarded to each class member with an approach that ensured a uniform award of damages. This was because individual assessment would not have been possible in the way that the representative action procedure was being used by Mr Lloyd for the claim members to have the “same interest”. 

The Supreme Court pointed out that the problems in assessing damages would not have arisen had a ‘bifurcated’ process been adopted. That is, Mr Lloyd would first have sought, using the representative procedure, a declaration that Google had breached the DPA 1998 and owed compensation to those who had suffered damage as a result of the breach(es). Then as a subsequent stage, the amount in damages to be awarded to each individual would be assessed.[2] However, as the court recognised, it is unlikely that it would have been possible to attract funding for this approach. This is because there is no financial return at the first stage, and then there would be the difficulties of the ‘opt-in’ requirement at the second stage.[3]

Instead, two methods of calculation were proposed by Mr Lloyd. The first, was to calculate uniform per capita damages on the proposition that it is possible to claim for ‘loss of control’ of personal data where there has been a non-trivial breach of the DPA 1998, under section 13 of the act, without proof of financial loss or distress. This argument relied on (i) the approach to section 13 in the case Vidal-Hall v Google Inc [2016] QB 1003, (ii) the approach to damages awarded in the case of Gulati v MGN Ltd [2015] EWCA Civ 1291, and (iii) the fact that there is a common source in actions in privacy (Article 8 of the European Convention on Human Rights (‘the Convention’)) and data protection (Article 7 of the Charter of Fundamental Rights of the European Union (‘the Charter’)).

The second method was to seek ‘user damages’ assessed on an amount that the iPhone user and Google would have (hypothetically) negotiated “for releasing Google from the duties which it breached” and which would reflect “generalised standard terms (rather than an individuated basis) on which Google does business”.[4]

Uniform Capita Damages: Loss of control of personal data

(i) Vidal Hall

In Vidal-Hall, the Court of Appeal found that section 13(2) of the DPA 1998 could not be read compatibly with Article 23 of the Data Protection Directive 95/46/EC and it was disapplied. Given that an invasion of data privacy in most cases is more likely to give rise to distress than financial loss, it was concluded that permitting only claims for financial loss conflicted with Articles 7 and 8 (the right to data protection) of the Charter. Article 7 of the Charter is essentially equivalent to Article 8 of the Convention. After this ruling it became possible to claim for damages for non-financial loss, such as ‘distress’. In the present Supreme Court judgment, both financial and non-financial loss such as distress were referred to as ‘material damage’. 

The Supreme Court found that it was not possible to interpret ‘damage’ for the purpose of section 13 of the DPA 1998 as including a contravention of the DPA 1998 without proof of material damage. While the court concluded that it is possible to claim for ‘loss of control’ of personal data, to do so would require proof that the loss of control had affected the data subject. However, the fact that a data subject has lost control of their personal data, cannot in itself give rise to compensation. The Supreme Court stated that there is a distinction to be drawn between ‘contravention’ of the DPA 1998 and ‘damage’ and that the wording of section 13(1) necessitated a cause and effect.[5]

On this basis, even if Google contravened the first data protection principle by obtaining the personal data surreptitiously through cookies installed without consent, it would be necessary to show that this caused material damage to a member of the class. The Supreme Court agreed with Mr Justice Warby’s finding at first instance ([2018] EWHC 2599 (QB)) that the different class members would have used the Internet on their phone to varying degrees in the relevant period, that the sensitivity of the personal data collected would have varied between them, and that they themselves would have different attitudes towards the collection of their browser generated information.[6]

The object in awarding compensatory damages is to put the claimant into the same position that s/he would have been had the civil wrong not occurred. Therefore, if liability were to be established against Google, then the amount recoverable from each class member would depend on a variety of circumstances that would be particular to each individual, such as how often they used the internet on their iPhone, which websites they visited, how they felt about the fact that they were being tracked without their knowledge, and so on. 

(ii) Gulati and (iii) Misuse of Personal Data

In Gulati, it was found (and upheld by the Court of Appeal) that the claimants could be compensated in a claim for misuse of private information for the loss of control of their private information and not just the distress caused by that misuse. In Gulati therefore, the claimants were compensated for the loss, or diminution, of a right to control formerly private information.

