The Way The (Data) Cookie Crumbled: Lloyd v Google LLC, and How Australia is Tackling Privacy and Data Breach Litigation

Amy Cooper-Boast and Brooke Hall-Carney

Judgment was recently handed down by the Supreme Court (the UK’s final court of appeal for civil cases) in the important decision of Lloyd v Google LLC [2021] UKSC 50; [2021] 3 WLR 1268. The decision challenges the notion that one’s data, and the loss of control over it, has an inherent value which is actionable in its own right. It will be welcomed by Big Tech, other organisations that control data, and their insurers. The decision is a key case in the broader landscape of accountability of technology companies, and is indicative of the disparity in data protection and privacy rights across different jurisdictions. So, how does the data cookie crumble in Australia?

Overview

Google was alleged to have secretly tracked and collected the data of some four million Apple iPhone users in 2011-2012, without their knowledge or consent. This involved Google allegedly bypassing Safari’s default privacy settings, using third-party cookies to track browser-generated information, and then profiling and aggregating the information for sale for targeted advertising purposes, based on users’ interests, characteristics or beliefs.

The critical question raised by the appeal was whether compensatory damages could be claimed from Google for breaches of data protection legislation through the means of a representative claim, without providing proof of the loss incurred by each one of the millions of affected individuals. The decision of the lower appellate Court, which found in the claimant’s favour, had been seen as a boon for mass data breach claims and litigation funders. In a unanimous decision, the Supreme Court found in favour of Google, holding that individualised proof was required, for each and every iPhone user in the represented class, of both:

  • unlawful data processing by Google; and
  • the suffering of financial loss or mental distress as a result.

The Supreme Court’s judgment has implications for other mass data infringement actions on foot in the UK, which are reliant on the same representative procedure. This includes claims against Facebook, TikTok, Google-owned YouTube and other large digital platforms, many of which were stayed pending the outcome of Lloyd v Google LLC. The future prospects, and funding, of these claims remain to be seen as proceedings progress. The Supreme Court made clear that the representative procedure requires individualised loss assessment in the usual course, making it ill-suited to damages claims for mass infringements of data rights which seek to avoid that task. However, the case was also decided under s 13 of the Data Protection Act 1998 (UK) (DPA), which has now been repealed and replaced by the UK General Data Protection Regulation (GDPR) regime. There remains some scope for litigants to seek to test mass claims for data rights infringement before the courts under the UK GDPR.

In the US, unlike the UK, consumer class actions for privacy and data breaches are nothing new. In Australia, although a broad class action regime is in place, direct rights of action for breaches of data rights do not (yet) exist. However, the Australian Government is homing in on data protection and privacy through both changes to laws and available remedies, and increased enforcement attention from regulators.

The claim: an “Unusual Procedure” and an attempt to “Break New Legal Ground”

Mr Richard Lloyd issued a claim against Google LLC seeking compensation under the DPA s 13 for breaches of duties owed as a data controller under s 4(4). The claim was backed by a commercial litigation funder. Google has previously settled other actions in the US and the UK based on the same factual allegations (advertising tracking cookies used on iPhones and the ‘Safari workaround’). This proceeding was distinctive, however, for reasons of both procedure and principle:

  • First, the claimant attempted to bring what was akin to an ‘opt-out’ style of class action, when there were otherwise very limited avenues for collective redress in the UK. Unlike broader class action regimes available in the US, Canada and Australia, the UK’s statutory class action regime currently only extends to competition law. The alternative avenue, a Group Litigation Order, was not economically feasible for mass, low-value claims, as the legal costs of ‘opting-in’ would easily exceed the value of a given claim. The claimant had therefore commenced proceedings through “an unusual and innovative use of the representative procedure”[1] provided by Rule 19.6 of the Civil Procedure Rules (CPR), on behalf of all four million affected iPhone users in England and Wales. It was not necessary for anyone in the represented class to consent to, or even be aware of, the action – all that was required to bring the action on behalf of others was that each person had the ‘same interest in the claim’. While this representative procedure has a long history in England and Wales, it had not been tested on the question of the loss required to be shown in the context of a mass data rights breach.
  • Secondly, the claimant sought to “break new legal ground”.[2] In support of his case that there was no need as a matter of law for loss to be assessed on an individual basis for those represented, he submitted that the principles applicable to the assessment of damages in the tort of misuse of private information also applied to an action for compensation under s 13 of the DPA.[3] This would result in the meaning of “damage” in s 13 extending to consumers’ loss of control over their personal data. On the claimant’s case, a sum such as £750 should be awarded to each represented person on a “uniform per capita basis” for such loss of control. Multiplied by the number of people in the represented class, this would produce a damages award in the order of £3 billion.

