Last November, privacy lawyers around the world waited with bated breath as the Supreme Court determined the outcome of Lloyd v Google. Had Lloyd won, the UK would have had the toughest data protection regime in the world, combining the already comprehensive UK GDPR regime with an opt-out, US-style class action regime. This would have significantly impacted businesses and organisations of all sizes. Despite the court’s ruling in favour of Google, privacy experts, compliance managers and lawyers alike have been unable to breathe a real sigh of relief, because the ruling raises fundamental questions about what it means for the future.
UK Data Protection: A Brief History
The two main forms of data protection legislation in the UK are the Data Protection Act 2018 (replacing the DPA 1998) and the UK GDPR 2020 (previously the EU GDPR). The key differences include (amongst other things):
- The GDPR states that an individual has the right not to be subject to automated decision making and profiling, whereas the DPA allows for this where commercial needs justify it.
- The GDPR ensures all data-subjects have rights in relation to the processing of their personal data (creating requirements for companies to notify and obtain consent before storing and processing the personal data of individuals).
- The GDPR allows for non-material damages whereas the DPA requires that damages can only be obtained where a claim can be made for pecuniary damages or distress.
Lloyd v Google is concerned with the DPA by virtue of when the breach occurred (2011/2012), but it’s important to recognise the distinction.
A representative action is a form of class action where a few represent the many. It’s more colloquially known as an opt-out action: those affected are automatically considered to be part of the class action unless they expressly opt out.
Lloyd v Google was primarily concerned with Google’s ‘Safari Workaround’, a workaround that allowed the big tech company to place cookies on users’ devices without having to obtain their consent. These cookies allowed Google to follow users’ behaviour and curate targeted ads. This is widely considered an egregious violation of users’ privacy rights, and the big tech company was fined by US regulators (although the UK Information Commissioner took no action).
Lloyd issued a representative action (under Rule 19.6 of the Civil Procedure Rules) on behalf of the 4 million iPhone users in the UK, for a claim of £3 billion (roughly £750 per iPhone user).
In order for a representative action to be successful, all members of the class must have the same interests in the claim, including in the relief sought. This is crucial because it means a claim for distress could not be made under a representative action, because the distress this privacy violation would have caused iPhone users would differ, depending on the behaviours tracked and the activities they may have been involved in. The courts made reference to super users - these are users who would have undoubtedly had more information tracked, by virtue of having higher levels of internet access to track than other users in the group.
Subsequently, Lloyd argued that compensation should be made available due to the loss of control this infringement caused. To ensure this loss of control was uniform, Lloyd applied the lowest common denominator approach, meaning that the compensation would be the same for all users.
This approach was criticised for being ‘doomed to fail’. The courts stated that under the old data protection legislation (Data Protection Act 1998) a claimant needs to show pecuniary damages or distress. In the absence of this, the claim could not be successful. The courts considered this to be a simple case of statutory interpretation: considering the will of Parliament in its construction of section 13 of the DPA, the claim was simply ‘untenable’. Some commentators argued that the claim should have been allowed when considering the DPA in conjunction with the Misuse of Private Information laws, but the courts rejected this also, outlining that these bodies of law were simply too different to be applied in conjunction.
Are representative actions viable?
‘It is better to go as far as possible towards justice than to deny it altogether’ Lord Leggatt
The courts did comment on the use of opt-out representative actions, with some support. They outlined that these types of actions could be used to pursue cases that included damages, provided these damages did not require an individualised assessment. Commentators have since speculated whether this would ever make representative actions appropriate for privacy actions.
In their discussion of future cases, the courts said that Lloyd’s ‘lowest common denominator approach’ meant that any possible award of damages would be so insignificant that it could not surpass the level of triviality laid out within the DPA to make the action enforceable. This raises the question: what level of damages would you need for a representative action to succeed? The examples proposed have included situations where a group of individuals have all been charged an incorrect fixed fee or where they have all received a defective product. This has led to the contemplation of whether this type of claim would ever be feasible following a data breach.
The courts and their discussion of the parameters of future representative actions
Same interest: this needs to be interpreted through the lens of the overall objective of representative actions, which is to provide a solution to cases where there are multiple claimants, whilst ensuring this is done in a manner that is efficient and economical. This is only plausible provided there are no conflicts of interest within the class.
Identification of class members: The courts outlined that any practical difficulties in identifying the class members should be considered when assessing whether a representative action can proceed. In the case of Lloyd v Google it was determined that the fact that only a few claimants would be able to recover damages should not in itself act as a reason to prevent the claim from proceeding.
Distribution of compensation: The courts did reference potential difficulties relating to the distribution of compensation, and whether there is a legal basis for part of this compensation going towards litigation funders where not all members of the class have consented to this. This was discussed only briefly by the courts, and experts in this area propose that it is a question that may be discussed in the future.
What does this mean for the future of opt-out claims in the context of data breaches?
Whilst it would be easy to conclude that this ruling means the death of opt-out cases in the UK, many believe Lloyd v Google isn’t the ending of the saga that is representative actions making their way to the UK courts.
Interestingly, the courts made no comment on whether the outcome would have been the same under the current UK GDPR, and many critics have begun to question whether this opens the door to a successful claim in the future. Could a representative claim under the UK GDPR be successful? This more recent data protection legislation does provide potential for compensatory damages for both material and non-material damages. What this means for future cases is both still in discussion and beyond the scope of this article, but it raises an important question that should be explored by anyone with an interest in this area.
The Supreme Court did discuss the scope for a bifurcated approach to group representative actions. This is an approach that uses a representative action to establish the facts and liability within a claim, before taking an individualised approach when establishing damages. Commentators have questioned this approach simply on the basis of economic considerations. Representative actions often rely on a litigation funder, and this raises the question: what is the economic advantage for a funder in instances where damages are then assessed on an individual basis?
The alternative to a representative action is a Group Litigation Order, differing on the participation of the class. Under Group Litigation Orders, participants must opt-in, often posing the challenge of individuals actively opting in. This type of action is made possible under rules 19.11 and 19.12 of the CPR.
It can be confidently presumed that there won’t be an influx of representative actions any time soon, but it will be fascinating to observe existing claims (those commencing before the Lloyd v Google ruling) that are instead concerned with the GDPR. Furthermore, anyone interested in privacy law should keep their eyes peeled for funders willing to undertake the bifurcated approach suggested by the courts.