Lloyd v Google - has it opened the floodgates for data privacy class actions in the UK?

In its recent judgment in Lloyd v Google, the Court of Appeal has allowed an “opt-out” class action claim to proceed that relates to alleged infringements, by Google, of data protection law affecting 4.4 million iPhone users. By determining that damages can be awarded for a loss of control of data (even in the absence of financial loss or distress), the Court of Appeal has potentially opened the floodgates to data privacy damages claims in the English courts.

Background to the case

Richard Lloyd, a former editor of “Which” alleges that Google infringed data privacy legislation by its collection, collation and sale to advertisers of iPhone users’ internet browsing data, without consent. It is worth pausing to note that this case has not arisen out of a cyber security incident and it therefore has broad application to all organisations that process personal data about a large number of individuals. Lloyd is claiming damages representing an equal “tariff” of £750 for each person whose data privacy rights were allegedly infringed. At this stage the Court of Appeal was only considering whether Lloyd could be granted permission to serve proceedings on Google in the US (outside the jurisdiction) but this required it to consider whether the infringements alleged by Lloyd constitute damage and whether the claim could proceed as a class action.

What is interesting about the Court of Appeal’s decision? 

The Court of Appeal’s unanimous judgment in favour of Lloyd overturned the decision of Warby J in the High Court. There were three particularly interesting parts to the decision.

1. The Court held that damages should be available for ‘loss of control of data’ even where no financial loss or distress had been alleged. Up to now claimants have had to prove either financial loss or distress;

2. The claim was permitted to proceed as a representative action. The Court decided that the members of the class had the ‘same interest’ within CPR Part 19.6(1) despite there being differences between how much personal data of individuals within the class was affected; and

3. Although it was not necessary to decide in this case, the Court contemplated the availability of ‘user damages’. These are most usually applied in property/intellectual property cases where the claimant is ‘compensated’ by being awarded the amount they would have been paid for the ‘right to use’.

What does this mean? 

Unless overturned by the Supreme Court (Google has already indicated that it will appeal), the Court of Appeal’s finding could have some significant consequences for data privacy cases going forward.

The global trend of greater interplay between litigation and regulatory actions is likely to continue. Organisations will therefore be required to continue grappling with the question of how to deal with regulatory investigations co-operatively and to the satisfaction of those regulators without increasing their litigation exposure.

It is likely to be easier for representatives to bring class actions for data privacy claims. The lowering of the threshold for ‘damage’ to include a loss of control of data, without financial loss or distress, combined with the acceptance that all members of a class in a ‘loss of control’ claim can suffer the same loss is likely to make it easier for representatives to bring a class action. A lower threshold for evidencing ‘damage’ and an easier way to establish members of a class have the ‘same interest’ is likely to make the economics of class actions for data privacy claims favourable to litigation funders.

The law could continue to develop in the same way under the GDPR. Due to the timing of the allegations, the claim is being brought under the previous legislation, the Data Protection Act 1998, but the decision is likely to have significant consequences even under the GDPR/Data Protection Act 2018. This is particularly so as the Court of Appeal relied, to some extent, on a recital in the GDPR for support that data subjects should be entitled to claim for a ‘loss of control over personal data’.  Although arguably the reference relied on by the Court of Appeal is narrower than has been applied in this case, if the Supreme Court do not overturn the judgment on this point it will remain a powerful precedent for cases brought under the GDPR.

If you would like to read more, we have produced a more detailed briefing which can be found here.