Background to the claim
In this case, Mr. Lloyd alleged that, between August 2011 and February 2012, Google placed DoubleClick advertising tracking cookies on iPhones via the Apple ‘Safari’ browser without the consent of the iPhone user. The claimant alleged that the cookies were able to collect and aggregate considerable information about the affected individuals for the purposes of targeting advertisements.
Mr. Lloyd brought a claim against Google not only on behalf of himself but also on behalf of over four million individuals he claimed were affected by Google’s alleged activities and sought to serve the claim on Google out of the jurisdiction in Delaware.
The key legal points
The most interesting points in Lloyd’s claim were the following:
1) Lowest common denominator approach
First, he argued that under the Civil Procedure Rules, a representative action can be brought pursuant to CPR 19.6. This allows a claim to be brought by (or against) one or more persons as representatives of others who have the “same interest” in the claim. The claim can be brought on an opt-out basis, that is, there is no need for an individual to agree to be part of the claim in order to be represented in it. Lloyd argued that the court could therefore award damages to each individual represented by applying what the Court of Appeal described as the “lowest common denominator” approach, namely that each individual represented would receive in damages the amount due to the person least affected (in this case, Lloyd suggested the sum of £750 per person). Lloyd made this concession in order to be able to argue that all claimants had sustained the same loss. We have also subsequently seen various law firms and individuals in separate cases cite £750 as a purported magic number of what can be awarded by way of compensation.
2) Damages for “loss of control”
Second, Lloyd argued that under section 13 of the Data Protection Act 1998 (DPA 1998) (the applicable law at the time of Google’s alleged actions), damages could be awarded for the mere “loss of control” of data, even where no pecuniary loss (or distress) had occurred.
Google was successful in the High Court in 2018, but the first instance decision was overturned by the Court of Appeal in 2019, which held that Mr. Lloyd should be permitted to serve his claim on Google.
The Supreme Court judgment
The Supreme Court held last week that:
- Section 13 of the DPA 1998 “cannot reasonably be interpreted as giving an individual a right to compensation without proof of material damage or distress whenever a data controller commits a non-trivial breach of any requirement of the Act in relation to any personal data of which that individual is the subject,” and further, “the term ‘damage’ as it is used in section 13 does not include ‘distress.’”
- Neither damages for “loss of control” of data without any material damage or distress, nor “user damages” (which involve assessing what a user would have paid to use the rights – the usual way to assess damages in intellectual property disputes) are available in claims under section 13 of the DPA 1998. They may, however, still apply where claims rely upon the tort of misuse of private information.
- The “lowest common denominator” approach was not appropriate in this case. “Without proof of some unlawful processing of an individual’s personal data beyond the bare minimum required to bring them within the definition of the represented class, a claim on behalf of that individual has no prospect of meeting the threshold for an award of damages.”
As a result, the court ruled that Lloyd’s proposed representative action against Google could not be served on Google.
Key practical takeaways and future implications
This is, of course, a significant change from the previous Court of Appeal ruling and will inevitably be cited in many claims and as a defence to claims to come.
It is worth remembering, however, that this case concerned a procedural action to serve Google out of jurisdiction and, most significantly, that it concerned an alleged breach of the former DPA 1998 which has been repealed and replaced by the new Data Protection Act 2018 (DPA 2018) which has different wording. While many have been quick to cite the new judgment, it is important to factor in the nuances in determining the potential future impact it may have.
In general, however, despite the differences, the findings do seem to offer more arguments for pushing back on claims relating to low-level data breaches and may mean that the number of claims of this kind will decrease.
The key takeaways are as follows:
- Trivial claims are excluded
Claims for trivial and de minimis breaches are excluded under data protection legislation.
Even though this case concerned the DPA 1998, the decision is consistent with the direction of travel that the courts in this area are taking. In particular, the High Court recently ruled in Rolfe & Ors v. Veale Wasbrough Vizards LLP that, in relation to claims under the GDPR and DPA 2018, no remedy is available where “no harm has credibly been shown or [would] be likely to be shown” and that “in the modern world it is not appropriate for a party to claim (especially in the High Court) for breaches of this sort which are, quite frankly, trivial”.
- There must be proof of damage
Where a breach is “non-trivial”, a claimant will only be able to claim damages where they can prove that they have suffered “damage” (as defined under the appropriate legislation).
Under the GDPR and DPA 2018, persons whose rights under the GDPR are infringed are entitled to compensation where they have suffered “material or non-material damage”, the latter of which “includes distress”. However, again, like this latest judgment, the judgment in Rolfe v. Veale Wasbrough Vizards suggests that claims for distress may need to pass a de minimis threshold, as it was held that in trivial cases “where a single breach was quickly remedied”, “no person of ordinary fortitude would reasonably suffer the distress claimed”.
- There must be proven loss for all represented in representative actions
Many have been concerned that the GDPR may herald a wave of new representative actions. However, this ruling shows that representative actions of this kind seeking damages are not appropriate for claims of this nature.
It may, of course, still be possible to bring a representative action seeking a declaration of liability, including a declaration that any member of the represented class who has suffered damage by reason of the breach is entitled to be paid compensation. Damages could then be assessed individually at a later stage. However, in general, the scope for bringing representative claims on behalf of large numbers of individuals on an opt-out basis has now been reduced.
Client Alert 2021-294