Background: old facts, new claim?
This case (and the now-settled Vidal-Hall claims) all derive from Google’s alleged historic use of the ‘Safari Workaround’, which enabled the tech firm to track iPhone users’ internet browsing habits without their knowledge and in circumvention of Apple’s Safari’s protections against third party cookies.
What was novel about this case was that Mr Lloyd (ex-Chairman of the consumer group Which? and backed by the litigation funders Therium), was attempting to bring the claim as an ‘opt-out’ representative action under CPR 19.6. This “unusual and innovative use of the representative procedure” in the words of the Court of Appeal, was designed to ensure all iPhone users were treated as having the same interest in the claim against Google – said to total c£3bn – and avoid the need (for the litigation funders) to identify and sign them up individually. If successful, it could have opened the door procedurally to many more data privacy class actions, such as those already in train in relation to TikTok, Facebook and Marriott.
As Google LLC is based in the US, as an initial phase of his claim, Mr Lloyd applied to the court for permission to serve proceedings on Google outside of the jurisdiction. The High Court had initially dismissed his application and refused to allow his case to proceed as a representative action, before the Court of Appeal overturned the High Court’s decision.
Supreme Court judgment
The Supreme Court overturned the Court of Appeal’s decision. Two key elements of the decision were:
- compensation may only be awarded in statutory claims for ‘loss of control’ of personal data where the individual has suffered material damage, such as financial loss or distress. A mere loss of control does not automatically lead to a right to compensation under the DPA 1998. Though there may be different arguments in a misuse of private information claims (following Gulati), this approach to statutory claims chimes with the ‘threshold of seriousness’ established by the Court of Appeal, alongside recent findings that anxiety resulting from a breach of data privacy laws that falls short of ‘clinically recognisable psychiatric illness’ cannot constitute damage sufficient for an action (Warren v DSG Retail and Veale Wasbrough Vizards).
- individuals’ data is personal to them: the unique circumstances of individual class members cannot be reduced to a ‘lowest common denominator’ to support claims driven by litigation funders. It is not possible to recover damages without establishing that the alleged breach by the data controller caused the alleged damage for the relevant individual(s) in the class (which should take into account factors such as the period of time over which the breach occurred, the quantity of data unlawfully processed, the sensitive or private nature of the information, and its commercial use and value to the data controller).
It is worth noting here that the decision brings the legal position in line with the UK Government’s conclusion in February 2021 (following a call for views by the Department for Digital, Culture, Media and Sport) that the case for introducing an opt-out class action procedure into UK law is not strong enough.
However, in what will no doubt become the leading judgment on representative actions, the Supreme Court did allow a broader and more flexible approach to the representative action rule than had previously been seen, for example in Emerald Supplies. Critically, the Court suggested that a two-phase process may be available whereby a representative action could proceed on issues of liability but then be followed by an individualised assessment of damages. As Lord Leggatt recognised, it is difficult to see how such structure could be economic for litigation funders going forward. Having said that, it has been reported that the claim against TikTok, brought by the ex-Children’s Commissioner and which had been paused until the Supreme Court's decision in Lloyd v Google, will proceed as planned. We may therefore still see some representative actions for data privacy claims going ahead, albeit perhaps not through open floodgates.