Lloyd v Google – What now for mass data breach and other consumer claims?

In Lloyd v Google LLC [2021] the Supreme Court blocked a “US-style” class action which would have opened the floodgates for mass compensation claims for “loss of control” over users’ personal data without having to prove actual loss.

The decision is good news for businesses and has implications for consumer class actions generally. Our Commercial Disputes team considers the implications.

Class actions in England and Wales

Digital technologies have increased the potential for mass harm for which compensation may be sought.  However, bringing a class action, where a single person brings a claim and obtains compensation on behalf of a class of people who have been affected in a similar way by alleged wrongdoing, is difficult in England and Wales, outside the field of competition law which has a dedicated procedure for such claims.

What was the background to Lloyd v Google?

Mr Lloyd, a former director of the Consumers’ Association, backed by a litigation funder, sought to bring a claim against Google using the little-used “representative action” procedure.  The procedure, which is similar to a “US-style” class action, allows a claim to be brought by one person, as representative of others with identical claims, without the need for the latter to proactively “opt in” (which is often not practical where a large number of people are involved, and the value of individual claims is small).

The claim was on behalf of a class of more than four million UK-resident iPhone users.  It was alleged that some of their internet activity was secretly tracked by Google, for commercial purposes, in 2011/2012, in breach of Google’s duties as a data controller under the Data Protection Act 1998 (DPA) which was the law in force at the time (having since been replaced by the UK GDPR and the Data Protection Act 2018).

Compensation was claimed on behalf of the entire class under section 13(1) of the DPA which provided that “An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage”.

To meet the requirement that the claims were identical in terms of the amount of compensation sought, Mr Lloyd argued that “damage” in section 13(1) included “loss of control” over personal data.  As a result, compensation could be awarded for (non-trivial) loss of control over personal data without the need to prove that class members had individually suffered financial loss or distress.  A common “minimum harm” sum of £750 for each class member was proposed, totalling approximately £3 billion.

Mr Lloyd needed the court’s permission to serve the claim on Google in the USA. Google objected on the basis that (a) compensation could not be awarded under the DPA for loss of control over personal data without proof that it had caused financial damage or distress and (b) the claim should not proceed as a representative action.

The High Court ruled in favour of Google.  The Court of Appeal reversed that decision.  Google appealed to the Supreme Court.

What did the Supreme Court decide?

The Supreme Court unanimously ruled in Google’s favour, for the following reasons:

• “Damage” in section 13(1) does not extend to “loss of control” over personal data. To succeed in a claim under section 13(1) it is necessary to prove that class members individually suffered financial loss or distress.
• The court needs to consider the extent of the damage for each class member: how were people affected, for how long, in relation to what sort of data? Without that evidence, it would be impossible to conclude that the damage was more than trivial and therefore there would be no right to compensation.

In conclusion, the requirement that the claims were identical in terms of the compensation sought was not met so the action against Google was “doomed to fail”.

What are the practical implications?

This is an important decision which effectively closes the door on the use of the representative action procedure to bring data breach class actions under section 13 of the DPA, which will be a relief to many businesses.  However, the door has been left ajar for other data breach and consumer class actions to be brought on a representative basis for the reasons outlined below.

• Representative actions – if claims require no individual assessments of compensation (e.g. all class members have been wrongly charged a fixed fee, or the same product has been supplied to all the class members suffering from the same defect which reduced its value by the same amount) then the representative action procedure may be used.
• Two-stage representative actions – if claims require individual assessments of compensation then the representative action procedure may be used on a two-stage basis.  A declaration from the court may be sought on liability, leaving class members to pursue individual claims for compensation.  Although success in the liability stage would not of itself generate any financial return for the litigation funders, the market may adapt so that sufficient returns can be made overall for this to be a financially viable option.
• Representative actions under different data protection legislation – the issues in this case were considered in the context of the Data Protection Act 1998.  It is possible that the same or similar arguments may succeed in relation to the different wording of the UK GDPR and the Data Protection Act 2018, or under the alternative regime of the misuse of private information.

How can we help?

This is a fast moving area of the law with significant financial and reputational implications for businesses.  If you would like advice on defending data breach or other consumer claims, please speak to a member of our Commercial Disputes team below.