On 10 November 2021, the Supreme Court dismissed the United Kingdom's first ever "opt-out" class action brought outside of the competition law sector, in Lloyd v Google LLC. The claim, seeking an award of damages of around £3 billion, was brought by consumer rights activist, Mr. Lloyd on behalf of some 4.4 million iPhone users for alleged breaches of data protection legislation. While the judgment means the end of the road for this particular class of claimants, it clarifies a number of important points about data privacy class actions, and the representative action procedure in general, leaving the door ajar for future actions.
Mr. Lloyd alleged that between late 2011 and early 2012 Google collected information from iPhone users without their consent, which it then offered to advertisers for the purposes of targeted marketing. Mr. Lloyd claimed that Google was in breach of its statutory duty under the Data Protection Act 1998 ("DPA 1998") and that the affected class of claimants were entitled to compensation for the loss of control of their own data which they had suffered by virtue of the breach. Quantification of damages had not been specifically addressed at this early stage of the proceedings, but Mr. Lloyd had previously proposed a uniform sum of £750 per person, which would yield an aggregate damages claim of some £3 billion.
Mr. Lloyd brought his claim as a representative action under Rule 19.6 of the Civil Procedure Rules (CPR), which essentially allows a representative to bring a claim on behalf of a class of individuals who have the same interest in a claim. The members of the represented class do not need to take any positive step, or even to be aware of the existence of the action, in order to be bound by the result. Accordingly, it is effectively an "opt-out" procedure.
As Google was based outside the jurisdiction, Mr. Lloyd required the Court's permission to serve the claim. Google argued that permission should be refused, on the grounds that the claim had no real prospect of success, because (a) damages could not be awarded under the DPA 1998 for a breach of duty without proof that the breach had caused financial damage or mental distress, and (b) the claim was in any event not suitable to proceed as a representative action. The High Court refused to grant permission, but this decision was overturned by the Court of Appeal. Google's appeal against the Court of Appeal's judgment was heard by the Supreme Court in April 2021.
The Supreme Court gave unanimous judgment in favour of Google, stating that the claim had no real prospect of success and hence refusing to grant permission to serve Google out of the jurisdiction.
In the judgment of the Court, which was given by Lord Leggatt, who had been a dissenting judge in the recent seminal Merricks v Mastercard decision (please see our alert), it was confirmed that the representative procedure adopted by Mr. Lloyd was a flexible one, which played an important role in ensuring access to justice. Consistent with the approach taken in several other common law jurisdictions (including Australia, Canada and New Zealand), Lord Leggatt confirmed that the absence of a detailed English legislative framework for an opt-out action outside the field of competition law was not itself a reason restrictively to interpret the representative rule.
Mr. Lloyd's claim, however, failed at the damages hurdle.
The Supreme Court rejected the argument that it could award a uniform per capita sum to each class member. Instead, the Court held that, in order to award damages, whether for financial loss or mental distress, it would require evidence of such loss or distress for each member of the class. The Supreme Court did not agree that the damage suffered by all class members was the loss of control of their data; instead, it found that Mr. Lloyd was wrongly conflating two different concepts: contravention of the DPA 1998 and the harm suffered as a result (if any). The argument that an individual is entitled to compensation wherever a data controller has committed a nontrivial breach of its duties under the DPA 1998 was, in the Court's view, flawed.
In practice, the Supreme Court's judgment means that, for any individual in the class Mr. Lloyd sought to represent in the action, there is no longer any realistic possibility of recovering any compensation for the alleged misconduct, not least because the limitation period for any individual actions has now expired.
The Court's insistence on individualised damages assessments was effectively fatal to the claim because of the practical difficulties which that would entail in this case. This is an important point of distinction with opt-out class actions in the UK antitrust space, in respect of which the Supreme Court recently confirmed that there is no such requirement.
The door arguably remains somewhat open for other cases under the representative action procedure as the Supreme Court suggested a fairly significant degree of flexibility in the procedure, and the Court's discretion to allow claims in light of the overriding objective. It also gave some helpful guidance on certain aspects relating to class definition and the necessary common interest which will be of assistance to practitioners and claimants going forward.
Whilst Mr. Lloyd faced particular challenges because of the statutory data protection framework under which his claim was brought, and the individualised nature of the damages enquiry, those challenges may prove to be less problematic in other contexts—for example, one can envision a class action in the product liability context in which it could be argued credibly that all the class members acquired the same product with the same defect which reduced its value by the same amount. And, of course, even in the data privacy space, it is not impossible to imagine there may be other cases where claimants are willing and able to provide the necessary evidence to allow for individual damages assessments.
Further, the Supreme Court specifically noted that, even where, as was the case for Mr. Lloyd, individual damages assessment is required, it could be theoretically possible to use the representative action procedure to obtain a declaration of liability. It may be that this is a suitable approach in some other cases, albeit there may well be, as there were in Mr. Lloyd's case, significant practical and economic challenges in such an approach.
There is no doubt that some of the claims which were waiting in the wings pending this decision will need to be discontinued; and no doubt other intended representatives will go back to the drawing board in terms of the way their cases are framed.
However, there may well be scope for class action claims to proceed using the procedure adopted by Mr. Lloyd, in particular outside the data privacy context. It may also be that, within the data privacy context, the legislature will consider statutory amendments if it considers that there should be a route to compensation for claimants in these types of circumstances.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.