Out-Law Analysis | 10 Nov 2021 | 9:57 am | 12 min. read
The Supreme Court has rejected the notion that every data subject affected by a non-trivial data breach is entitled to an award of compensation for the mere “loss of control” of their personal data. Rather, the court has confirmed that an award of compensation for a non-trivial breach of the Data Protection Act 1998 can be made only if the data subject has suffered some form of material damage, i.e. tangible financial loss, or if they have suffered distress.
The Supreme Court also found that the claim raised against Google is not viable as a representative action for damages. Richard Lloyd, a former executive director of consumer watchdog Which? who brought the claim, expressly sought to disavow the individual circumstances of each of the millions of individuals who he said formed part of the represented class. The Supreme Court found this approach impermissible in principle. It said that, in order to advance a representative action on behalf of each member of the proposed represented class, Lloyd had to show that each of those individuals had both suffered a breach of their rights and suffered damage as a result of that breach.
Several other representative actions based on alleged data protection breaches have been on hold pending the Supreme Court’s judgment in this case. These include claims against TikTok, Facebook and Marriott Hotels. It now seems unlikely that litigation funders will have any appetite to pursue these claims.
Lord Leggatt’s comments on the availability of damages for loss of control may lead to a more general dampening of the claims market in this space
The case concerned Google's placing of advertising tracking cookies on iPhones using Apple's 'Safari' browser in England and Wales between August 2011 and February 2012.
The technical background is not straightforward. In essence, however, Google rolled out a new feature known as “social ads” on its now discontinued Google+ service. In rolling out this feature Google sought to protect user-privacy through segregation of data. Whilst this approach worked effectively on other browsers, there were difficulties in implementing the feature for users of the Safari browser due to Safari’s handling of third-party cookies. Google therefore identified a workaround to implement the feature on Safari browsers. However, a by-product of this workaround was that Google’s ‘DoubleClick’ advertising cookie was also set in a third-party context, even though Apple’s stated policy at the time was that this would not be possible with the Safari browser. On that basis it was alleged that DoubleClick cookies were set without the consent of users.
The claim was brought by Lloyd and funded by the third-party litigation funder Therium. Lloyd sought to bring the claim on behalf of several million individuals who he says were affected.
Procedural rules in England and Wales make express provision for “opt-out” class claims to be brought only in a competition law context. Lloyd’s team therefore sought to fashion the claim as a representative action under rule 19.6 of the Civil Procedure Rules. Rule 19.6 allows an individual to bring a claim on behalf of a wider class where all members of the class have the “same interest” in the claim.
This requirement for all class members to have the same interest prompted Lloyd to disavow each class member’s individual circumstances and instead to ask the court to award damages to each class member on a “lowest common denominator” basis. He contended that the lowest common denominator was the hypothetical person least affected by the breach, and that such a person, and every other class member, should receive an award in respect of their “loss of control” of their personal data, with the sum of £750 per person being suggested.
Because Google is a US company, Lloyd needed the permission of the English court to pursue his claim. Google contested that the claim should be allowed to pass this threshold stage, and the Supreme Court has now found emphatically in Google's favour. It is worth noting that because Google has never been required to serve a defence in the proceedings, much of Lloyd's case – for example as to how many individuals were affected, and to what extent – remains nothing more than untested assertion.
Google was successful in challenging the claim in the High Court. In his ruling, Mr Justice Warby found the legal basis of the claim – that compensation should be awarded essentially for the mere infringement of the claimant class’ rights – to be fundamentally circular. The judge said that “it would not be unfair to describe this as officious litigation” and that the claim should not “be permitted to consume substantial resources in the pursuit of litigation on behalf of others who have little to gain from it, and have not authorised the pursuit of the claim, nor indicated any concern about the matters to be litigated”.
However, the High Court’s decision was overturned in the Court of Appeal where all three judges were much more receptive to the idea that each claimant class member could be awarded a uniform sum for loss of control of their personal data on a tariff basis. This set up the Supreme Court appeal.
The Supreme Court’s decision ... identifies further challenges for claimants seeking to rely on misuse of private information in a data processing context
The judgment of the Supreme Court was given by Lord Leggatt, with whom the other four judges all agreed. The judgment includes a comprehensive survey of the case law on representative actions going back over 150 years. It is likely to be regarded as the leading case on representative actions and will be scrutinised by those interested in bringing such claims outside the data protection context.