Google’s arguments

As Google is a Delaware corporation, the claimant required leave to serve the claim outside the jurisdiction of England and Wales.

Google opposed the application for leave, contending that the claim had no real prospect of success. It argued that individualised proof of loss was required under the DPA s 13, and that the Court should not in any event permit the claim to continue as a representative action.

The decisions below

Leave was refused at first instance, with Warby J observing that the representative claimant “should not be permitted to consume substantial resources in the pursuit of litigation on behalf of others who have little to gain from it, and have not authorised the pursuit of the claim, nor indicated any concern about the matters to be litigated”.[4]

The Court of Appeal reversed that decision, and described the litigation as the only way of obtaining compensation for the alleged “wholesale and deliberate misuse of personal data without consent, undertaken with a view to commercial profit”.[5]

Supreme Court’s ruling in Google’s favour

The Supreme Court unanimously allowed Google’s appeal and restored Warby J’s order. The attempt to recover compensation without establishing what, if any, unlawful processing occurred, or what loss was suffered in respect of the individuals involved, was “doomed to fail” (at [8]).

Key finding

In order to recover compensation under the DPA for any given individual, it would be necessary to show that:

  • Google made use of personal data relating to that particular individual, in contravention of any of the requirements of the DPA (where the contravention was more than trivial or de minimis), and
  • as a result of that contravention, the individual suffered ‘material damage’ (such as tangible financial loss) or mental distress (at [8], [138], [144]).

Representative procedure

The Supreme Court observed that the representative procedure under CPR Rule 19.6 was suited to determining initial questions of liability, or damages claims for uniform losses (where, for example, all persons in the represented class had wrongly been charged the same fixed fee). In the ordinary course, however, the representative procedure was subject to the usual common law compensatory principle, which requires assessments of loss for each individual in the represented class (at [80]).[6]

The action against Google was not a case where all persons’ losses would be uniform – there was significant variance in the internet usage, circumstances and attitudes of the iPhone users, and the 17 types of data allegedly collected from them (including sensitive personal data, such as ethnicity and sexuality, in some cases). Since the users were not participating in the proceeding, the need for individual assessment of loss presented an obstacle in the representative claim against Google. As the Supreme Court noted (at [106]-[107]), obtaining evidence for each affected individual would be “incompatible” with the representative claim being asserted.

Privacy tort vs data protection legislation

In seeking to overcome the obstacle posed by individual loss assessment, the claimant’s case was that, given that the tort of misuse of private information[7] and the data protection legislation were both rooted in the same fundamental right to privacy, the same compensatory principles should apply under both regimes. Applying those principles, it was argued, compensation should be payable under s 13 for any breach by Google of the DPA – being an interference with users’ right to privacy and a “loss of control” of their personal data – regardless of whether any separate damage or distress was suffered. This argument was supported by the Information Commissioner, who intervened in the proceedings given their significance, and had been accepted by the Court of Appeal.

The Supreme Court rejected this argument. It was not persuaded by the analogy between the common law privacy tort and the data protection legislation. In view of significant differences in their nature and scope, it was inappropriate to read across the principles governing damages from one regime to the other (at [129], [135]).  Further, as a matter of statutory interpretation, the DPA s 13 could not properly be construed as conferring a right to compensation for breach alone, without proof of the loss caused by the breach (at [113]).  “Damage” under s 13 therefore did not extend to mere “loss of control” over personal data.

