On November 10, 2021, the UK Supreme Court ruled[1] that class representatives in data privacy class action suits need to prove damage or distress suffered to be successful. Compensation cannot be granted simply by virtue of proving that a company violated the law. The case was heard under the UK’s pre-2018 data protection law, but the UK GDPR arguably does not change the essence of the Court’s ruling.[2]
This judgement sets a rigorous standard for data protection class actions to be successful in the UK. Moving forward, any UK data protection class representative will need to substantiate actual damage resulting from a violation of the law.
Background
Richard Lloyd, a consumer activist, brought a £3 billion representative claim against Google LLC for allegedly collecting and using Apple iPhone users’ personal data between 2011 and 2012 without their knowledge or consent. The claimants argued that Google bypassed privacy settings on Apple iPhones by implementing the so-called “Safari workaround,” allegedly allowing Google to drop advertising cookies for its own commercial purposes.
Lloyd argued that Google acted in breach of its duties under the UK’s pre-2018 data protection law by placing cookies without the users’ consent or knowledge. In Lloyd’s view, this amounted to a “loss of control” of personal data for which compensation is payable. He brought these claims before the High Court in the UK in May 2017, seeking financial compensation for more than four million unnamed residents of England and Wales who were using an Apple iPhone between August 9, 2011 and February 15, 2012. The High Court rejected Lloyd’s claim, finding that alleged damage was unproven.[3] However, in 2019 the Court of Appeal reversed that decision, concluding that the claimants can recover damages for loss of control of their data without proving pecuniary loss or distress.[4] Google subsequently challenged this 2019 decision of the Court of Appeal before the UK Supreme Court.
UK Supreme Court Ruling
The Court unanimously refused to grant the compensation Lloyd was seeking. The Court found that Lloyd failed to prove: i) Google’s alleged misuse of personal data, and ii) that the concerned individuals suffered material damage or distress because of Google’s use of their personal data.[5] In addition, the Court found that the class members represented by Lloyd did not hold the same interest since the data allegedly unlawfully handled by Google differed between individuals.
Key Takeaways and Conclusion
- Proving damage. The Court held that in order to obtain compensation, claimants need to satisfy two conditions: i) that a violation of the law has occurred, and ii) that the violation caused damage to the individuals represented in the class. In this case, Lloyd failed to meet this two-step test.
- The need for individualized evidence of misuse. The Court further ruled that a claimant needs to establish entitlement to compensation for each concerned individual. Lloyd would therefore need to demonstrate each individual’s concrete damage on a case-by-case basis, taking into account the circumstances and the extent of the unlawful processing regarding that individual. The Court explained that, in exceptional circumstances, it might be possible to avoid proving damages suffered on a per-person basis, for example, in a class action where all individuals were equally overcharged for a product they purchased. However, in the current case, the Court found that the level of alleged injury varies between individuals.
- Pre-UK GDPR[6] regime. Due to the fact that the claim occurred in 2011 and 2012, Lloyd’s class action was governed by the 1998 UK Data Protection Act. However, as the right to compensation under the UK GDPR is based on similar grounds, the claimant would arguably also need to meet the above-mentioned, two-step test to be successful.
The Court’s decision will likely become a landmark, impacting pending UK class actions and creating an important precedent. As a result, future claimants will need to prove both the occurrence of violation and damage suffered.
Our privacy and cybersecurity practice routinely advises on EU/UK data protection issues and can help you tackle the challenges raised by this fast-moving area. For more information, please contact Cédric Burton, Jan Dhont, Lydia Parnes, Christopher Olsen, or another member of the firm’s privacy and cybersecurity practice.
[1] UK Supreme Court’s judgement in Lloyd v Google [2021], UKSC 50 (November 10, 2021), available at
https://www.supremecourt.uk/cases/docs/uksc-2019-0213-judgment.pdf.
[2] Section 13, Data Protection Act 1998 (DPA 1998).
[3] High Court’s judgement in Lloyd v Google LLC [2018], EWHC 2599 (QB) (October 8, 2018), available at https://www.judiciary.uk/wp-content/uploads/2018/10/lloyd-v-google-judgment.pdf.
[4] Court of Appeal’s judgement in Lloyd v Google LLC [2019], EWCA Civ 1599 (October 2, 2019), summary available at https://www.bailii.org/ew/cases/EWCA/Civ/2019/1599.html.
[5] UK Supreme Court’s judgement in Lloyd v Google [2021], UKSC 50 (November 10, 2021), par. 159.
[6] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, as applicable in the UK.