UK: Lloyd v Google – Game over for privacy class actions?

The Supreme Court has today comprehensively dismissed Mr Lloyd’s representative (opt-out) action brought against Google in connection with the Safari Workaround. The decision addressed two key questions:

  • Can compensation for “loss of control” be awarded under the old Data Protection Act 1998 without evidence of damage or distress? No. The Court decided that interpreting “damage” under the Act to include a pure “loss of control” claim was untenable.
  • Is a representative action a suitable vehicle for claims such as these? The Court was broadly encouraging of the use of representative actions in seeking, for example, declaratory relief going to questions of liability. The Court was also open, in principle, to their use in the pursuit of damages where certain types of uniform per claimant damages are sought, but not in situations such as this case, where an individualised assessment of damages is required.

The Supreme Court also considered the proposal to bring claims on a “lowest common denominator” basis. The Court could not see that the facts which Mr Lloyd aimed to prove in each individual case were sufficient to surmount any threshold of seriousness (which on his own case had to be crossed before a breach of the 1998 Act would give rise to an entitlement to compensation).

The judgment will be welcome news to most businesses. Together with the decisions in Rolfe and Warren (discussed below), it is likely significantly to curb some of the momentum that had been building around the potential scope for opt-out claims in data breach cases.

There are still some unanswered questions though. Notably, the Court confined itself to commenting on the position under the 1998 Act and declined to be drawn into discussing the UK GDPR - leaving the position there potentially unclear. And the precise scope of those cases where the class has suffered uniform damage or distress (in relation to which the Court indicated a representative action for damages could still be pursued) is also potentially unclear. Finally – and entirely unsurprisingly – we are still no closer to identifying the benchmark for compensation awards in data breach type cases, where some sort of damage or distress can be shown.

Background

This case arose out of the “Safari Workaround” - essentially Google’s use of a technical workaround to bypass the cookie settings on the Safari browser and place tracking cookies without an individual’s knowledge or consent. This was a breach of privacy laws by Google for which it was fined by US regulators.

Mr Lloyd launched a representative action against Google for this breach. The use of a representative action is important as it is a form of “opt-out” litigation - the claim is made on behalf of everyone who is a member of a particular class of claimant unless they opt out. It contrasts with a Group Litigation Order which is “opt-in” and requires individual claimants to decide to become parties to the litigation.

This opt-out structure meant Mr Lloyd’s claim was made on behalf of the more than four million affected individuals in England and Wales. Mr Lloyd suggested each claimant should receive approximately £750 in compensation, which would indicate a total potential liability for Google of up to £3 billion.

However, in order to bring a representative action, each class member must have the “same interest” in the claim. This means any compensation sought on behalf of each claimant needs to be the same. And this requirement led Mr Lloyd to argue that compensation should be available under the 1998 Act for a mere “loss of control” of personal data, without proof of any (further) damage or distress. In this way Mr Lloyd was able to frame his claim as one for a uniform per capita sum for each member of the class without reference to their individualised circumstances and based on a “lowest common denominator”. For the reasons set out below, this ultimately proved fatal to the claim.

The judgment in more detail – The claim for “loss of control”

The Supreme Court confirmed that there were a number of potential claims that could be advanced in relation to the “Safari Workaround”. Mr Lloyd could personally have:

  • claimed damages for distress under the old Data Protection Act 1998; or
  • claimed compensation for misuse of private information without the need to show any material damage or distress.

However, he chose not to advance either claim. As the Court noted, evidencing distress, or establishing that the affected individuals had a reasonable expectation of privacy (as required to make out a misuse of private information claim), would require an individualised assessment of the position of each member of the class, which was incompatible with the “same interest” requirement. Such claims could not, therefore, be brought by way of a representative action.

