Overview
On November 10, 2021, the Supreme Court of the United Kingdom (UKSC) issued its landmark judgment dismissing a US-style, opt-out, “class-action” against Google LLC. (Google). In doing so, the UKSC rejected the Claimants’ argument that the loss of control of personal data has an intrinsic value capable of compensation. Instead, the UKSC held that each Claimant must establish that they have personally suffered material damage (i.e., financial loss or mental distress) resulting from an alleged breach of the Data Protection Act 1998 (UK). The decision is a significant win for Google and will be a welcome development for data controllers the world over. While data controllers will continue to face increasing activity from supervisory authorities, it is almost impossible for individuals to bring private damages claims because the legal costs of doing so will far exceed any damages recovered.
Background
On August 8, 2012, the United States Federal Trade Commission (FTC) commenced proceedings against Google in the United States District Court for the Northern District of California. In those proceedings, the FTC alleged that Google placed a cookie (the DoubleClick Ad cookie) on a device if the user visited a website that included certain Google-generated content.
The DoubleClick Ad cookie allowed Google to deliver and display targeted advertising. Google notified users that they could ‘opt-out’ of this targeted advertising by taking certain steps. However, Google told users of the Safari browser that “they did not need to take any action” to opt-out because “the Safari default setting ‘effectively accomplishes the same thing as setting the opt-out cookie.’” Notwithstanding those assurances, the FTC alleged that Google developed a workaround that had the effect of overriding the default settings within Safari. Specifically, it was alleged that Google placed an initial cookie relating to a user’s Google Account on the browser. Once the initial cookie had been installed, Google was able to install the DoubleClick Ad cookie. This two-step process has been referred to as the ‘Safari Workaround’.
On August 9, 2012, Google agreed to pay a record US$22.5 million civil penalty to settle the claim. On November 16, 2012, the District Court approved the proposed penalty.
Richard Lloyd v Google LLC
On the back of Google’s settlement with the U.S. FTC, Richard Lloyd issued a claim on behalf of himself and approximately four (4) million people that used iPhones between April 2011 and February 2012.
Mr. Lloyd alleged that Google breached section 4(4) of the DPA 1998. Section 4(4) of the DPA 1998 provides that “it shall be the duty of a data controller to comply with the data protection principles in relation to all personal data with respect to which he is the data controller”. Mr. Lloyd alleged that, by exploiting the Safari Workaround, Google had failed to comply with the first, second and seventh data protection principles.
As a result of the alleged breach of section 4(4) of the DPA 1998, Mr. Lloyd claimed damages under section 13 of the DPA 1998. Specifically, Mr. Lloyd sought damages on behalf of each person within the defined class but sought to do so without considering the facts specific to any one of them individually.
On November 29, 2017, Mr. Lloyd applied to the High Court of England & Wales for permission to serve the Claim Form on Google outside of the jurisdiction (i.e., in the United States). That application was opposed by Google. The High Court rejected Mr. Lloyd’s application concluding that there was no reasonable basis for seeking compensation under the DPA 1998 because the claimant had failed to allege a specific loss capable of compensation. Specifically, the Court held that sections 13(1) of the DPA 1998 required there to be a causal link between the infringement alleged and the damage claimed. Accordingly, for the claim to proceed, the claimant was required to identify some form of pecuniary loss or distress linked to the alleged breach.
Mr. Lloyd appealed the High Court’s decision to the Court of Appeal.
Court of Appeal Decision
On October 2, 2019, the Court of Appeal handed down its unanimous decision. In summary, the Court of Appeal held that the lower court was wrong to conclude that there was no damage. In this regard, the Court of Appeal concluded that a person’s control over data does have a value and, as a result, the loss of that control must also have a value. Without quantifying that loss, the Court of Appeal held that loss of control damages of the type claimed are compensatory in nature. In light of the factual matrix, the Court of Appeal also concluded that: (i) the represented class does have the same interest; (ii) that the class members are identifiable; and (iii) that the exercise of the judge’s discretion should be set aside.
