On November 10, 2021, the UK Supreme Court unanimously dismissed Mr Richard Lloyd’s attempt to bring representative proceedings against Google. Considered by the Court of Appeal to be a champion of consumer protection, Mr Lloyd sought damages for around 4 million Apple iPhone users under section 13 of the Data Protection Act 1998 (“DPA 1998”) after the unlawful processing of their data. He had suggested flat damages of £750 per user, which would have landed Google with a £3 billion bill.
In late 2011 and early 2012, Google secretly tracked users’ internet usage through the use of their “DoubleClick Ad cookie”. This cookie allowed Google to collect data about users, such as the sites visited, the date and time of access and the time spent on each site. By using their IP address, cookies could sometimes even track the approximate geographical location of users.
Since Google is a Delaware company, Mr Lloyd initially sought permission from the English High Court to serve outside the jurisdiction. Google challenged this request on two grounds:
Damages cannot be awarded under the DPA 1998 for “loss of control” of data without proof that it caused financial harm or distress; and
In any event, the claim is not likely to proceed as a representative action.
At the High Court, Warby J refused leave to serve the proceedings on Google, concluding that damages for data protection under the DPA 1998 cannot be awarded without proof that the breach caused the individual financial harm or distress. However, the Court of Appeal reversed this decision. The landmark judgment was delivered by Sir Geoffrey Vos, who said a representative action was the only way to obtain a civil remedy for compensation for “the massive and deliberate misuse of personal data without consent, undertaken in view of commercial profit”.
At the Supreme Court, Lord Leggatt gave judgment, with which Lord Reed, Lady Arden, Lord Sales and Lord Burrows agreed. In doing so, they allowed Google’s appeal.
Claim damages for the representative class
Except in the area of competition law, the UK Parliament has not enacted legislation allowing a single individual to seek redress on behalf of a class of people equally affected by the alleged wrongdoing. Mr. Lloyd therefore sought to rely on Part 19.6(1) of the Rules of Civil Procedure:
Where more than one person has the same interest in a claim (a) the claim may be brought; or (b) the court may order that the claim be prosecuted, by or against one or more of the persons who have the same interest as the representatives of any other person who has that interest.
Lord Leggatt first provided an in-depth analysis of class actions in English law with an explanation of previous case law and the treatment of representative actions in the Commonwealth.
He acknowledged that the development of digital technology adds to the potential for mass harm, and that it is therefore necessary to balance the inconvenience or inability to litigate multiple individual claims with a similar inconvenience or inability to make each potential plaintiff a party to a claim.
He then explained that the ability to claim damages in representative proceedings is limited by the compensatory principle, whereby damages are awarded in such a way as to place plaintiffs in the position in which they would have been if the wrong had not taken place. Doing so often requires individualized assessments. It was significant that Warby J found that “…some of the people involved were ‘super users’ – heavy Internet users. They will have been “victims” of multiple failures, with considerable amounts of [browser generated information] taken and used throughout the Relevant Period. Others will have had very little activity on the Internet”.
Mr. Lloyd, as Sole Representative, did not share the same interest as all affected persons in Google’s breach of duty and therefore could not bring a representative action on behalf of other affected persons.
The lowest common denominator
Mr Lloyd had also identified an “irreducible minimum harm” suffered by each member of the class he sought to represent and argued that this could provide the basis on which damages are awarded. This threshold of “minimum irreducible harm” could be reached if an individual had had access to a website participating in Google’s DoubleClick advertising service on one occasion.
Lord Leggatt summed up the lowest common denominator as “someone whose internet usage – except for a visit to a single website – has not been illicitly tracked and aggregated and who has received no targeted advertising as a result of receiving the DoubleClick Ad cookie”. On this basis, however, there would be no evidence that Google collected or used personal data relating to this person on which to found a claim for damages.
Claim damages for loss of control
Instead of showing material damage for each individual, Mr Lloyd asserted that an individual is entitled to recover compensation under Section 13 DPA 1998 whenever a controller fails to comply with any of the requirements of the DPA 1998 in respect of the personal data of which that individual is the subject, provided that the contravention is not trivial or de minimis.
Section 13 of the Data Protection Act:
13 (1) A person who suffers damage as a result of a breach by a controller of any of the requirements of this Act is entitled to compensation from the controller for that damage.
(2) A person who suffers distress due to a breach by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that distress if:
(a) The individual also suffers harm as a result of the contravention, or
(b) The infringement relates to the processing of personal data for a particular purpose.
When analyzing the wording of the law, Lord Leggatt said that it “distinguishes between ‘harm’ suffered by an individual and a ‘breach’ of a requirement of the law by a data controller, and provides for a right to compensation ‘for such damage’ only if the ‘damage’ occurs ‘due to’ the contravention”.
He then looked to EU law and Article 23 of the Data Protection Directive, which Section 13 of the DPA 1998 was meant to implement, to determine whether the term “damage” in Article 23 could be interpreted as extending beyond property damage and distress. He concluded that there was no reason to give the term “damage” a broader interpretation, since no authority had been cited in favor of such an interpretation, either generally in EU law or in the specific context of Article 23, nor had it been asserted that any laws had done so.
What next?
This case is undoubtedly a blow to claimants seeking to bring claims for damages in England and Wales for breach of data protection law. While Lord Leggatt considered only the legal provisions of the DPA 1998, which were superseded by the Data Protection Act 2018 (“DPA 2018”) following the introduction of the General Data Protection Regulation (the “GDPR”), in many respects the provisions of the DPA 2018 are no different from the statutory regime it replaced. Again, a distinction is made in the GDPR between the act causing the damage and the damage itself. In these respects, although debatable, it would not be unreasonable to expect the UK courts to take a similar approach under the new legislation to the approach taken in Mr Lloyd’s claim.
As members of the public become more aware of their data protection rights and litigation on this topic is on the rise, this case may also stem the tide of class action lawsuits and minor data breach claims currently under way, in particular because it could make third-party funders and ATE insurers more cautious in handling such cases. Even as the plaintiffs struggle to find a way around the representative class issue, this case also has a broader bearing on data protection claims more generally, as it demonstrates that damages cannot be claimed for loss of control in general and that claims must be material and provide actual evidence of damage.
Lloyd vs. Google joins a number of recent court rulings on triviality and other causes of action that are commonly invoked in addition to breach of data protection laws (see, for example, our own blog on Warren v DSG Retail Ltd  EWHC 2168 (QB) and The Inadvertent Data Breach blog published on January 20, 2022). Hopefully, given this trend in courtrooms, plaintiffs will begin to take a more targeted approach, reducing the number of speculative or trivial claims and focusing their firepower on the toughest or most flagrant violations, where there is something really worth fighting for.
 Lloyd v Google LLC  EWHC 2599 (QB)
 Lloyd v Google LLC  EWCA Civ 1599
Antonia Halliwell, trainee lawyer at Squire Patton Boggs, contributed to this article.
© Copyright 2022 Squire Patton Boggs (USA) LLP
National Law Review, Volume XII, Number 32