The representative action was brought by campaign group ‘Google You Owe Us’, led by Richard Lloyd, the former executive director of Which? Magazine. Lloyd was applying to serve proceedings on Google in the US, alleging that Google breached the principles of the Data Protection Act 1998 (the “Act“) through its “Safari Workaround”.
Following the court’s decision in Vidal-Hall v Google  EWCA Civ 311, there are clear arguments to be made that the Safari Workaround breached the Act, by collecting private data from individuals using Apple’s Safari browser on iPhones, without their knowledge or consent. However, the Lloyd decision makes clear that potential claimants still have a number of hurdles to overcome before they will succeed in recovering damages from Google.
The claimant sought compensation of up to £750 pounds for each of the 4.4 million affected individuals, potentially leaving Google facing liabilities of between £1 and £3 billion. This amount was said to reflect the benefit Google obtained from the data’s wrongful use. Lloyd’s claim was backed to the tune of £15.5 million by a litigation funder.
Why did it fail?
In order to obtain permission to serve the claim in the US, on top of certain procedural hurdles, Mr Lloyd needed to demonstrate that the claim would have a reasonable prospect of success, meaning that the underlying merits of the claim were sound and also that a court would allow his representative action to proceed. The court in fact held that:
- Mr Lloyd did not have a reasonable prospect of persuading a court that he, and other affected individuals, had suffered actual damage. Although English law now recognises that compensatable damage for data protection breaches need not be financial loss (it’s enough to show non-material loss, for example anxiety/distress/inconvenience), damage must still be proved to have actually occurred before damages will be awarded.
- Mr Lloyd’s claim did not identify any actual harm.Mr Lloyd also did not have a reasonable prospect of having his representative action accepted by the Court. The judge found that the affected individuals would not all have the “same interest”, which is required before a representative action can be recognised. He based this on the likely variations in the nature and extent of breaches, and the impact upon each individual.
- The judge also held that the resources required to try the claim would be disproportionate and allowing it to continue would not align with the Court’s “overriding objective” to deal with cases justly and at proportionate cost. Given the lack of an identifiable class of claimants, Mr Lloyd’s failure to plead actual damage and the relatively low level of damages being claimed on behalf of each affected individual, there was therefore also no “real issue” to be tried.
Mr Lloyd has sought permission to appeal the judgment, arguing that it has left no practical way for individuals to seek redress when their private data is used without consent.
What does this mean?
Much has been said about the likelihood of increased collective actions in Europe following the introduction of the GDPR in May 2018. Whilst this may well happen, this case serves as a useful reminder that here in the UK we remain some way off witnessing the development of a class action regime on the scale that exists in the US.
First it confirms that a rigorous test of standing will apply before a collective action will be allowed in the UK. Courts will expect evidence in pleadings to demonstrate that actual harm has been suffered (or is likely to be) and that a clear class of claimants has been adequately defined and identified. US companies will be familiar with the debate caused by the Supreme Court’s opinion in the Spokeo case, wherein similarly exacting requirements were applied to class action standing.
It also appears that the courts will expect a minimum threshold of damages to apply before they are willing to commit resources to hearing a trial. One comment made by the judge in the Lloyd case was that the main beneficiaries of the action would be the lawyers and the litigation funder. This dampens speculation that we will necessarily see more class actions as a result of increased litigation funding. It had been thought that, provided the total pot of recoverable damages is large enough for a funder to back an action, there would be no reason not to proceed. It now appears, however, that a second filter will need to be applied to the test – will the total pot remain large enough to impress a judge, once legal and success fees have been removed from it?
One final piece of food for thought: it is likely that, driving the court’s decision in Lloyd, was the decision made by Parliament when passing the Data Protection Act 2018 not to take up the opportunity provided by Article 80 (2) of the GDPR to permit representative actions to be brought for data protection breaches even without a data subject’s mandate. Indeed, the judge comments that “this claim is a contrived and illegitimate attempt to shoe-horn a novel “opt-out class action” into the representative action procedure.” The UK courts will continue to entertain collective actions, either by way of representative action or group litigation, only where affected individuals have consented to the action being brought on their behalf. Interestingly, though, following heavy pressure from campaigners prior to its introduction, the DPA 2018 has committed the UK Secretary of State to a review of whether data subjects should have to “opt in” by 2020, so Google and others would be well advised to watch this space….