Privacy & Information Security Law Blog

On November 10, 2021, the UK Supreme Court issued its long-awaited judgment in the Lloyd v Google case. The decision is expected to make it difficult in practice for a future class action lawsuit that is brought on behalf of a class of individuals who have not actively opted in to being represented by the lead claimant to proceed under UK law.

The Lloyd case concerned alleged violations by Google in 2011 and 2012 of the UK Data Protection Act 1998 (the “DPA”) in connection with the collection and use of the browser generated information of approximately four million UK-based Apple iPhone users. Lloyd alleged, on his own behalf, and on behalf of the approximately four million other iPhone users (who had not affirmatively agreed to be represented by Lloyd), that Google’s use of the browser generated information violated the DPA and sought compensation for the damage allegedly suffered. Pursuant to the UK’s Civil Procedure Rules, Lloyd was required to seek permission of the court to serve his claim outside of the UK against Google in the U.S.

In the first instance, Lloyd’s request to serve the claim on Google in the U.S. was rejected on the basis that it had no reasonable prospect of success and that the representative claim brought on behalf of the other claimants was inappropriate to the nature of the relief sought. That decision at first instance was subsequently overturned by the UK Court of Appeal, which held that the representative claim was appropriate and that there was a reasonable prospect of success of the claim, on the basis that mere “loss of control” of personal data was sufficient to give rise to a claim for damages under the compensatory scheme of the DPA.

The Court of Appeal’s decision was subsequently appealed by Google to the UK Supreme Court, on the grounds that (1) the facts pleaded by Lloyd could not provide any basis for a claim for compensation under the DPA; and (2) the court should not permit the claim to continue as a representative claim.

The Supreme Court ruled in favor of Google, finding that the representative claim against Google should not be allowed to proceed. In reaching its decision, the Supreme Court considered the following:

• The statutory scheme of the DPA does not permit recovery of compensation for the mere “loss of control” of personal data. Instead, compensation may be awarded only when a data subject has suffered some form of material damage (in practice, financial loss or distress) as a result of a violation of the law. Compensation will not be recoverable in relation to a violation of the law that does not result in tangible, material damage.
• The representative claim by Lloyd on behalf of the other affected individuals should not be allowed to proceed, as Lloyd was unable to demonstrate that each of those individuals who he represented in the claim had suffered a violation of their rights under the DPA and material damage as a result of that violation. As a general matter, a representative claim of the type advanced by Lloyd is appropriate only in circumstances where all members of the representative class have suffered the same loss, and it is not appropriate in circumstances where an individual assessment of the impact of the alleged violation on each member of the class is required.

Accordingly, the UK Supreme Court did not grant Lloyd permission to serve the claim against Google in the U.S., effectively bringing it to an end.

While the judgment considered provisions included in the DPA that were in force at the time of the alleged violation, equivalent provisions are included in the UK General Data Protection Regulation (“UK GDPR”), and the ruling is likely to be applicable going forward to representative claims advanced on the basis of the right to compensation that is included in the UK GDPR.

The decision will be welcomed by controllers because it (1) limits the future prospects of representative claims of the nature of that advanced by Lloyd, and (2) provides reassurance that mere technical breaches of the UK GDPR that do not result in material damage to data subjects are not a sufficient ground for a compensatory award. Going forward, actions for collective redress in relation to violations of data protection law in the UK likely will need to be based on the affirmative opt in of the represented claimants, and each claimant will need to demonstrate the material damage that they suffered.