Series
Blogs
UK: Lloyd v Google – Game over for privacy class actions?
UK: Lloyd v Google – Game over for privacy class actions?
10 November 2021
Series
Blogs
10 November 2021
The Supreme Court has today comprehensively dismissed Mr Lloyd’s representative (opt-out) action brought against Google in connection with the Safari Workaround. The decision addressed two key questions:
The Supreme Court also considered the proposal to bring claims on a “lowest common denominator” basis. The Court could not see that the facts which Mr Lloyd aimed to prove in each individual case were sufficient to surmount any threshold of seriousness (which on his own case had to be crossed before a breach of the 1998 Act would give rise to an entitlement to compensation).
The judgment will be welcome news to most businesses. Together with the decisions in Rolfe and Warren (discussed below), it is likely significantly to curb some of the momentum that had been building around potential scope for opt-out claims in data breach cases.
There are still some unanswered questions though. Notably, the Court confined itself to commenting on the position under the 1998 Act and declined to be drawn into discussing the UK GDPR - leaving the position there potentially unclear. And the precise scope of those cases where the class has suffered uniform damage or distress (in relation to which the Court indicated a representative action for damages could still be pursued) is also potentially unclear. Finally – and entirely unsurprisingly – we are still no closer to identifying the benchmark for compensation awards in data breach type cases, where some sort of damage or distress can be shown.
This case arose out of the “Safari Workaround” - essentially Google’s use of a technical workaround to bypass the cookie settings on the Safari browser and place tracking cookies without an individual’s knowledge or consent. This was a breach of privacy laws by Google for which it was fined by US regulators.
Mr Lloyd launched a representative action against Google for this breach. The use of a representative action is important as it is a form of “opt-out” litigation - the claim is made on behalf of everyone who is a member of a particular class of claimant unless they opt out. It contrasts with a Group Litigation Order which is “opt-in” and requires individual claimants to decide to become parties to the litigation.
This opt-out structure meant Mr Lloyd’s claim was made on behalf of the more than four million affected individuals in England and Wales. Mr Lloyd suggested each claimant should receive approximately £750 compensation each, which would indicate a total potential liability for Google of up to £3 billion.
However, in order to bring a representative action, each class member must have the “same interest” in the claim. This means any compensation sought on behalf of each claimant needs to be the same. And this requirement led Mr Lloyd to argue that compensation should be available under the 1998 Act for a mere “loss of control” of personal data, without proof of any (further) damage or distress. In this way Mr Lloyd was able to frame his claim as one for a uniform per capita sum for each member of the class without reference to their individualised circumstances and based on a “lowest common denominator”. For the reasons set out below, this ultimately proved fatal to the claim.
The Supreme Court confirmed that there were a number of potential claims that could be advanced in relation to the “Safari Workaround”. Mr Lloyd could personally have:
However, he chose not to advance either claim. As the Court noted, evidencing distress, or establishing that the affected individuals had a reasonable expectation of privacy (as required to make out a misuse of private information claim), would require an individualised assessment of the position of each member of the class, which was incompatible with the “same interest” requirement. Such claims could not, therefore, be brought by way of a representative action.
Instead, Mr Lloyd argued the courts could award compensation for “loss of control” of data under section 13 of the old Data Protection Act 1998 without the need to show material damage or distress. The Supreme Court rebuffed this suggestion in robust terms:
The Supreme Court noted that a claim such as this, relating to the Safari Workaround, would naturally lend itself to an award of “user damages” if it had been framed as a claim for misuse of private information. User damages involves assessing what fee a reasonable person would pay to use the personal data in question and using that to inform the level of damages awarded (see OneStep v Morris-Garner [2018] UKSC 20). Where a defendant’s very purpose in wrongfully obtaining and using personal information is to exploit its commercial value, the Court should not be “prissy” about awarding such compensation. However, this was not relevant here as user damages are not available for breach of the old Data Protection Act 1998.