For all of the above reasons, the Court of Appeal overturned the lower court’s decision and allowed the claim to proceed. Google sought, and obtained, leave to appeal the Court of Appeal’s judgment to the UKSC.
Supreme Court Decision
The Supreme Court hearing took place on April 28 and 29, 2021. On November 10, 2021, the UKSC handed down its unanimous decision overturning the Court of Appeal’s decision and, effectively, re-instating the High Court’s original decision.
In arriving at its decision, the Supreme Court was critical of the way in which the Claimant had formulated his claim for damages. Specifically, the Supreme Court observed that the Claimant sought to obtain damages for each class member on what was described as a ‘uniform per capita basis’ and without reference to the individual circumstances of each member of the claims. The Court rejected the idea that damages could be awarded on a uniform per capita basis. In particular, the Court observed that the “effect of the Safari workaround was obviously not uniform across the represented class.” For that reason, the Court concluded that “[i]f liability is established, the ordinary application of the compensatory principle would therefore result in different awards of compensation to different individuals.” In those circumstances, “the amount of compensation recoverable by any member of the class would depend on a variety of circumstances particular to that individual.”
Further, the Court also concluded that it is not enough for a data subject to prove a breach by a data controller of its obligations under section 4(4) of the DPA 1998. Instead, the Court decided that a data subject is only entitled to compensation if they can prove that they personally suffered damage as a consequence of the breach alleged. With respect to the type of damage, the Court concluded that “section 13 refers only to material damage” such as “financial loss or physical or psychological injury, but excluding distress.” As a result, the Court rejected the Claimant’s argument that data subjects were entitled to damages for ‘loss of control’ of their personal data.
The Court concluded that the claim was unsustainable as the Claimant had attempted to recover damages without proving either: (i) what, if any, unlawful processing of personal data occurred in the case of any individual; or (ii) that the individual suffered material damage or mental distress as a result of such unlawful processing. As a result, the Court determined that the Claimant’s claim could not succeed.
Implications of the Decision
The UKSC’s judgment in Lloyd v Google LLC [2021] UKSC 50 is now the leading authority on damages for breaches of data protection law in England and Wales. While the decision concerned the previous data privacy laws, the DPA 1998), it will apply equally to the current Data Protection Act 2018 (UK). The decision means that it is unlikely that data controllers will face significant numbers of private damages claims in England for breaches of data privacy laws.
Broader European Perspective
Separately, the concept of ‘damages’ under privacy laws is also being scrutinized at the European level. Specifically, the Court of Justice of the European Union (the CJEU) has a case pending that may harmonize the concept of ‘damages’ across all Member States. Among the questions raised before the CJEU are: (i) whether awarding of compensation requires, in addition to an infringement of provisions of GDPR, an actual damage to the plaintiff (or if the infringement in itself is sufficient to trigger compensation); and (ii) whether there are additional requirements under EU law for the determination of compensation for damages, in addition to the principles of effectiveness and equivalence. Depending on how the CJEU decides that case, it may result in the first actual post-Brexit divergences between the EU and the UK with respect to data protection.
In addition, there have been a number of claims brought in France and Belgium for breaches of the GDPR on behalf of data subjects. However, those claims have had limited success. In Belgium, for example, the consumer organization, Test-Achats, brought a claim against a technology company for breaches of data privacy laws. Test-Achats ultimately settled that claim with no monetary damages awarded to the class members. The limited ability to recover damages for these types of breaches drives consumers (and consumer organizations) to other causes of action (e.g., abusive clauses or commercially unacceptable practices). However, this could change in the future with the entry into force of the directive 2020/1828 in the European Member States (the Directive). The Directive is an important building block of the consumer package. It is expected that it will ease cross-border class actions, including privacy-related claims, providing a greater incentive for larger claims/pool of claimants.