In the Court of Appeal ([2019] EWCA Civ 1599), to which Lloyd appealed the decision of Warby J, the principle established in Gulati was found to be relevant to the present case. The basis of the finding for Lloyd in the Court of Appeal was that the principle identified in Gulati applied to the assessment of damages for compensation under section 13(1) because the misuse of private information and data protection legislation come from a common source. That is, both seek to protect the fundamental right to privacy guaranteed by Article 8 of the Convention. This approach was supported by the Information Commissioner. 

The Supreme Court disagreed for the following reasons. First, it found that the wording of section 13(1) gives a clear distinction between ‘contravention’ and ‘damage’ and only provides for compensation where the contravention can be proved to have caused material damage (see above). Loss of control of personal data, as put forward in the claimant’s case as actionable in its own right, without the need to prove material damage, was not considered possible on a domestic interpretation of the Act. It was also concluded that there was no incompatibility with the approach in section 13(1) with EU law because the wording in Article 23 of the Data Protection Directive also makes the same distinction.[7]

Second, the Supreme Court did not agree with the common source argument, declaring “there is no reason on the face of it why the basis on which damages are awarded for an English domestic tort should be regarded as relevant to the proper interpretation of the term “damage” in a statutory provision intended to implement a European Directive”.[8]  The fact that the tort misuse of private information and the DPA 1998 aimed to provide “protection for the same fundamental value” did not mean that the approach taken must be equivalent or “by affording identical remedies”.[9]

Accordingly, even though the misuse of private information requires an analysis of the application of Article 8 of the Convention, the approach to awarding damages for the tort “are governed by English domestic law and not the Convention” and the common source in Article 8 of the Convention “does not justify reading across the principles governing the award of damages from one regime to the other”.[10]

The fact that a claimant is only entitled to compensation for a contravention of the DPA 1998 where the data controller has failed to exercise reasonable care, which is not a feature of the misuse of personal information, was also pointed to by the Supreme Court as a significant difference between the two causes of action.[11] It noted that the misuse of private information is “a tort involving strict liability for deliberate acts, not a tort based on a want of care”.[12]

Further, at paragraph 136 of the judgment, it was stated that the EU law principles of equivalence and effectiveness did not assist the claimant’s argument because “a claim for damages under misuse of private information at common law is not a true comparator of the claim under section 13 of the DPA 1998. The principle of equivalence can therefore have no operation”.

User Damages and commercial gain 

‘User damages’ are damages that are awarded in tort where there has been the wrongful use of someone else’s land or tangible moveable property, even though the wrongful use has not caused the physical damage or financial loss to the property. The amount of damages awarded is determined by assessing what a reasonable person would have paid for the right to use the property in the way that it was (wrongfully) used. 

For the purposes of user damages, it does not matter if the owner of the property would in fact have exercised the right to control the use of the property had another not done so.[13] OneStep (Support) Ltd v Morris-Garner [2018] UKSC 20 clarified that user damages are compensatory in nature and are awarded to compensate for the interference with a right to control the use of property where the right is a commercially valuable asset. 

Mr Lloyd proposed that the type of loss experienced by the class was unconventional but that it is possible to calculate user damages for the wrongful use of the browser generated information. His argument was that “this value can be assessed by postulating a hypothetical negotiation and estimating what fee would reasonably have been agreed for releasing the defendant from the duty which it breached”.[14]

The Supreme Court agreed that a person’s browser generated information is a commercially valuable asset and that the “underlying reality” of the case is that Google was allegedly able to substantially profit by tracking and collecting that information to sell to advertisers.[15] There was no difficulty, in principle, with the contention that an individual could be awarded compensation based on the commercial value of the exercise of the right to control private information.[16]

However, Mr Lloyd was not pursuing a claim in misuse of private information. He proposed that it was possible to apply the principles on which user damages are awarded to data protection. The problem the Supreme Court identified was that to recover compensation for user damages, even if the court had concluded that damages for loss of control without proof of material damage was possible, that the claimant would still need to establish the extent of the ‘wrongful use’ of the personal data by Google and its commercial gain.[17]

A formulation suggested by the claimant – to identify an “irreducible minimum harm” suffered by each member of the class – was also rejected by the Supreme Court. This was because to qualify as a member of the class for the representative action, all that was necessary was to have owned an iPhone with the Safari workaround application during the relevant period. It was not necessary to show that the member of the class had visited a website that participated in Google’s DoubleClick advertising service at the relevant time because no evidence on internet browsing histories had been adduced.[18]