Lord Leggatt considered the viability of the claim as a representative action in the context of this survey of the cases. Most significantly in this context, he stressed that the potential for claiming damages in a representative action is limited by the nature of the remedy of damages at common law.
In English law, damages “are awarded with the object of putting the claimant – as an individual – in the same position, as best money can do it, as if the wrong had not occurred”, Lord Leggatt said.
Though the judge said it was possible for a representative action to include a claim for damages where the represented class members had all suffered the same loss, for example if they had all been overcharged the same sum, or they had all been sold a defective product which was worth equally less in each instance due to the nature of defect, he considered that these scenarios are somewhat exceptional. He said that in most cases there will need to be an individualised assessment of what has happened to each individual class member and that a representative action is an unsuitable vehicle for this because individual class members do not participate in the action.
Lord Leggatt suggested that the claim could in theory have been advanced by way of a bifurcated process, i.e. in two stages.
The first of these stages would have involved Lloyd seeking a declaration that class members are entitled to damages, without seeking a payment of damages in this first stage. This would not have offended the principles outlined because the court would not have been required to assess damages on an individualised basis.
The second stage would involve individuals then seeking a damages award separately, on the basis of their own circumstances. Lord Leggatt speculated that although this would work in theory, it may be unattractive to the claimant side in practice because the first stage would not generate any return for the funders or those represented.
Lord Leggatt went on to consider Lloyd’s attempts to get around the difficulties of needing to show each class member’s individualised circumstances.
A crucial element of Lloyd’s attempt to bring his claim within the representative action procedure was the contention that a non-trivial breach of any data subject’s rights gives rise to an entitlement to compensation for “loss of control” of personal data. This argument was founded on the Court of Appeal’s judgment in the case of Gulati v MGN, which concerned systematic phone hacking by journalists from the Mirror Group.
Gulati was a case framed in the tort of misuse of private information, rather than under data protection legislation. In that case the Court of Appeal found that the claimants were entitled to damages for loss of control over their privacy rights, or loss of autonomy, and awarded substantial damages. Lloyd argued that because the tort of misuse of private information and data protection legislation are both rooted in the same fundamental right to privacy, the same approach to damages should be adopted for both causes of action.
Lord Leggatt rejected the approach contended for by Lloyd. He found that the proposed approach was fundamentally inconsistent with the wording of Section 13 of the Data Protection Act 1998, the legislation applicable at the time relevant to his claim.
Section 13(1) states: “An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage”.
Section 13(2) states: “An individual who suffers distress by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that distress if: (a) the individual also suffers damage by reason of the contravention...”
Two compelling points arise from the statutory language. The first is that the damage in respect of which the data subject seeks to recover must be suffered by reason of a contravention by the data controller. This plainly separates the notion of the breach, i.e. the “contravention”, and the damage resulting from it. Accordingly, conflating the two is incompatible with the statutory language.
The second point is that section 13(2) refers to two types of consequences of a breach by a data controller, namely damage and distress. On the original statutory wording, the latter was only recoverable in the event that the former could also be established. Lord Leggatt therefore held that the reference to damage in section 13(2), and by extension also 13(1), must logically mean something more serious than distress and must mean material damage such as financial loss. It followed that the statutory wording did not contemplate an entitlement to compensation for something less serious than distress, which a loss of control might be.
Lord Leggatt noted that section 13(2) has been disapplied since the Court of Appeal’s judgment in the case of Vidal Hall v Google, in which the court determined that it was inconsistent with the overarching EU directive from which it had derived. However, this does not affect the correctness of his judgment.
Lord Leggatt further held that the idea that misuse of private information and breaches of data protection legislation must have coterminous remedies since the rights in question are of common origin did not bear scrutiny. The tort of misuse of private information protects information which is established to be private in nature. In contrast, much personal data has no particular private character. In addition, Lord Leggatt’s judgment makes clear that the misuse of private information is a tort involving strict liability for deliberate acts, not a tort based on “want of care” or negligence. Accordingly, to provide the same remedies for both causes of action is not necessary or desirable.
