. The irony about the case is that there has been unanimity about the result at every judicial stage, and yet now the case has landed on one of those long snakes and it is back to the bottom of the board – and, with the limitation period long gone, it has simply run out of steam.
The facts
The basic facts are well known. Mr Lloyd had brought a representative action against Google because it was said that Google had surreptitiously tracked the internet activity of millions of Apple iPhone users and used the data collected in this way for commercial purposes without the users’ knowledge or consent. A previous case had been brought by a number of individuals and had been settled. Both cases had required to be served outside of the jurisdiction and Google objected on the basis that the Lloyd case did not meet the required hurdles for such a claim – essentially, it did not have sufficient prospects of success.
The limited nature of the claim
An important aspect of the Lloyd case is that the only justification for an award of damages was the purported breach of section 13 of the Data Protection Act. This section required the showing of damage. The claimant’s argument on damage was that it was permissible to seek a uniform amount of damage on a per capita basis in relation to the loss of control of the data – without the need for the showing of any particular loss. The Court of Appeal described this approach as a “lowest common denominator” approach and accepted that it necessarily followed that some claimants -who would be able to show material damage – would essentially have to accept that their representative was not pursuing additional claims. In circumstances where the represented claimants had not given authority either to be represented – or to have their claims ignored – the uniform per capita approach appeared at best to be a pragmatic solution to the argument on loss..
What the case did not decide
Lord Leggatt did not dismiss out of hand the concept of asserting a nominal per capita amount (which he probably would have been able to do without too much difficulty) but that was because he did not need to – the claims, as asserted, simply had not been proved and so no amount of damage – on a per capita basis or indeed on any other basis – was available. Lord Leggatt also did not rule that the claims could not have been formulated as a representative claim. He did not find that differences within a represented group necessarily meant that a representative claim was not possible as a matter of law. He did not found his judgment on the “similar interest” requirement. Equally, the fact that damages was the required remedy was not a bar to the proceeding.
Mr Lloyd could have pursued a representative claim alleging the misuse of private information, or a breach of section 13, but what he did need to do was to plead the claim out and explain what Google had done wrong on an individual by individual basis. Of course, Mr Lloyd was not going to be able to do that, and his funder backers were not going to be willing to give him the budget to find out. But there is nothing wrong as a matter of principle in requiring precisely that he do that – the counter argument is, in brief, that a large group cannot be expected to prove these ingredients to complicated claims and so they can be dispensed with on the basis that the mere failure to process data correctly gives rise to a claim. Such a short cut is not available to data protection claims in the English courts, and nor should it be. There was of course an acknowledgement, perhaps through gritted teeth, that there was such an opportunity in the realm of competition claims, post Merricks,but it was evident that, absent Parliamentary intervention, there were no free passes in other disciplines. Even EU law could not come to the claimant’s aid because the available EU precedent did not avail the claimant on the basis that “damage” within the English data protection legislation meant something over and above the mere fact of the contravention or the breach of the underlying requirements.
The future of representative claims in the English courts
Lord Leggatt’s analysis of the available remedies for the class in this case made a number of points very clearly – firstly, the representative route arguably allowed for an “opt out” claim in circumstances where a group litigation order (the obvious alternative) only catered for “opt in” claims. Second, a bifurcated approach to the claim – seeking a declaration first and then proceeding to the quantum stage – could never be expected to work in relation to low value claims or claims where there was an appreciable risk that potential class members would not engage in the process. Third, a representative claim is going to encounter very real difficulties in proceeding if there is going to be a need for an individualised approach to the question of damages. In reality, this is because the Court is going to get bogged down in individual claims when it should be dealing solely with a representative. This is why the best representative actions are either for non-monetary claims like declarations or for the return of a fixed amount that is certain at the time of the claim – the return of a deposit or a fee.
Tying all this together, it is certainly not the case that the representative action – admittedly much underused – is now consigned to the judicial and procedural dustbin. All that has happened is that, yet again, a claim has been characterised as being fit to be a representative claim when it was not, in truth, ever suitable. It is not all that often that a unanimous Supreme Court has overturned a unanimous Court of Appeal, but it is perhaps a function of the yo-yo like nature of the attempts within the English judicial system to exercise its discretion in a principled and proper way in the field of consumer claims. The Lloyd case stands for the unobjectionable proposition that a claimant is going to have to prove that he/she has suffered specific damage in connection with the data loss – and he/she is going to have to show that on an individualised basis and cannot just say “I am not able or willing to do that so I am just going to choose an amount that I think is fair”. Whilst the attitudes to collective redress have been changing, they certainly have not changed to that extent.
From a funder’s perspective, data breach claims that are to be litigated in England need to be approached in the same way as any other collective group claim – you need to be able to demonstrate that each claimant has suffered a loss. This needs to be proved on an individualised basis. This does not mean that there will not now be data breach claims, but it means that those claims will be funded only on behalf of claimants who have genuinely suffered losses that are amenable to being compensated by the law. Such a result does not seem unreasonable – and indeed were it possible to proceed on the basis of simply accepting that damage flows from breach, you unacceptably omit the key criterion of causation.
In practice, it seems likely that English law representative claims will be confined to the type of situation where the representative has always been the representative of the group – ie both the representative and the group existed at the time of the accrual of the action. The underlying criticism of the Lloyd case – perhaps most graphically set out by Warby J– was that there was something inherently unattractive about both the representative and the group conveniently appearing long after the event, and possibly because funders and entrepreneurial law firms had thought that it was a good idea. As it was, Lord Leggatt could leave this issue out of account – he simply proceeded on the basis that the claim had no real prospect of success. Perhaps the issue will come along again to be examined by the English Courts when such claims clearly do have very real prospects of success but a fair reading of his speech is that justice would not be denied in those circumstances just because of the presence of a funder or an entrepreneurial law firm.
And, in honour of the US detective Columbo, just one more thing. The case was brought in the pre-GDPR (General Data Protection Regulation) era – it remains a very open question as to whether the English Court could have taken precisely the same approach if the focus of the judgment was the GDPR – this is because the GDPR specifically refers to the fundamental right for an individual to control his/her data and, importantly, under Article 82, provides that an individual can seek compensation in the case of non-material damage. You can see that an English Court will still wish to ensure that the concepts of causation and loss are addressed, but there are certainly some chinks in the armour…perhaps those funders and entrepreneurial law firms will still find a way…
It should be said, of course, that the EU’s new Directive on consumer representative actions that is being implemented throughout Europe over the next 18 months will mean that the divide between consumer protection in and outside of the EU will become even starker. The UK does not of course, post-Brexit, need to implement the Directive, and although the Government recently consulted on changes to the data protection legislation in respect of representative action, the questions in the consultation certainly didn’t give the impression that there was any desire to change the damages framework that underpinned Lord Leggatt’s reasoning.