General Principle:
Under the prior Data Protection Act from 1998, financial compensation for "loss of control" could not be granted in the absence of proof of damage or suffering. The Court came to the conclusion that it would be unreasonable to construe "damage" under the Act to encompass a claim for "loss of control" alone.
The Supreme Court expressed a generally favourable attitude towards the use of representative class actions for the purpose of obtaining declaratory relief that pertains to issues of culpability, for instance. In the pursuit of damages, the Court was likewise open to their use in theory, but not in instances such as this one, where a personalised assessment of damages is necessary. The Court was not open to their use in the pursuit of damages where certain kinds of uniform per claimant damages were sought.
Name:
Lloyd v Google LLC [2021] UKSC 50
Facts:
This case concerned a privacy class action. The "Safari Workaround" was basically Google's use of a technological workaround to circumvent the cookie settings on the Safari browser and insert tracking cookies without an individual's knowledge or agreement. This is how this issue came about. Because of this violation of privacy rules on Google's part, the company was subject to a financial penalty imposed by US authorities.
Mr. Lloyd initiated this class action lawsuit against Google for their violation of the terms of service. The use of a representative action is significant due to the fact that it is a kind of "opt-out" litigation. This means that the claim is brought on behalf of everyone who is a member of a certain class of claimant unless they opt out of being represented by the representative action. In contrast, a Group case Order is "opt-in" and requires individual claimants to make the decision to become parties to the case in order for it to be implemented.
Due to the opt-out system, Mr. Lloyd's claim was lodged on behalf of the over four million people who were impacted in England and Wales. Mr. Lloyd recommended that each claimant should get around £750 in compensation; this would imply that Google might be liable for a total of up to £3 billion in total damages.
To launch a representative action, each member of the class must, nevertheless, have the "same interest" in the claim in order for the action to be brought. This indicates that any compensation requested on behalf of each claimant must be the same amount. As a result of this criterion, Mr. Lloyd argued that compensation ought to be granted under the 1998 Act for a simple "loss of control" of personal data, even in the absence of evidence of any (further) harm or suffering. Because of this, Mr. Lloyd was able to present his claim as one that was for a uniform per capita payment for each member of the class without regard to their unique circumstances and on the basis of a "lowest common denominator." This finally proved to be the claim's undoing for the reasons that will be discussed later.
Ratio:
The "Safari Workaround" was addressed before the Supreme Court, and it was established that there were a variety of possible claims that may be brought up in respect to it. Mr. Lloyd had the potential to individually have:
Demanded damages for distress under the previous Data Protection Act 1998; or
Claimed compensation for abuse of private information without the requirement to establish any tangible loss or suffering requested damages for anguish under the old Data Protection Act 1998.
Despite this, he decided not to pursue any of the claims. As the court pointed out, meeting the requirement that all members of the class have the "same interest" necessitated conducting an individualised analysis of the circumstances of each individual in the class. This was incongruous with the requirement that all members of the class have "the same interest." Because of this, demands of this kind could not be brought about by means of a representative action.
Instead, Mr. Lloyd contended that the courts might give compensation for "loss of control" of data under section 13 of the previous Data Protection Act 1998 even if there was no need to establish significant harm or distress. This provision was included in the 1998 act. This proposition was soundly rejected by the Supreme Court, which said as follows:
This reading was not viable because it was based on an interpretation of section 13 that was not applicable inside the United States;
Under EU law, there was no necessity to construe the statute to allow for "loss of control" compensation. The argument that "loss of control" compensation should be accessible under the previous Data Protection Act 1998 because it has a "common source" with the tort of abuse of private information was incorrect.
The court was not presented with any authorities to support this wider interpretation. Because of the many distinctions that existed between the two, it was impossible to make an accurate comparison between the two.
The Supreme Court made the observation that a claim such as this one, which related to the Safari Workaround, would naturally lend itself to an award of "user damages" if it had been structured as a claim for abuse of private information rather than a claim for the Safari Workaround. User damages are determined by determining how much a reasonable person would pay to use the personal data at issue and then basing the amount of damages imposed on that figure (OneStep v. Morris-Garner [2018] UKSC 20). The court should not be "prissy" about giving such compensation when the defendant's entire aim in improperly acquiring and utilising personal information is to exploit its economic worth. This is an example of a situation in which the court should not be "prissy." On the other hand, this was irrelevant in this scenario since user damages are not possible for breaches of the previous Data Protection Act 1998.
Jurisprudence
The tort of misuse of private information is centred on the preservation of human autonomy and dignity -- the right to control the dissemination of information about one's private life and the right to the veneration and respect of others (Campbell v Mirror Group Newspapers Ltd [2004] UKHL 22). In the majority of cases, as in Campbell, the only alleged 'misuse' is the publication or threatened publication of personal information to the general public. Frequently, the defendant is a media organisation or an individual attempting to disclose information through the media.
Nonetheless, a claim for misappropriation of private information may be brought for information that was disseminated less broadly if that would unjustifiably interfere with the claimant's right to privacy under Article 8 of Part I of Schedule I of the Human Rights Act of 1998 (HRA 1998). This implements the European Convention on Human liberties (ECHR) liberties.
