On Wednesday 28 April and Thursday 29 April 2021, the UK Supreme Court will hear Lloyd v Google LLC, a hotly anticipated appeal which could see the rebirth of the CPR 19.6 representative claim vehicle for opt-out data privacy ‘class actions’.
A panel made up of Lord Reed, Lady Arden and Lords Sales, Leggatt and Burrows will decide whether, following the decision in Merricks v MasterCard  UKSC 51, the winds of group litigation continue to blow in a pro-consumer direction.
In May 2017 Richard Lloyd, a former Executive Director of Which?, issued a CPR 19.6 representative claim against Google for breach of its duties under the Data Protection Act 1998 (DPA) to around 4.4m affected iPhone users, for employing the so-called “Safari Workaround” in 2011-2012. The Workaround piece of code enabled Google to bypass Safari’s default privacy settings, set the DoubleClick Ad cookie on iPhones and track browser-generated information (BGI) without the users’ knowledge or consent to sell this for advertising purposes. Mr Lloyd sued on his own behalf and on behalf of the entire class of residents in England and Wales whose data was collected in this way.
Warby J dismissed Mr Lloyd’s application for permission to serve Google LLC outside the jurisdiction ( EWHC 2599 (QB)). He held that the claim did not disclose a basis for seeking compensation under the DPA because the claimant and other members of the class had not suffered ‘damage’ within the meaning of section 13 of the DPA. He rejected the claimant’s reliance on the reasoning in Gulati v MGN  EWCA Civ 1291 for an award of damages for the “loss of control” of private information. He also rejected the claimant’s alternative argument based on “user damages” (compensating the wrongful use of another’s property which has not caused pecuniary loss).
Warby J nonetheless considered whether the requirements of CPR 19.6 for a representative claim were satisfied. He held that they were not. First, he concluded that the members of the class did not have the “same interest” primarily because they were likely to have suffered different types of damage (or no damage) depending on their individual circumstances. Secondly, the judge considered that there would be significant issues with verifying whether any given individual fell within the class.
Finally, Warby J went on to exercise his discretion under CPR 19.6(2), and declined to permit the representative claim to proceed.
Court of Appeal
The Court of Appeal (Dame Victoria Sharp P, Sir Geoffrey Vos C and Davis LJ) ( EWCA Civ 1599) unanimously allowed Mr Lloyd’s appeal on all three grounds, granting him permission to serve out. The Chancellor gave the only substantive judgment.
On Issue 1, the Chancellor concluded that damages are in principle capable of being awarded for “loss of control” of data under section 13 of the DPA 1998, even if there is no pecuniary loss and no distress. In so concluding, he had regard to Article 8 of the Convention and Charter, GDPR and Gulati. Such an interpretation was required to ensure that an effective remedy was available. It mattered not that other non-compensatory remedies may in principle be available; no such remedies would be available in this case. Sir Geoffrey Vos C declined to decide the issue of whether the claimants could recover “user damages” but he expressed the view that this was at least “fairly arguable”.
In respect of Issue 2, whether class members had the “same interest” as Mr Lloyd, Sir Geoffrey Vos C held that Warby J had applied too stringent a test. Because the claimants had disavowed any reliance on facts specific to individuals (and were claiming a uniform per capita sum), it could be said that all claimants sustained the same loss, namely the loss of control of over their BGI. Sir Geoffrey Vos C dismissed Warby J’s concerns about identification, holding that each affected person would, in theory, know whether they satisfied the terms of membership of the class (with data held by Google assisting in this exercise).
As to Issue 3, the Chancellor held that in exercising his discretion not to permit the claim to continue, Warby J was not justified in taking into account either an alleged inability to identify the members of the class or the fact that the members of the class had not authorised the claim. The class was identifiable and class members do not have to authorise a representative claim. Accordingly, Sir Geoffrey Vos C exercised the discretion afresh and concluded that the claim should be permitted to proceed as a representative action.
Google appealed this decision wholesale, with the Supreme Court to consider afresh whether the respondent should have been refused permission to serve his representative claim against the appellant out of the jurisdiction on the three grounds that:
- members of the class did not suffer ‘damage’ within the meaning of section 13 of the DPA; and/or
- the respondent was not entitled to bring a representative claim because other members of the class did not have the ‘same interest’ in the claim and were not identifiable; and/or
- the court should exercise its discretion to direct that the respondent should not act as a representative.
At its simplest, the appellant asserts that Warby J was right and the Court of Appeal was wrong on every point. In contrast, the respondent believes that the unanimous Court of Appeal was on the money – that members of the class suffered damage by the “loss of control” of their data, which constitutes “same interest”, when taken at the lowest common denominator and subject to a de minimis threshold. Accordingly, the claim should proceed.
It is difficult to overstate just how significant will be the Supreme Court’s decision.
To put it starkly, if the Supreme Court reverses the Court of Appeal’s decision, this will be an access to justice issue. The ability for consumers to enforce their data protection rights will be severely limited and, in most instances, those much heralded rights will become meaningless. Data incidents are the paradigm example of harms affecting large numbers of individuals but with low potential damages, such that individually-issued claims are not economically viable. This is the raison d’être for ‘class actions’. And hence why group litigation orders (GLOs) are rarely an attractive option for mass data breach claims, BA and EasyJet data breach GLOs notwithstanding.
There is an argument that the Supreme Court unlocking CPR 19.6 would be a policy decision, allowing class actions to operate through the back door, in circumstances where the government has again refused to introduce an opt-out regime for data privacy claims under Article 80(2) GDPR. However, the CPR 19.6 vehicle exists already; the pre-CPR equivalent was in use in the nineteenth century. It was only a judgment in Markt & Co Ltd v Knight Steamship  AC 426 that drastically constrained the commonality requirement to a “same interest” test and so use of the vehicle. Indeed, the government appears to have endorsed implicitly the use of CPR 19.6, in its recent response to consultation on Article 80(2) GDPR, where it points to Lloyd v Google as demonstrating the potential for a form of representative action to succeed under the existing rules.
If the Supreme Court upholds the Court of Appeal’s reasoning, this will mark a seismic shift in in group litigation in this jurisdiction, with the true representative claimant ‘class action’ a prospect for viable data privacy claims with litigation funding in place. Such a decision would be consistent with the direction of travel, across the border in Scotland and in the EU, towards functioning class action regimes. Added to which, the pro-consumer competition decision in Merricks v MasterCard, albeit on a majority basis only.
The prospect of large scale data privacy litigation could also provide the necessary incentive for business to comply with the GDPR, in circumstances where the data protection regulators, both here and in Ireland (where many Big Tech entities have their EU main establishments), have been slow to hold the behemoths to account with penal fines; and where proposals for legislation to curb those excesses are still years away from being on the statute books.
The oft-repeated ‘floodgates’ argument is a non-starter, given the usual protections afforded by our legal system (not least of which is loser pays winner’s costs). That said, claims there will be. At the last count, at least five further CPR 19.6 data privacy claims have been issued and stayed pending the outcome of Lloyd v Google, against the likes of Facebook, YouTube, Marriott and TikTok, with more in the wings. So, much at stake, for consumers as well as for big business.
Emily Cox is a Partner and Head of Media Disputes at Stewarts