Instead, Mr Lloyd argued the courts could award compensation for “loss of control” of data under section 13 of the old Data Protection Act 1998 without the need to show material damage or distress. The Supreme Court rebuffed this suggestion in robust terms:

  • based on a purely domestic interpretation of section 13, this reading was untenable;
  • there was no requirement under EU law to interpret the law to allow for “loss of control” compensation. No authority was cited to the Court to support this broader interpretation; and
  • the argument that “loss of control” compensation should be available under the old Data Protection Act 1998 because it shares a “common source” with the tort of misuse of private information was misplaced. There were significant differences between the two such that no analogy could be properly drawn.

The Supreme Court noted that a claim such as this, relating to the Safari Workaround, would naturally lend itself to an award of “user damages” if it had been framed as a claim for misuse of private information. User damages involves assessing what fee a reasonable person would pay to use the personal data in question and using that to inform the level of damages awarded (see OneStep v Morris-Garner [2018] UKSC 20). Where a defendant’s very purpose in wrongfully obtaining and using personal information is to exploit its commercial value, the Court should not be “prissy” about awarding such compensation. However, this was not relevant here as user damages are not available for breach of the old Data Protection Act 1998.

The judgment in more detail – The use of representative actions

Mr Lloyd’s claim failed comprehensively on the points above, but the Supreme Court was broadly encouraging of the use of representative actions in appropriate cases.

Here it noted that the development of digital technologies has added to the potential for mass harm for which legal redress may be sought, and the need in such cases to reconcile, on the one hand, the inconvenience or complete impracticality of litigating multiple individual claims with, on the other hand, the inconvenience or complete impracticality of making every prospective claimant party to a single claim. The Court acknowledged that, in such cases, the only practical way to “come to justice” is to combine claims into a single proceeding and allow one or more persons to represent all others who share the same interest in the outcome: “it is better to go as far as possible towards justice than to deny it altogether”.

Whilst a detailed legislative framework would be preferable, the Court said its absence (outside the field of competition law) was no reason to interpret the representative rule restrictively. In relation to this, the Court made a number of points of interest:

  • Representative actions can include a claim for damages or some other form of monetary relief provided that no individualised assessment is needed – i.e. if the entitlement to damages can be calculated on a basis that is common to all members of the class. Examples given were of a claim that alleged every member of the class was wrongly charged a fixed fee, and a claim alleging that all the class members acquired the same product with the same defect which reduced its value by the same amount.
  • Scope for a bifurcated process: The Court noted that where damages required an individualised assessment, there could be advantages in establishing a bifurcated process where the first stage is a representative action to decide common issues of fact or law, leaving any issues which require individual determination – whether relating to liability or the amount of damages – to be dealt with at a subsequent stage of proceedings. Query however, the fundability of such a structure.
  • Class definition and identification of the class: Whilst Emerald Supplies Ltd v British Airways Plc [2010] EWCA Civ 1284 illustrated the general principle that membership of the class should not depend on the outcome of the litigation, the decision as to whether any practical difficulties in identifying class members are material must, the Court said, depend on the nature and object of the proceedings. On the facts, the Court said that “even if only a few individuals were ultimately able to obtain compensation on the basis of a declaratory judgment”, it could not see why that should provide a reason for refusing to allow a representative claim to proceed for the purpose of establishing liability.
  • Distribution of money: The Court noted that the recovery of money in a representative action could give rise to problems of distribution, including the legal basis for paying part of the damages to litigation funders without the consent of the members of the class. However, as these matters were only touched on in argument, the Supreme Court chose not to address them.

The judgment in more detail – Practical implication of a “lowest common denominator” claim

On the issue of the “lowest common denominator”, the Court was prepared to assume, without deciding, that as a matter of discretion the Court could, if satisfied it was appropriate, allow a representative claim to be pursued for only a part of the compensation that could potentially be claimed by any given individual.

The Court recognised, however, that in the present case, the “lowest common denominator” would be an individual who only visited a website participating in Google’s DoubleClick network on one occasion and who never visited another website that was part of that network during the relevant period. Accordingly, the “lowest common denominator” user was someone whose internet usage – apart from one visit to a single website – was not illicitly tracked and collated and who received no targeted advertisements as a result of receiving a DoubleClick Ad cookie.

