You will have seen this week’s landmark decision of Lloyd v Google in the news.
Our friends at international law firm Milberg LLP (a market leader in consumer group actions) represented the claimant in the case, all the way to the Supreme Court. Milberg partner Edward Cardington talks us through the key points:
What was this week’s Supreme Court decision in Lloyd v Google about, and why was it important?
The core allegation in the case is that Google bypassed the default security settings on the Apple Safari browser on the iPhones of 5.4 million UK consumers in 2011 and 2012. This allowed Google to collect the consumers’ internet browsing history and serve them with targeted advertising, which is one of Google’s biggest revenue streams.
Mr Lloyd says that this was a breach of the Data Protection Act 1998 (“DPA”) and that the consumers are entitled to damages as a result.
The hearing before the Supreme Court related to a contested application to serve Google out of the jurisdiction in California and Delaware, USA. However, the test for service out is such that two important questions of law needed to be determined on the application and it became the fundamental battleground in the case. To briefly paraphrase those two questions:
- What is the extent of the representative action under CPR 19.6? Specifically, what remedies can be claimed by a representative claimant, only a declaration or also damages?
- Can damages be awarded for infringement of data protection rights without proof of actual loss or harm (termed “distress” in the DPA)?
The reason that these questions are important is that existing case law suggests that damages for infringement of data protection law are likely to be modest, tens or hundreds of pounds.
At that level of damages it is uneconomic to seek to bring the claim as a group litigation order (GLO), because of the costs involved. Mr Lloyd argued that bringing the claim as a representative action was the only practical way to give consumers access to justice and create the moral hazard for big tech companies in breaching our data privacy rights.
Why did the Supreme Court find in favour of Google?
Fundamentally, the Supreme Court took a narrow view of the damages available for breaches of the Data Protection Act (and now UK GDPR).
The Court of Appeal had found for Mr Lloyd, that damages were available to consumers for loss of control of their data, without proof of loss or distress.
The Supreme Court disagreed and held that damages were not available for breach of the right, but only if the consumer had suffered actual loss or distress.
As a result, claims relating to breaches of data rights will likely now only be available where the claimant has suffered loss or distress. Consequently, although the Supreme Court held that Mr Lloyd has a good claim on his own account, it did not think that the claims for damages by the rest of the represented class could be made good.
As to the representative action, the Supreme Court held that this was a flexible tool of procedure and could in principle be used here. However, damages will only be available on a collective basis where all of the claimants have suffered the same loss and no individual factual enquiry into damages is required on a per client basis (that is why Mr Lloyd framed damages in the claim this way).
Where an individual enquiry into damages is required, the Supreme Court found that a declaration of liability can be sought on a representative basis followed by individual enquiries into damages.
However, this is unlikely to be economic in data breach cases such as this and so effectively leaves the consumer with no remedy against big tech companies such as Google.
Could Lloyd v Google affect how big companies use our data?
In my view, it is a grievous blow to the ability of consumers to police their data rights. It can be seen from the press at present that there is a great deal of concern about the harm being done to consumers, particularly children, by targeted advertising and other online content.
At base, all of these issues rely on tech companies being able to collect our personal data, to understand our likes and interests and be able to serve us with content matched to those interests.
The ICO does an excellent job, but it is simply too big a problem for it to be able to police the whole data economy.
Creating a right to damages for consumer data breaches of a small amount is, in my view, an effective way of creating the necessary financial and moral hazard for these companies and allowing consumers to enforce their data and privacy rights (in the same way that a carbon tax will be much more effective in addressing greenhouse gas emissions than top down state directed legislation).
The Court of Appeal understood this problem. My view is that the Supreme Court felt it was a matter for primary legislation and such legislation is now urgently needed.
What is the likely impact on future data protection and other types of group action claims?
This is likely to make claims for data protection breaches more difficult and claims are likely to be limited to specific and serious harm (see for example the Vidal-Hall case which also relates to the Safari Workaround).
In contrast, where damages are for a larger amount or can be put on a uniform basis, the clarification of the representative action may make it a more useful tool for Claimant lawyers in the medium term.
Does the decision make group actions any less attractive in the jurisdiction?
I think it is neutral overall for group actions; it clarifies the extent of the representative action (which was a muddled morass of 150 years of somewhat inconsistent decisions prior to this).
However, it suggests that the senior courts still have some distance to go in understanding the pressing need to extend consumer protection in the new digital economy.