The “lowest common denominator” for all members of the class was therefore an iPhone owner who had the cookie on their device, but who had not been wrongfully tracked (because it had not been proven) and received no targeted advertisements.[19] The threshold of seriousness to give rise to compensation under the DPA 1998, on this scenario, had not been met.[20]

Approaching the valuation by considering a hypothetical negotiation between Google and the user did not make any difference to the court’s conclusion. The starting point for this type of valuation would also require the identification of the extent of the wrongful use by Google: “only then can an estimate be made of what sum of money could reasonably have been charged for that use”.[21] However, Google would not have negotiated a fee with a member of the class because based on the lowest common denominator description above, it would have been worthless to Google to place the cookie on the user’s phone but not have been able to track or collate the information from their browsing habits.[22]

Case Comment

The Supreme Court was explicit in the judgment that they were not considering the issues with reference to the General Data Protection Regulation (‘GDPR’) and the Data Protection Act 2018. Article 82 of the UK GDPR provides for the right to compensation to the data subject for an infringement of the Regulation. In similar terms to the DPA 1998, there is a relationship between ‘infringement’ and ‘damage’ such that it would be difficult to argue that there is any material difference with the previous regime. Liability is imposed on the controller in Article 82 only to the extent that it is responsible for the infringement that has caused the damage. A controller also has a defence in Article 82(3) if it “proves that it is not in any way responsible for the event giving rise to the damage”. It is therefore unlikely that the Supreme Court would have come to a different conclusion if it had been considering the UK GDPR instead of the DPA 1998.

The conclusion of the Supreme Court was not that group litigation in data protection is not possible, or that those whose personal data has been used without consent should not be compensated, or that it is not possible to claim for loss of control of personal data. Rather all this was possible, just not in the way that this particular claim had been framed. 

While the rulings of the Court of Justice of the European Union (‘CJEU’) have moved towards convergence in the approach to private life and data protection based on the Charter, the Supreme Court’s judgment shows the different path that the UK is likely to take. This judgment indicates that the judicial approach to the principles of data protection and privacy law, even though overlapping issues can arise, may be to limit their convergence. 

The CJEU has been referred a number of questions by Austria’s Supreme Court on some of the same issues that have arisen in Lloyd v Google. The CJEU has been asked to clarify whether for the purposes of Article 82 of the GDPR, a data subject is entitled to compensation for an infringement of the GDPR, or if it is also necessary to prove that damage has occurred. The CJEU has also been asked what the threshold of seriousness of the infringement must be to give rise to an award of compensation.

Post-Brexit, a CJEU ruling will of course not have any binding effect on UK courts, but it will be interesting for privacy and data protection practitioners to see the extent of the divergence of approach between Europe and the UK.

If you would like any further information or advice, I can be contacted at: privacylawbarrister@proton.me

[1] These examples were cited at paragraph 26 of the judgment: in Various Claimants v WM Morrisons Supermarkets Plc [2017] EWHC 3113(QB) of the 100,000 employees affected, less than 10,000 opted to join the action; in The Consumers’ Association v JJB Sports Plc [2009] CAT 2, although around 1.2 million people were affected by the price fixing in the sale of replica football shirts, only 130 people chose to join the action.

[2] See paragraphs 81 and 84 of the judgment.

[3] See paragraph 85 of the judgment.

[4] See paragraph 89 of the judgment.

[5] See paragraphs 120 to 123 of the judgment.

[6] See paragraph 87 of the judgment.

[7] See paragraph 121 of the judgment.

[8] At paragraph 124 of the judgment.

[9] See paragraph 124 of the judgment.

[10] See paragraphs 126 and 129 of the judgment.

[11] See paragraph 132 of the judgment.

[12] At paragraph 133

[13] See paragraphs 27 and 29 of the judgment.

[14] At paragraph 140 of the judgment.

[15] See paragraph 141 of the judgment.

[16] See paragraph 143 of the judgment.

[17] See paragraphs 144 to 148 of the judgment.

[18] See paragraph 151 of the judgment.

[19] Ibid.

[20] See paragraph 153 of the judgment.

[21] At paragraph 156 of the judgment.

[22] See paragraph 157 of the judgment.