Mr Lloyd’s claim failed comprehensively on the points above, but the Supreme Court was broadly encouraging of the use of representative actions in appropriate cases.
Here it noted that the development of digital technologies has added to the potential for mass harm for which legal redress may be sought, and the need in such cases to reconcile, on the one hand, the inconvenience or complete impracticality of litigating multiple individual claims with, on the other hand, the inconvenience or complete impracticality of making every prospective claimant party to a single claim. The Court acknowledged that, in such cases, the only practical way to “come to justice” is to combine claims into a single proceeding and allow one or more persons to represent all others who share the same interest in the outcome: “it is better to go as far as possible towards justice than to deny it altogether”.
Whilst a detailed legislative framework would be preferable, the Court said its absence (outside the field of competition law) was no reason to interpret the representative rule restrictively. In relation to this, the Court made a number of points of interest:
On the issue of the “lowest common denominator”, the Court was prepared to assume, without deciding, that as a matter of discretion the Court could, if satisfied it was appropriate, allow a representative claim to be pursued for only a part of the compensation that could potentially be claimed by any given individual.
The Court recognised, however, that in the present case, the “lowest common denominator” would be an individual who only visited a website participating in Google’s DoubleClick network on one occasion and who never visited another website that was part of that network during the relevant period. Accordingly, the “lowest common denominator” user was someone whose internet usage – apart from one visit to a single website – was not illicitly tracked and collated and who received no targeted advertisements as a result of receiving a DoubleClick Ad cookie.
It is difficult to see how, with the bar set so low, any such claim could be anything other than worthless. The Supreme Court concluded that this “lowest common denominator” approach would not surmount the threshold of seriousness which on Mr Lloyd’s own case had to be crossed to support a claim under the old Data Protection Act 1998. Similarly, in relation to any claim for “user damages”, it decided that a licence given to Google to place cookies on the user’s browser but then not use any information about their subsequent browsing history would not have any value.
The decision comes off the back of two other recent decisions on data breach claims that may also discourage some data breach claimants.
In Warren v DSG Retail Ltd [2021] EWHC 2168, Mr Warren claimed £5,000 from DSG Retail following a hack on their sales terminals. The High Court dismissed claims for: (i) breach of confidence and misuse of private information on the basis they require positive wrongful conduct and there was no positive action by DSG Retail to misuse the information; and (ii) negligence on the basis there is no duty of care in negligence in respect of conduct covered by data protection law.
Mr Warren can continue to claim compensation under data protection law, but this raises a potentially significant procedural problem. Success fees and ATE insurance premiums cannot generally be recovered in connection with claims under the Data Protection Act 1998. Given Mr Warren’s ATE premium is reported to be significantly greater than the value of his claim, this suggests his claim is not economic.
In Rolfe v Veale Wasbrough Vizards [2021] EWHC 2809, a law firm sent an email to Mr & Mrs Rolfe demanding payment of outstanding school fees. Unfortunately, the email address was mistyped, and so the email was sent to another parent. The law firm immediately contacted the other parent who deleted the message. However, Mr & Mrs Rolfe decided to bring an action in the High Court alleging breach of confidence, misuse of private information, negligence and breach of the UK GDPR.
The claim failed. The Court concluded there was no evidence of any damage or distress over a de minimis threshold, dismissed the claim and, in light of the Part 36 offer made by defendants, ordered costs to be assessed on an indemnity basis (with an interim payment to be made of £11,000). Master McCloud stated: “There is no credible case that distress or damage over a de minimis threshold will be proved. In the modern world it is not appropriate for a party to claim, (especially … in the High Court) for breaches of this sort which are, frankly, trivial”.
The judgment is undoubtedly a blow to claimant law firms and funders and good news for businesses. There remain, however, some unanswered questions and it will be interesting to see what appetite if any there may be on the claimant side to test them. In particular:
Linklaters acted for the fifth intervener, the Internet Association, together with Christopher Knight of 11KBW.