Observations

Litigating claims for data misuse

The economics of litigating will be strongly influential in deciding whether, and how, to proceed in claims for data misuse. As noted by the Supreme Court, “the development of digital technologies has added to the potential for mass harm for which legal redress may be sought” (at [67]). Mass data rights breaches will typically affect different consumers in different ways. The ruling in Lloyd v Google LLC that such consumers cannot be compensated in a uniform way impacts the economic viability of pursuing, and funding, such actions under the UK’s representative procedure, at least in the context of a DPA breach.

In data misuse claims generally, the strategy to be employed will be dependent on whether a claim comprises significant actionable loss incurred by a party or any identifiable sub-group, or comprises a large number of smaller-value claims. The viability of a claim from both a claimant and litigation funding perspective requires close examination of the cause(s) of action to be brought, the available procedural regimes, whether there is a need to investigate and establish breach, causation and loss on an individualised (or collective) basis, and the utility of any bifurcated process (in which liability is determined first, and damages claims pursued separately).

The Australian position

In Australia, in contrast to the UK and other jurisdictions, there are currently no direct statutory rights of action enabling litigants (whether in an individual or collective action) to seek damages for infringement of their data rights. There is also no well-established common law tort of invasion of privacy.

However, reform is imminent. The Australian Government is currently undertaking a review of whether the scope and enforcement mechanisms under Australia’s Privacy Act 1988 (Cth) (Privacy Act) remain fit for purpose.[8] Under current consideration are the creation of a direct statutory right of action to litigate claims and seek damages for breaches of the Privacy Act, and a statutory tort for invasion of privacy. The scope of any such causes of action remains to be seen. Key questions arise as to the nature and degree of breach and loss required, whether loss of control of personal information will be actionable in its own right (as argued unsuccessfully in Lloyd v Google LLC), the applicable principles and procedures governing a right to obtain damages, and the availability of any defences. In the meantime, tech giants such as Google are already subject to private litigation before the Australian courts in other areas of law, including competition, consumer and defamation cases, as well as regulator action.

Tightened data privacy and protection laws are also afoot. An exposure draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (Cth) proposes a binding online privacy code for social media platforms, data brokerage services and large online platforms (such as Google, Apple, Amazon and Spotify). In addition, the Bill contains significant penalty increases for all entities regulated by the Privacy Act. Maximum civil penalties for bodies corporate would increase to an amount not exceeding the greater of (i) AUD10 million; (ii) three times the value of the benefit obtained from the conduct constituting a serious and/or repeated interference with privacy; or (iii) 10% of annual domestic turnover, if the benefit cannot be determined.

Such reform measures, and the wider privacy law review underway, seek to bring Australia closer into line with data protection frameworks in other jurisdictions, enhance privacy protections, deter misconduct, and increase accountability for data governance and safe practices. This looks set to be achieved by both increasing regulator enforcement, and opening the door to direct litigation by claimants for data and privacy breaches.

[1] [2019] EWCA Civ 1599; [2020] QB 747, [7].

[2] [2021] UKSC 50; [2021] 3 WLR 1268, [108].

[3] In the media phone hacking case of Gulati v MGN Ltd [2015] EWCA Civ 1291; [2017] QB 149, the Court of Appeal affirmed, in respect of the privacy tort, that a court may award damages to compensate a claimant for misuse, and loss of control of the use, of their private information (at [45]).

[4] [2018] EWHC 2599; [2019] 1 WLR 1265, [102]-[104].

[5] [2020] QB 747, [86].

[6] By contrast, under the UK regime permitting class actions for competition law infringements, assessment of loss has been radically altered by statute, and proof of loss suffered by the class as a whole will suffice.

[7] The tort of misuse of private information was not pleaded as part of the claimant’s case. This was presumed (at [106]) to be because establishing liability for the tort would have required evidence to be adduced, in respect of each individual class member, that a reasonable expectation of privacy was held.

[8] See the Australian Government Attorney-General’s Department ‘Privacy Act Review – Terms of Reference’ (October 2020), ‘Privacy Act Review – Issues Paper’ (October 2020) and ‘Privacy Act Review – Discussion Paper’ (October 2021).
