Landmark Supreme Court Judgment leaves Google “Feeling Lucky”
Google’s homepage still encourages internet users to search for information by clicking the “I’m Feeling Lucky” button. That phrase surely sums up the mood in the camp at Google after the Supreme Court refused to grant Mr Lloyd permission to serve a £3 billion representative claim on Google in Delaware. Google, along with other large data controllers, will be breathing a huge sigh of relief.
This article was first published in Solicitors Journal: Lloyd v Google: A landmark Supreme Court judgment.
The decision is undoubtedly a setback for claimants, and their lawyers, in the developing field of “opt-out” data protection group claims. The alternative “bifurcated approach” suggested by the Supreme Court is outlined below, and raises many practical difficulties which could ultimately render it unviable.
However, the complex judgment does include some interesting nuggets about the judicial approach to both data protection claims and to representative actions more generally. Accordingly, while the door for such claims has not been swung open in the way that some corners (including the Information Commissioner) may have hoped, the door certainly remains ajar for future data protection group claims.
The claim arises out of the so-called “Safari Workaround”, which is said to have allowed Google to bypass Safari’s cookie settings and secretly track the internet activity of millions of iPhone users. Google is alleged to have used the data it harvested from the workaround for commercial purposes without the consent or knowledge of the iPhone users.
The facts giving rise to the claim are well-documented and have led Google to pay hefty civil penalties and settle consumer actions in the US. No redress has yet been obtained on behalf of the more than 4 million iPhone users in England and Wales who claim their data was illegally stolen and commercialised. Mr Lloyd, a former director of the consumer group Which?, had hoped to rectify this. He sought to make innovative use of the representative procedure provided for by CPR 19.6 and act as the class representative for each and every iPhone user affected in England and Wales on an ‘opt-out’ basis.
The Supreme Court Judgment
A path for finding in favour of Mr Lloyd had been paved by Vos LJ in the Court of Appeal. Google successfully appealed to the Supreme Court, who held that:
- Damages for breaches of section 13 of Data Protection Act 1998 (“DPA”) for “loss of control” of data could not be awarded unless there was proof that the relevant breach had caused material financial damage or distress. The Supreme Court held that it would not be appropriate to award damages for an infringement of the right in and of itself (as is permitted in claims arising from the tort of misuse of private information) because this would be contrary to the construction of the DPA 1998, and also because of material differences between the two regimes; and
- It was not appropriate for Mr Lloyd to pursue the claim using the representative procedure under CPR 19.6. This is because the claim, as formulated, would require an individual assessment of damages on a claimant by claimant basis, thus taking it outside the scope of CPR 19.6. Each iPhone user would have suffered different losses depending on the amount of data harvested by Google and the nature of that data (i.e. whether it was particularly sensitive or private). Even if the claimants were entitled to user damages akin to those awarded in misuse of private information claims (i.e. damages calculated by reference to a notional licence fee payable to each claimant by Google), these user damages would also need to be calculated on a claimant by claimant basis. The court rejected Mr Lloyd’s argument that each claimant should be awarded ‘lowest common denominator’ damages of £750 because, even if such user damages were permitted (which the court denied), the damage set out in the claimant’s pleadings would not pass the de minimis threshold.
The Bifurcated Approach
In the judgment, the court acknowledged the various shortcomings of the representative regime under CPR 19.6, and expressed its preference for these shortcomings to be addressed by parliament. In the intervening period pending any such legislative reform, the Court suggested that Mr Lloyd’s claim (and its equivalents) should be pursued using a bifurcated approach. Under the bifurcated approach, Mr Lloyd should first issue proceedings to establish liability on the part of Google, following which individual claimants could issue secondary proceedings to determine their individual damages.
While it is commendable that the court attempted to provide Mr Lloyd with the alternative bifurcated solution, there are many practical difficulties which may render the approach unfeasible. For example, such an approach is likely to be unattractive to litigation funders, without whom most group claims would not get off the ground. Funders would be required to commit their capital for a longer period of time (i.e. for two sets of proceedings rather than one) in circumstances where they would not receive a direct return from the first proceedings, even if successful.
Further, in claims like Lloyd v Google, where the collective loss is substantial but the individual loss small, separate secondary claims to assess individual loss are unlikely to be cost-effective. While it is theoretically possible that such secondary claims could be pursued on an “opt-out” basis (assuming the claimants can be split into sufficiently large classes), the court raised an open question about the recoverability of litigation funding premiums in “opt-out” class actions given that individual claimants would not have consented to the funding terms.
Notwithstanding the difficulties highlighted above, the judgment does not mean that all group claims for breaches of data protection are now dead in the water.
The claim in Lloyd v Google relates to the law set out in the DPA 1998. That law is no longer in force, and the court specifically declined to be drawn on whether the claim would stand under the DPA 2018 and GDPR (noting that, unlike the DPA 1998, article 82 of the GDPR permits compensation for non-material damage).
In addition, while the claimants in this case did not seek to bring a claim under the tort of misuse of private information (presumably because of the requirement to establish a legitimate expectation of privacy, which may have been difficult given the varied browsing history of the class), it is not inconceivable that such an “opt-out” group claim could arise under different circumstances. For example, in circumstances where there is a sufficiently large group of individuals who have been the victims of a data breach relating to data which is undoubtedly private (e.g. medical records). In this regard, it is notable that the court declined to uphold Google’s argument that Mr Lloyd, as self-appointed class representative, could not seek damages on a “lowest common denominator basis” as he did not have authority to waive major parts of any individual claimants damages. The court’s position on this is interesting because it provides a potential work-around to the individual assessment of damages problem which proved to be a significant stumbling block for Mr Lloyd.
Finally, it is worth noting that Mr Lloyd’s claim may not have stumbled on the individual assessment of damages point had it concerned anti-competitive behaviour and been heard before the Competition Appeal Tribunal (“CAT”). The CAT has the power to award damages to groups on an aggregate basis, and does not have to involve itself directly in the mechanics of how such damages are shared (provided it is satisfied that the chosen mechanism is “just”). This being so, had the claim been framed as an abuse by Google of its dominant position, the outcome may have been very different. This is certainly food for thought for future claimants, and may well lead to renewed calls for the CAT regime to be rolled out to all sectors.
Caroline Harbord is a Senior Associate and Nick Owen an Associate in the Commercial Disputes team here at Forsters LLP.