On November 10, 2021, the UK Supreme Court issued a unanimous Judgment in Lloyd v Google LLC  UKSC 50, disallowing a data privacy class action. It has been widely reported that this decision is favourable for data controllers and unfavourable for consumers.
Lloyd v Google has wide reaching impacts on other areas of law and social policy.
Two broader implications of the decision are particularly concerning:
- The ability to bring claims in the UK on ‘large scale social issues’ is highly restricted.
- Technological innovation is outpacing English courts.
The result is that ‘tech giants’ are “too powerful” to be successfully sued in English courts, and can escape the consequences of large-scale rights violations.
Facts of the case
The claimant, Richard Lloyd, sought to pursue a ‘class action’-style claim on behalf of four million iPhone users in England and Wales. He alleged that between 2011 and 2012, Google cookies collected data on health, race, ethnicity, sexuality, and finance through Apple’s Safari web browser, even when users had chosen a “do not track” privacy setting.
Lloyd’s claim was only possible through “an unusual and innovative use of the representative procedure” in rule 19.6 of the CPR, which allows a claim to be brought by (or against) one or more persons as representatives of others who have “the same interest” in the claim.
Lloyd sought damages for these four million iPhone users, and claimed that Google’s actions were in alleged breach of the Data Protection Act 1998 (“the 1998 Act”). This Act has since been replaced by UK GDPR and the Data Protection Act 2018 (“the 2018 Act”).
The main issues considered by the Supreme Court were:
(i). Can “loss of control” of data amount to actionable damage without needing to identify any specific distress or pecuniary loss?
(ii). Does the class of individuals in question (i.e. the four million iPhone users) pass the “same interest” test as required for a representative action in England and Wales to proceed?
The Supreme Court dismissed Lloyd’s claim, and found in favour of Google.
In response to point (i), the Supreme Court stated at , that to receive compensation under the DPA 1998 a claimant needed to prove unlawful use of personal data and that they suffered damage.
Between  – , it was held that the term “damage” caused by ‘loss of control’ of data was to use the ‘traditional’ approach to ‘loss of control’, which refers to “material damage (such as financial loss) or mental distress” and not solely to “such unlawful processing itself”. Thus, the claim was dismissed as there was only ‘unlawful processing’ and no “damage” (at law).
In response to point (ii), the Supreme Court at  – , dismissed the idea that this class had the “same interest”. Lord Leggatt drew a distinction between cases where there are conflicts between class members, and cases where there are not. In this case, Lord Leggatt held the class was too wide to have the “same interest”.
- The ability to bring claims
Lord Leggatt quotes the trial judge in stating that the claim was: “officious litigation, embarked upon on behalf of individuals who have not authorised it”. This shows the conservatism of the Court in this case. It is unfair to call this ‘officious’ legislation. Lloyd’s case is best viewed as an attempt at an actio popularis, a form of public interest litigation, aimed to guarantee large scale human rights protection.
Although this would contradict with principles of tort law, the necessity in public law to address large scale social issues such as data breaches demands actions similar to the actio popularis. This is arguably an issue for Parliament, but the scale of the rights’ violation in this case meant the common law should have shown more flexibility.
The Supreme Court could have followed the 2019 judgment by the Court of Appeal (Lloyd v Google  EWCA Civ 1599). This judgment found that the members of the class were entitled to recover damages, based on the loss of control of their personal data alone.
Now, it will be easier to strike out claims on other ‘mass social issues’ in the UK – it will be difficult for an individual to bring a claim on behalf of a wider, representative group, as similar claimants are likely to be deterred.
For example, a similar claim against TikTok over how it collects and uses children’s data has now been put on hold, in light of this judgment. As a result, there is a risk that Lloyd v Google could leave vulnerable groups unprotected at law.
- The technology industry and the common law
Although broadly in line with common law principles, the decision shows a lack of foresight. Whether common law adjudication has the solution to modern data privacy issues is an open question – similarly to other areas of technology law, the industry is moving faster than the law.
It is important to note that this is a Supreme Court case being heard in 2021 about a dispute in 2011, which occurred under older legislation (the ‘1998 Act’ rather than the ‘2018 Act’). Given the current pace of innovation, the 10 year gap is monumental. Sir Geoffrey Vos, Master of the Rolls, in an extrajudicial speech on ‘crypto asset’ regulation, stated that when the industry moves faster than the law, this is at the law’s own peril.
There is a real risk here that the common law will fall behind the technology in terms of its pace, leaving large companies unaccountable for their breaches of human rights.