The Supreme Court of the United Kingdom has delivered its long-awaited decision in the case of Lloyd  UKSC 50, rejecting an attempt to bring a representative claim for compensation for "loss of control" over personal data. The Court's ruling has far-reaching implications for UK class actions concerning data protection matters.
In 2017, Richard Lloyd brought a claim against an internet search engine operator, alleging that it had acted in breach of its duties as a data controller under the Data Protection Act 1998 (the "DPA 1998").1 Mr. Lloyd alleged that between August 2011 and February 2012, a "workaround" had been used to bypass his browser's blocking of third party cookies, and collect his personal data without his knowledge or consent. Mr. Lloyd sought to bring the claim on behalf of around 4.4 million allegedly affected individuals, under Rule 19.6 of the Civil Procedure Rules ("CPR"), which allows a representative action to be brought on behalf of a defined class of individuals who share the "same interest" in the claim.
Initially, the application was dismissed by Warby J in the High Court. Mr. Lloyd appealed to the Court of Appeal on three points:
- The Court of Appeal considered whether the judge was right to hold that a claimant cannot recover uniform "per capita" damages for infringement of their data protection rights without proving pecuniary loss or distress. It concluded that damages were recoverable where a claimant had suffered a "loss of control" over personal data, without needing to prove pecuniary loss or distress suffered.
- The Court of Appeal considered whether the judge was right to hold that the members of the class did not have the same interest under CPR Part 19.6(1) and were not identifiable. It held that the 4.4 million allegedly affected users did have the "same interest" under CPR 19.6, in that they had all suffered a loss of control over their personal data, and that they were identifiable, (notwithstanding practical challenges associated with such identification).
- The Court of Appeal considered whether the judge's exercise of discretion can be vitiated. It concluded that it was open to the Court to exercise its discretion afresh, and that the claim should be allowed to proceed.
On appeal, the Supreme Court was asked to consider whether Mr. Lloyd should have been refused permission to serve his representative claim out of the jurisdiction, on the grounds that:
- damages cannot be awarded under the DPA 1998 without proof of both: (i) a breach of the requirements of the DPA 1998; and (ii) material damage or distress resulting from that breach; and
- the claim in any event is not suitable to proceed as a representative action.
The Supreme Court unanimously allowed the appeal, restoring the dismissal of the application by the High Court. The Supreme Court held that Mr. Lloyd's claim was unsustainable as a representative action for damages. The Supreme Court noted that Mr. Lloyd could have adopted a bifurcated process, in which a representative claim is brought for the purposes of establishing an infringement of the DPA 1998, and then individual claims for compensation would follow. However, Mr. Lloyd did not take that approach – the Supreme Court presumed that this was due to the fact that such a strategy would not be an effective way to generate a financial return. Instead, Mr Lloyd attempted to bring the entire claim as a representative action.
An important aspect of Mr. Lloyd's claim was the argument that any non-trivial infringement of the DPA 1998 gives rise to a right to compensation for "loss of control" over personal data. Earlier cases established the principle that compensation for "loss of control" over personal data is available in the context of a claim for the tort of misuse of private information. However, Mr. Lloyd did not bring a claim for misuse of private information in this case, and the Supreme Court rejected the argument that claims for misuse of private information and claims for infringements of the DPA 1998 should be subject to equivalent rules. Accordingly, the Supreme Court rejected Mr. Lloyd's attempt to bring a representative claim for damages under the DPA 1998 while at the same time arguing that it was not necessary to demonstrate unlawful processing of personal data in relation to any particular individual, and that it was not necessary to demonstrate that any individual had suffered material damage or distress as a result of such processing. The Supreme Court also noted that the need to obtain evidence on an individual basis would be incompatible with Mr Lloyd's representative claim.
This was a complex case involving multiple interveners and substantial questions of law. English law has historically been reluctant to permit class action claims of the kind commonly seen in the US (and, more recently, Canada and Australia). As the Supreme Court noted, the only area of English law in which such a regime has been implemented is competition. In February 2021, the UK Government concluded, as part of a consultation and statutory review, that a class action regime was not necessary in the field of data protection.
While the Supreme Court's decision is clearly good news for controllers, it is important to note that this decision explicitly focused on the law that applied in 2011-2012, rather than the law as it currently stands. While it is possible that the same outcome would be reached under the UK GDPR and the Data Protection Act 2018, this is by no means certain. As claims for alleged breaches of data protection law are becoming increasingly common, businesses would be well-advised to keep an eye on developments in this space.
1 The DPA 1998 has since been replaced by the UK GDPR and Data Protection Act 2018.
Thomas Harper, a Trainee Solicitor at White & Case, assisted in the development of this publication.
This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2021 White & Case LLP