However, the tort is not limited to the dissemination of information, as the 'phone hacking' litigation demonstrated. In these cases, the alleged wrongdoing included the unauthorised accessing of voicemails, and in Gulati v MGN Ltd [2015] EWHC 1482 (Ch), damages were awarded for the invasion of privacy resulting from the (admitted) accessing of voicemails through which private information was obtained.
The issue is invasion limit. Since every society has a moral framework, if that morality can be proven to be essential, then society is justified in employing the law to protect it in the same manner it preserves everything else required for its survival. Thus, it is impossible to theoretically restrict the state's capacity to legislate against immorality or designate inflexible no-go zones for the law. Society has a right to self-defense. So the issue of what damage a large company causes by violations of data protection law may be answered by asking what society would be like if more than half the people did that.
In light of recent concerns about the potential emergence of a 'compensation culture' surrounding low-value and/or minor violations of data protection law, the ruling in Lloyd v Google LLC [2021] UKSC 50 has been hailed as a resounding victory for businesses across the United Kingdom. On the other hand, privacy activists and consumer rights groups have been disappointed.
The judgement clarifies instances in which damages for data protection violations can be obtained under the DPA, as well as instances in which 'opt-out' class action lawsuits can be brought under the CPR. The explicit requirement for specific substantiation of the 'damage' alleged to have been experienced by individual plaintiffs in instances of data protection violations indicates that the courts will adopt a strict approach when determining damages in data protection claims. Nonetheless, the court provided guidance on aspects pertaining to required common interest and class definition. This may prove useful in future circumstances.
The decision is also significant for those interested in class actions in general. Although the court hinted at a degree of flexibility by making it plain that the representative claim procedure under CPR 19.6 could still be used in the future, the court has now raised the bar for potential claimants through this procedure by requiring proof of individual harm. In addition, the ruling raises concerns about whether litigation financiers will view as alluring the pursuit of future claims under CPR 19.6.
The Class Action
In recent years, there has been a growing impetus to enable individuals in the United Kingdom to initiate similar or identical claims against those they believe are culpable for misconduct. These claims are commonly referred to as 'class actions,' a term prevalent in US litigation, though they are also referred to as 'group actions' and 'collective actions'. However, the numerous terms refer to a variety of distinct processes. We use the term "class actions" as an umbrella term that concentrates on this situation in England and Wales.
It is essential to observe that the decision does not preclude group actions from proceeding, but rather clarifies the restrictive approach that will be adopted by the courts. In this analysis, the position in damages will be crucial. The court did not rule that Google (or, by extension, other data controllers) could not be held liable for harm caused to consumer groups, but the provisions of the DPA and the CPR did not correlate with the facts of the case. While Mr. Lloyd depicted the damage as being uniform, this was not the case when the remedy itself was not uniform: the breach suffered by each user (or user category) would vary.
Possible future alternatives to a representative claim include filing a class action. Class action plaintiffs have typically relied on group litigation orders to prosecute their claims. As they are 'opt-in' (i.e., individuals must take active measures to join the claimant group), they can be a less advantageous option for claimants due to the economic and administrative burden. This was the method by which a class action (subject to a group litigation order) was filed against British Airways in response to the 2018 cyberattack the airline suffered.
In the context of 'opt-out' class actions (such as this one), where there are fewer obstacles for claimants to overcome and the group of people represented may be significantly larger, this creates a greater financial risk for businesses, both in terms of the frequency with which such class actions may be filed and their size. Nonetheless, this decision underscores the potentially very substantial obstacles that litigants face in pursuing such a lawsuit.
Representative claims remain an option for litigants, but it is difficult to see how claims of this nature can easily escape the individualised assessment discussed in this case in light of this ruling. Even if the two-stage representative procedure suggested by Lord Legatt is followed (i.e. dealing first with liability and then bringing individual claims for compensation), in many cases it will not be financially feasible for individual claimants to pursue the second limb of this procedure due to personal financial circumstances or the possibility of opponents with deep pockets. Given that the initial phase of this procedure will not generate revenue, litigation financiers are unlikely to be attracted to it.
Undoubtedly, some litigants will surmount the obstacles presented. The decision provides an illustration of a product liability claim in which it could be argued that all class members received the same defective product that diminished its value. This is a useful illustration of the categories of situations in which the principles discussed in this case could be distinguished.
In light of this, it is probable that future class actions will seek to emphasise an alternative formulation of the damages position. To make 'opt out' claims more financially viable, litigants may pursue inventive alternatives to damages, such as bringing claims for subclasses of claimants. In the coming years, we anticipate the emergence of additional case law defining some of the potential means of falling within the scope of a successful representative action. Whether litigation financiers are willing to fund these claims is an entirely different question.
Floodgates
If the court's decision had opened the floodgates to opt-out data class actions, insurers would likely have raised premiums and changed the terms of future coverage (for example, they might have stopped covering class actions or only covered transfers of personal data between certain jurisdictions). The hope is that the cyber insurance market will be stable at least until the next time this kind of claim comes up. This is very important for data controllers, who depend on their cyber-insurance plans to move personal data around the world and deal with a never-ending stream of hacking risks. Without these policies, many people would not be able to pay the money needed to cover the costs of not following current data privacy laws.
Comments