Lloyd v Google: implications for funding mass data breach claims

In the third of our series on the Supreme Court’s decision in Lloyd v Google, we place the judgment in context and consider its implications from a litigation funding perspective.

The case concerned Google’s use of a technical workaround to bypass cookie settings on the Safari browser and track usage without individuals’ knowledge or consent. Backed by litigation funding, Mr Lloyd sought to bring a representative action against Google pursuant to the Data Protection Act 1998 on behalf of over four million iPhone users. 

A judgment in Mr Lloyd’s favour would have galvanised the representative actions regime in the field of data protection and beyond. It would have effectively established an “opt-out” data protection class action regime, in which claimants and funders could sue on behalf of large classes of affected individuals whether or not those individuals had (a) actively consented to a claim being commenced on their behalf or (b) suffered any financial loss or distress. The value of those claims, while very small individually, would be potentially huge when aggregated, and the complexity and cost of preparing them for trial (or progressing them to a settlement) would be a fraction of the potential total recoveries.

The Lloyd judgment frustrated those hopes on three fronts:

• it found that the Data Protection Act 1998 did not entitle claimants to compensation simply for the loss of control of their personal data. Claims still need to be supported by evidence of financial damage and/or distress;
• more broadly, it found that in any case where an individualised assessment of damages is required in order to establish what loss the claimant has suffered, use of the representative action regime will not be permitted. In effect, the Court said that in such cases, it cannot simply assume that all of the represented individuals have suffered the same loss as the person claiming to represent them – each case must be individually assessed and proven; and
• the Court also cast doubt on how a funder’s entitlement to payments from any damages recovered could be established without the individual consent of all class members (some of whom, particularly in large classes, would likely not even be aware of the claim).

What options remain for claimants and funders looking to bring a data protection group action?

First, there are still potential ways in which the representative actions regime could be applied in data protection cases:

• “bifurcated” claims structured in two parts: first, a representative action to establish common issues of law or fact in order to obtain a declaration from the Court that the defendant is liable; and second, follow-on individual claims to quantify the amount of the defendant’s liability to each claimant. The Supreme Court discussed this possibility in the Lloyd judgment; and
• claims under the GDPR or UK GDPR: Mr Lloyd’s claim was brought under the Data Protection Act 1998. The outcome would not necessarily be the same for a claim under the GDPR or UK GDPR, both of which contain recitals which appear to acknowledge loss of control of personal data as a separate, recoverable loss from financial loss and distress.

Second, claimants and funders could explore the other mechanism available under English law for mass redress: the group actions regime under Civil Procedure Rule 19.11. This requires the “opt-in” of each individual claimant and the initial preparation of claims can be time and labour-intensive. However, the regime is flexible and the Court will consider, for example, taking a small number of “lead” cases to trial before the main body of claims in order to minimise costs and encourage settlement by determining key points of dispute at an earlier stage. 

Third, some claims could be presented not as pure data protection law breaches, but as competition law breaches falling within the competition collective proceedings regime. The regime is particularly buoyant since the Supreme Court’s judgment in Merricks and five collective proceedings applications have been certified to proceed within the past year. In future, the government could decide to broaden the scope of statutory “opt-out” procedures specifically for data protection claims as well. However, that does not appear imminent given it declined to do so as recently as February 2021 and made no mention of such an extended regime in its consultation on data protection reform in September 2021. 

In short, while the Lloyd v Google judgment represents a setback for mass data breach claims in this jurisdiction, it has not eliminated them. For instance, a proposed opt-out representative action against TikTok under the UK GDPR has been maintained, with a strike-out hearing due in mid-June 2022. This, among other cases brought in the wake of Lloyd v Google, will be followed with interest.

Please find the first two articles in the series available via:

• Part one: No claim for loss of control of personal data without financial damage or distress, Fred Snowball (macfarlanes.com) 
• Part two: Where next for mass “opt out” claims in England & Wales?, Simon Day, Fred Snowball, Michael Freedman (macfarlanes.com)