In Lloyd v Google, the Supreme Court denied claims for mere 'loss of control' and ruled against mass class actions for data claims. Here, Philip Tansley and Matthew MacLachlan consider the court's reasoning and the broader implications for such claims.
In its landmark judgment today, the Supreme Court unanimously held that a representative class action brought on behalf of approximately 4.4 million iPhone users said to have been affected by Google’s “Safari workaround” could not proceed.
The judgment has significant implications for the future development of collective actions and data/privacy litigation in England and Wales.
In summary, the court found that:
In order for the representative claim to proceed, the claimant had to show that all prospective claimants had the “same interest”. In this case, the claimants did not have the same interest because, although the alleged breaches of the Data Protection Act 1998 (DPA) — the predecessor of the current DPA 2018 — were the same, the quantum of their claims for damages under section 13 would be different. Damages would depend on the length of time of the contravention, the quantity/sensitivity of data affected and the commercial benefit derived by Google, which would be different in each case. However, the court did leave the door open to similar claims by acknowledging the claim could have proceeded if it had simply sought a declaration that Google’s conduct breached the DPA, leaving the claimants’ rights to damages to be assessed in separate proceedings.
The claimant had attempted to address the requirement that the claimants had the same interest by arguing that they all had “lowest common denominator” claims for loss of control of their personal data. The court rejected this submission. It considered that the right to damages under the DPA only arose where the claimants could show material financial loss or distress. Although damages were recoverable per se in the tort of Misuse of Private Information (MPI), the same could not be said of DPA claims as the nature of the liability was fundamentally different and the basis for establishing liability in MPI claims was more challenging in other respects (i.e. it was necessary to prove on an individual basis a reasonable expectation of privacy and a positive act of misuse by the defendant).
A lot of businesses will be breathing a huge sigh of relief after this judgment as there was widespread concern that, if the Supreme Court followed the Court of Appeal’s decision, it would lead to a tidal wave of claims, not just against tech giants but also against many ordinary businesses which had suffered data breaches or had inadvertently breached data laws in other ways.
However, this is not necessarily the end of the story:
It remains to be seen whether claimant firms and litigation funders will simply switch their approach and seek to bring similar claims in two stages (firstly as collective claims for declarations of liability, then secondly as separate individual claims for damages). Whilst the judgment and a lot of early commentary suggest that this may make such claims unattractive to litigation funders, how claimant firms will react is difficult to assess at this stage. We also note that, in the US, it is common for data claims to settle once liability has been established without the need for a second stage of litigation, as it is unattractive for all concerned to have to deal with a large number of individual quantum claims.
Claimants may also turn their attention back to MPI claims given the right to compensation in the absence of a viable damages claim. However, MPI claims will not be viable for many as it is difficult to show a reasonable expectation of privacy and, in many cases such as data breaches, it is not possible to identify a positive act by the data controller which would form the basis of an MPI claim (see our recent note on Warren v DSG).
There is some helpful guidance regarding the standard of care applying to data controllers who are the subject of DPA claims and, by analogy, claims under the DPA 2018/UK GDPR. The court noted that claims brought for breach of the requirement under Article 5(1)(f) of the UK GDPR (implementation of appropriate technical or organisational measures) and/or exercising the defence under section 13(3) DPA and, by analogy, defences under Article 82(3) UK GDPR require the demonstration of failures “similar to” negligence rather than a higher standard of care, which is often alleged by claimants. This will be important guidance for clients who are facing claims arising from incidents such as data breaches.
The implications of the judgment should become clearer over the next few weeks. Watch this space for our further thoughts on specific aspects of the case and its implications.