Last week, the English High Court limited the availability of collective actions for data breaches to identifiable individuals who have suffered specific and discernible damage. In Richard Lloyd v Google LLC, the Court refused to allow a representative action alleging breach by Google of its duties under the Data Protection Act 1998 (“DP Act 1998”) to proceed. The Court reinforced the need to prove “damage” resulting from data privacy breaches in order to claim compensation and continued its policy of reluctance to permit English court procedures to be used to bring U.S.-style “opt-out” class actions.
The case reinforces the need to prove damage or distress when bringing data breach claims, as well as the hurdles involved in bringing representative actions in the English courts. It will also be relevant to claims for breach of the new Data Protection Act 2018 (“DP Act 2018”) (which has largely replaced the DP Act 1998) and could therefore serve as a deterrent to future claims.
Mr. Lloyd sought to bring a representative action for the breach by Google of the data protection principles in the DP Act 1998 (the “Claim”). He purported to do so on behalf of a class of millions of end-users in the UK (the “Class”) whose mobile browser data was collected by Google without their knowledge during 2011-2012. Google had used a technical mechanism to circumvent the security measures designed to prevent the collection of such data. As a result, millions of individuals unknowingly had their data processed and stored by Google.
The workaround had already resulted in a number of penalties and actions against Google in the United States – and in the UK with the high profile Vidal-Hall v Google case.
In order to advance the Claim, Mr. Lloyd needed the Court’s permission to serve his claim on Google in the United States. This required the Court to determine (among other things) whether the Claim had a reasonable prospect of success on two key questions of law, namely:
A basis for compensation?
Mr. Lloyd’s claim did not provide a specific figure in respect of damages claimed, but he advanced a figure of £750 per member of the class at an early stage in proceedings, making Google’s estimate of its potential liability between £1 billion and £3 billion. The Court concluded that there was no basis for Mr. Lloyd or the other members of the Class to seek compensation under the DP Act 1998; a claim for compensation under the DP Act 1998 requires actual damage to be sustained from a breach. Such damage need not be financial or material and could include emotional harm such as distress. For example, in Vidal-Hall, the intensely private nature of the information obtained by Google’s breach caused the claimants to suffer distress and anxiety, for which compensation could be awarded. In contrast, Mr. Lloyd had failed to articulate what (if any) material or emotional harm had been caused to him or the other Class members as a result of Google’s alleged breach. He claimed compensation for the fact of infringement, and resulting loss over control of his and the Class members’ personal data, alone. The Court rejected this position, noting that to allow such claims could open the floodgates to claims for trivial data protection breaches where there was nothing to compensate. Mr. Justice Warby commented in the judgment that:
“I do not believe that the authorities show that a person whose information has been acquired or used without consent invariably suffers compensatable harm, either by virtue of the wrong itself, or the interference with autonomy that it involves. Not everything that happens to a person without their prior consent causes significant or any distress. Not all such events are even objectionable, or unwelcome. In short, the question of whether or not damage has been sustained by an individual as a result of the non-consensual use of personal data about them must depend on the facts of the case.”
Given the similarity in the provisions for damages and distress in the new DP Act 2018, this approach is likely to continue under the new legislation.
Appropriateness of a representative action?
Mr. Lloyd sought to bring the Claim as a representative action on behalf of the Class, whose members were not identified nor involved in (or likely even aware of) the pursuit of the Claim. As such, the Claim was brought as an “opt-out,” U.S.-style representative action, which the English courts are generally reluctant to endorse. In this respect, it can be contrasted with the Vidal-Hall case, which was brought by three identified individuals.
The Court held that the Claim did not meet the requirements of a representative action set out in Rule 19.6 of the Civil Procedure Rules (“CPR”), and there was no reasonable prospect of it being permitted to proceed as a representative action, as:
“It would not be unfair to describe this as officious litigation, embarked upon on behalf of individuals who have not authorised it, and have shown no interest in seeking any remedy for, or even complaining about, the alleged breaches . . . [Mr Lloyd] should not be permitted to consume substantial resources in the pursuit of litigation on behalf of others who have little to gain from it, and have not authorised the pursuit of the claim, nor indicated any concern about the matters to be litigated.”
Having regard to the above, the Court refused permission to serve proceedings on Google in the United States. Mr. Lloyd has indicated his intention to seek permission to appeal the decision.
Looking ahead – the future of collective data breach claims
Given the increased prevalence of the topic of data protection and data breaches in recent years, particularly surrounding the implementation of the GDPR and high-profile data breaches, claims from individuals under UK data protection legislation seem increasingly likely and may result in companies incurring significant liability. In making clear that individuals need to have suffered actual damage as a result of any breach of data protection law, this decision confirms that the English courts will not entertain frivolous claims from individuals who find that their data protection rights happen to have been infringed but have been in no way negatively impacted. It remains to be seen whether this judgment curbs the number of data breach claims moving forward. We will continue to monitor the position, including the outcome of Mr. Lloyd’s appeal (if permission is granted).
The decision is also consistent with the approach of the English courts to prevent their procedures for collective claims to be used to bring U.S.-style “opt-out” class actions and makes clear that there are significant hurdles to the pursuit of such claims. Although the GDPR makes specific provision for non‑profit bodies to bring claims on behalf of individuals for breaches, it leaves it to Member State legislation to determine whether individuals need to “opt-in” to such claims. In keeping with its traditional position on such claims, the UK decided in the DP Act 2018 that individuals would need to “opt-in” to such actions, closing one possible avenue for “opt-out” data breach class actions. Notably, however, the provision is due to be reviewed by the UK Secretary of State by the end of 2020.
For the time being, the availability of collective actions for data breaches in the English courts is likely to be limited to identifiable individuals who have suffered specific and discernible damage.
  EWHC 2599 (QB)
  EWHC 13 (QB)  1 WLR 4155;  EWCA Civ 311  QB 1003