Google LLC v Lloyd [2021] UKSC 50

Mr Lloyd sought to bring a representative action against Google for alleged breaches of the Data Protection Act 1998, claiming Google secretly tracked iPhone users' internet activity via the 'Safari workaround' and used data commercially without consent. The Supreme Court held that compensation under the DPA 1998 requires proof of material damage or distress, and the claim could not proceed as a representative action.

Facts

Richard Lloyd, backed by commercial litigation funders, brought proceedings against Google LLC alleging breaches of the Data Protection Act 1998 (DPA 1998). The claim alleged that between August 2011 and February 2012, Google secretly tracked the internet activity of millions of Apple iPhone users in England and Wales through the ‘Safari workaround’, which bypassed default privacy settings on the Safari browser to place tracking cookies on devices without users’ knowledge or consent. The data collected was allegedly used for commercial advertising purposes.

Mr Lloyd sought to bring the claim as a representative action under CPR rule 19.6 on behalf of over 4 million iPhone users, claiming uniform per capita damages of approximately £750 per person without proving individual damage or distress.

Issues

Primary Legal Issues

The Supreme Court considered two main issues:

1. Whether compensation can be awarded under section 13 of the DPA 1998 for ‘loss of control’ of personal data without proof of material damage or distress.
2. Whether the claim was suitable to proceed as a representative action under CPR rule 19.6.

Judgment

The Supreme Court unanimously allowed Google’s appeal. Lord Leggatt, delivering the judgment of the court, held that the claim had no real prospect of success.

Interpretation of Section 13 DPA 1998

The court held that section 13 of the DPA 1998 requires proof that an individual has suffered ‘damage’ (material damage or distress) as a result of a contravention of the Act. Lord Leggatt explained:

To recover compensation under this provision it is not enough to prove a breach by a data controller of its statutory duty under section 4(4) of the Act: an individual is only entitled to compensation under section 13 where damage – or in some circumstances distress – is suffered as a consequence of such a breach of duty.

The court rejected the claimant’s argument that ‘loss of control’ of personal data itself constitutes recoverable damage under the Act. Lord Leggatt stated:

To say, as the claimant does in its written case, that what is damaged is the data subject’s right to have their data processed in accordance with the requirements of the Act does not meet this point, as it amounts to an acknowledgement that on the claimant’s case the damage and the contravention are one and the same.

Rejection of the Common Source Argument

The court rejected the argument that principles from the tort of misuse of private information (as established in Gulati v MGN Ltd) should apply to claims under the DPA 1998. Lord Leggatt identified significant differences between the two regimes, including that data protection law applies to all personal data regardless of whether there is a reasonable expectation of privacy, and that liability under the DPA 1998 depends on a failure to exercise reasonable care.

Representative Action

Even if compensation could be recovered without proving individual damage, the court held that the claim could not succeed as a representative action because the claimant sought damages without proving what wrongful use Google actually made of any individual’s personal data. Lord Leggatt concluded:

Without proof of some unlawful processing of an individual’s personal data beyond the bare minimum required to bring them within the definition of the represented class, a claim on behalf of that individual has no prospect of meeting the threshold for an award of damages.

Implications

This decision significantly limits the scope for ‘opt-out’ class actions in data protection claims in England and Wales. It confirms that:

• Compensation under the DPA 1998 requires proof of actual damage or distress caused by the breach, not merely proof of the breach itself.
• Representative actions under CPR rule 19.6 cannot be used to circumvent the requirement for individualised proof of damage.
• The principles governing damages for misuse of private information do not automatically apply to statutory data protection claims.

The judgment highlights the absence of a comprehensive class action regime for data protection claims in the UK and leaves affected individuals without an effective collective remedy where individual claims are too small to be economically viable.

Verdict: Appeal allowed. The Supreme Court restored the order of the High Court refusing permission to serve proceedings on Google outside the jurisdiction. The representative claim for damages under the Data Protection Act 1998 was held to have no real prospect of success.

Source: Google LLC v Lloyd [2021] UKSC 50