Lord Leggatt identified other fundamental problems with Lloyd’s approach. Most significant amongst these was Lloyd’s contention that he should be required to prove only that a person met the criteria to be member of the represented class, and that all such persons should be treated as having suffered damage on a “lowest common denominator” basis.
In rejecting Lloyd’s construct, he said: “I cannot see that the facts which the claimant aims to prove [i.e. mere membership of the class] in each individual case are sufficient to surmount [the de minimis] threshold. If (contrary to the conclusion I have reached) those facts disclose ‘damage’ within the meaning of section 13 at all, I think it impossible to characterise such damage as more than trivial. What gives the appearance of substance to the claim is the allegation that Google secretly tracked the internet activity of millions of Apple iPhone users for several months and used the data obtained for commercial purposes. But on analysis the claimant is seeking to recover damages without attempting to prove that this allegation is true in the case of any individual for whom damages are claimed. Without proof of some unlawful processing of an individual’s personal data beyond the bare minimum required to bring them within the definition of the represented class, a claim on behalf of that individual has no prospect of meeting the threshold for an award of damages.”
For similar reasons, Lord Leggatt rejected Lloyd’s argument in relation to user damages, i.e. the idea that an award should be made to each class member based on a notional release fee in which they would have been prepared to allow Google to serve the DoubleClick cookie. Without an enquiry into who was affected and to what extent, this approach was also flawed.
Claimant lawyers and litigation funders, including those backing other representative actions which are currently paused, will no doubt pore over the judgment to try to identify whether representative actions in the data space could be viable notwithstanding the Supreme Court’s approach.
Lord Leggatt makes clear that his analysis relates to the position under the Data Protection Act 1998 and not the UK GDPR which, together with the Data Protection 2018, has superseded the 1998 Act.
Article 82(1) of the GDPR provides that a person who has suffered "material or non-material damage as a result of an infringement of this Regulation" should have the right to receive compensation for the damage suffered. In addition, Recital 85 states that "a personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned".
Two points arise from this wording. First, the language of the GDPR is similar to that of the 1998 Act in that it distinguishes between the act giving rise to the damage and the damage itself. The GDPR refers to the “infringement” rather than the “contravention”, but nothing turns on this. Secondly, although Recital 85 refers to loss of control, it does not contemplate that all infringements will give rise to a loss of control. The differences between the two regimes do not therefore appear to offer significant scope for distinguishing any new claims brought under the GDPR from the precedent now set by Lloyd v Google.
In any event, Lord Leggatt found that even if damages were available for loss of control, it would still be necessary to establish the extent of the unlawful processing in the case of each individual data subject, and this would render a representative action unviable. It is not clear, therefore, that a different approach to damages under UK GDPR would have any practical effect.
Similar difficulties are likely to arise if a representative claimant seeks to pursue their claim in misuse of private information, where the Gulati judgment established that a claim for loss of control damages is available. First, as Lord Leggatt points out, establishing a claim in misuse of private information may be more difficult given the requirements of the tort: the information in question must be private and the misuse must arise from a deliberate act, not merely a want of care. Further, these requirements and the extent of the breach would need to be established for each and every class member.
Following on from the High Court decision in Warren v Dixons earlier this year, the Supreme Court’s decision in Lloyd confirms that there are distinct differences between data protection and misuse of private information as causes of action, and identifies further challenges for claimants seeking to rely on misuse of private information in a data processing context.
The Supreme Court’s decision brings the position firmly into line with the outcome of the UK government consultation conducted last winter on the possibility of introducing a bespoke procedure for opt-out class actions in the data protection space.
In its report on that consultation, the Department of Culture, Media and Sport said in February 2021 that the case for introducing an opt-out procedure into law was not strong enough: “There is insufficient evidence of systemic failings in the current regime to warrant new opt-out proceedings in the courts for infringements of data protection legislation, or to conclude that any consequent benefits for data subjects would outweigh the potential impacts on businesses and other organisations, the ICO and the judicial system."
Finally, Lord Leggatt’s comments on the availability of damages for loss of control may also lead to a more general dampening of the claims market in this space, with a greater emphasis on the requirement for data subjects to show material damage or distress on an individualised basis.
David Barker led the Pinsent Masons team which acted for Google in this case.
07 Jan 2022
11 Jun 2021