Dr John Sorabji from Nine St John Street Chambers looks at Lloyd v Google LLC  EWCA Civ 1599, a decision which may lead to a new approach to class action litigation – if upheld by the Supreme Court.
The representative action (Civil Procedure Rule (CPR) 19.6) is rarely used as a means to litigate mass claims. The Court of Appeal’s decision in Lloyd v Google may be about to change all that, however. It is fair to say that it is likely to mark a watershed moment, bringing genuine ‘class actions’ to the forefront of mass litigation in England and Wales for the first time. From being rarely used, if the Court of Appeal’s decision is upheld by the Supreme Court, the representative action may become the default means of litigating mass data protection breaches.
Mr Lloyd brought proceedings against Google LLC, alleging breaches of the Data Protection Act 1998 (DPA 1998). He did so on his own behalf and, if permitted by the court, as the representative of approximately four million other individuals (the class) under CPR 19.6. The claim alleged that he and the class had all suffered damage for loss of control of their personal data from the alleged breach. Uniform damages were claimed for each class member, based on what Chancellor of the High Court Sir Geoffrey Vos described as “the lowest common denominator” – that is, they were limited to the same alleged loss, based on the same set of facts, for each class member.
The Court of Appeal decided three fundamental issues.
First, the court considered whether it was necessary, for the purposes of section 13 of the DPA 1998, to prove pecuniary loss or distress in order to obtain damages for a breach of data protection law. This was a question to be answered by reference to European Union (EU) law (see Vidal-Hall v Google Inc  QB 1003).
In Gulati v MGN Ltd (No. 2)  QB 149, the Court of Appeal had held that in claims for misuse of personal information (MPI) damages could be obtained for loss of control over the information, without proof of distress. Both MPI and data protection formed part of the core rights of privacy. As such, it would be inconsistent for the court to adopt different approaches to damages for them. Furthermore, EU law principles of equivalence and effectiveness pointed to the same approach for both, given their common basis in the right to privacy.
Damages were, subject to a de minimis threshold, thus recoverable for loss of control without proof of pecuniary loss or distress (Lloyd at ). This approach was also noted to be consistent with that which is now taken under the General Data Protection Regulation (GDPR) – see its recital 85, and section 169(5) of the Data Protection Act 2018.
In obiter the court went on to conclude that, in principle, “user damages” were also recoverable (One Step (Support) Ltd v Morris-Garner  AC 649).
2. Same interest
The main reason why the representative action has been so rarely used is the requirement that the represented class all have the “same interest” in the litigation. This means they must have suffered the same alleged harm and the same loss, without the possibility of a defendant raising specific defences against their claims.
Mr Lloyd satisfied this test because “lowest common denominator” damages were claimed. This meant the same facts were alleged for each class member. It also meant the same harm was alleged – that is, loss of control over their data – with uniform damages being claimed. As a result, no specific defences could be raised. Furthermore, because uniform damages were being claimed this was the type of claim where, unusually, damages could properly be claimed under the representative action. Where any specific class member wished to claim additional damages, they could “opt out” of the class and seek to be joined as parties to the action in order to claim them.
The Court of Appeal also held that each class member was, as was necessary to bring a representative action, properly identifiable at the outset of the proceedings (Emerald supplies Ltd v British Airways plc  Ch 48).
As the claim would enable compensation to be claimed for what appeared to be “clear, repeated and widespread breaches” of data protection law, it was not disproportionate for the claim to proceed as a representative action. In practice, it was the only way to pursue the claims. The court’s discretion was thus exercised in favour of allowing the claim to proceed as such.
The future: more actions, sub-classes and group litigation orders
If upheld by the Supreme Court, this decision is likely to have a significant impact on data protection claims, as it provides a clear basis for breaches of the DPA 1998 or GDPR involving loss of control of personal data to be taken forward as representative actions.
Where effective litigation funding is in place (either via third party funding or through the use of damages-based agreements) mass small claims for data breaches – which would not or could not be pursued on an opt-in, group litigation order (GLO) basis – will become viable.
Moreover, those claims that would otherwise have been pursued on an opt-in GLO basis, which would typically result in a limited number of victims of alleged breaches coming forward and claiming, can be pursued on an opt-out representative basis.
In both cases, the prospect of effective compensation for all those impacted by data breaches becomes a realistic possibility.
Sub-classes for representative actions
Lloyd v Google also provides a basis for representative actions to be pursued for different levels of damage. On the face of it, the judgment is only authority for lowest-common-denominator damages to be claimed on a uniform-damages basis. However, it is well-established that representative actions can be pursued by dividing the represented class into sub-classes (Duke of Bedford v Ellis  AC 1).
Imagine that a data breach resulted in a company losing control of two classes of data:
- Class A involves the loss of the class members’ names, addresses, email addresses and phone numbers
- Class B involves exactly the same loss and, additionally, the loss of its members’ credit card details.
Class A would be the lowest common denominator. Class B would be the lowest common denominator plus, or it could be described as the middle common denominator. In both cases, it can properly be said that the two classes have the “same interest”. The same facts, legal issues and defences will apply to both classes. The only thing that differentiates them will be the damages claimed. However, for both classes, or rather sub-classes, uniform damages could be claimed.
With large amounts of individuals’ data being held by companies (as is apparent from recent high-profile data breaches) it is highly likely that alleged victims could properly be divided into sub-classes in this way. If Lloyd v Google was “an unusual and innovative use of the representative procedure” (Lloyd at ), expect to see more innovation in claims for lowest-, middle- and, perhaps, highest-common-denominator uniform damages in the future.
And where individual class members opt out in order to claim higher individual damages based on their individual circumstances, as Sir Geoffrey Vos stated in Lloyd, we may well see the courts have to grapple with the issue of combining a representative action with a GLO – if the numbers who opt out in this way are significant.
Whichever way you look at it, data protection is likely to see the rebirth of the representative action. And that in turn may bring decade-old reform proposals back into the spotlight, so as to increase access to justice for mass small claims.