It is difficult to see how, with the bar set so low, any such claim could be anything other than worthless. The Supreme Court concluded that this “lowest common denominator” approach would not surmount the threshold of seriousness which on Mr Lloyd’s own case had to be crossed to support a claim under the old Data Protection Act 1998. Similarly, in relation to any claim for “user damages”, it decided that a licence given to Google to place cookies on the user’s browser but then not use any information about their subsequent browsing history would not have any value.

Rolfe, Warren and the wider breach compensation industry

The decision comes off the back of two other recent decisions on data breach claims that may also discourage some data breach claimants.

In Warren v DSG Retail Ltd [2021] EWHC 2168, Mr Warren claimed £5,000 from DSG Retail following a hack on their sales terminals. The High Court dismissed claims for: (i) breach of confidence and misuse of private information on the basis they require positive wrongful conduct and there was no positive action by DSG Retail to misuse the information; and (ii) negligence on the basis there is no duty of care in negligence in respect of conduct covered by data protection law.

Mr Warren can continue to claim compensation under data protection law, but this raises a potentially significant procedural problem. Success fees and ATE insurance premiums cannot generally be recovered in connection with claims under the Data Protection Act 1998. Given Mr Warren’s ATE premium is reported to be significantly greater than the value of his claim, this suggests his claim is not economic.

In Rolfe v Veale Wasbrough Vizards [2021] EWHC 2809, a law firm sent an email to Mr & Mrs Rolfe demanding payment of outstanding school fees. Unfortunately, the email address was mistyped, and so the email was sent to another parent. The law firm immediately contacted the other parent who deleted the message. However, Mr & Mrs Rolfe decided to bring an action in the High Court alleging breach of confidence, misuse of private information, negligence and breach of the UK GDPR.

The claim failed. The Court concluded there was no evidence of any damage or distress over a de minimis threshold, dismissed the claim and, in light of the Part 36 offer made by the defendants, ordered costs to be assessed on an indemnity basis (with an interim payment to be made of £11,000). Master McCloud stated: “There is no credible case that distress or damage over a de minimis threshold will be proved. In the modern world it is not appropriate for a party to claim, (especially … in the High Court) for breaches of this sort which are, frankly, trivial”.

What next?

The judgment is undoubtedly a blow to claimant law firms and funders and good news for businesses. There remain, however, some unanswered questions and it will be interesting to see what appetite if any there may be on the claimant side to test them. In particular:

  • GDPR claims: The Supreme Court’s judgment does not directly address the position under the UK GDPR. There are several outstanding CJEU references that could extend the scope of compensation under the EU GDPR and the UK Courts “may have regard” to those decisions when interpreting UK law (section 6(2), European Union (Withdrawal) Act 2018).
  • Uniform effects: In light of the judgment, it is difficult to see how claims for damages in data breach cases can easily avoid the individualised assessment that is now the death knell to a representative claim (as the effect is likely to vary from individual to individual). But claimant firms and funders will be thinking hard about what claims - in particular outside of the data protection sphere - might lend themselves to a claim for uniform damages, so that they may still be pursued as a more profitable opt-out claim.
  • Revised class definitions: There may be scope in some cases to change the class definition in an effort to achieve an actual and uniform effect – i.e. rather than claim for all affected members, the claimants might just claim for a sub-class or even create tiers of classes. Indeed, the Court indicated that where there were different groups of people in relation to whom different issues arose, provided there was no conflict between them, two or more representative claims could be brought and combined in the same action.
  • Quantum: Whilst there is no claim for loss of control under the 1998 Act, it remains unknown what the value of data breach type claims may be, where some material damage and/or distress can be shown, for example in a Group Litigation Order opt-in context. This issue was not before the Supreme Court but the Court’s robust views on “lowest common denominator”, together with the High Court’s comments in Rolfe, may discourage the pursuit of less serious breaches. It also indicates that any suggestion that the starting figure for compensation for a data breach is £750, regardless of its seriousness, is fanciful.

Linklaters acted for the fifth intervener, the Internet Association, together with Christopher Knight of 11KBW.