Skip to content

Beyond Lloyd v Google: Are class actions for data breach dead?

Author
Susanna Charlwood

Partner

London

View profile →

Glugla Catharina
Catharina Glugla

Senior Associate

Duesseldorf

View profile →

van der Leeuw-Veiksha Anna
Anna van der Leeuw-Veiksha

Professional Support Lawyer

Amsterdam

View profile →

Image of Jason Rix
Jason Rix

Senior Prof Support Lawyer

London

View profile →

29 November 2021

The decision of the UK Supreme Court in Lloyd v Google is a welcome relief for data controllers. However, is it the end of class actions for data breach?

The case of Lloyd v Google was an attempt to construct an “opt out” class action based on a data breach – the placing of certain cookies on iPhone users’ devices without their knowledge or consent, and the alleged commercial use of valuable data it was claimed had been gathered. Had Mr Lloyd succeeded before the UK Supreme Court, he would have opened the flood gates to class actions, with very high numbers attached (Mr Lloyd’s claim indicated GBP3 billion in damages), against data controllers who contravened data protection legislation. But he did not succeed.

As a follow up to our earlier commentary, in this note, we analyse the flaws found in Mr Lloyd’s case, review certain pertinent developments in Europe concerning the right to compensation for data breach, and consider what this all means for the future of data breach class actions.

 

The flaws in Mr Lloyd’s claim

The claim concerned the alleged use, by Google, of the so-called “Safari workaround” to bypass privacy settings on Apple iPhones used during 2011-12. The Safari internet explorer had default settings that blocked all third party cookies (packets of data used to gather information about web use). However, during the relevant period, Apple devised certain exceptions that allowed Google to place a particular cookie, the “DoubleClick Ad cookie” on devices when users visited certain websites. It was alleged that, in this way, Google gathered information about individuals’ web use and other data, and then offered it to advertisers to enable them better to target their advertising.
 
An opt-out, representative action may be pursued where the representative – in this case Mr Lloyd – is able to establish that each member of the class he represents has the “same interest” in the claim. If such “same interest” is established, a determination of an issue in the claim is then binding on all members of the represented class without the need for members individually to participate in the proceedings. In order to meet this “same interest” criterion, the success of Mr Lloyd’s representative action was critically dependent on establishing that an individual is entitled to compensation for a (non-trivial) contravention of the Data Protection Act 1998 (DPA 1998) without the need to prove that the individual suffered any financial loss or distress. On that basis, it was said that damages could, and should, be awarded on a uniform per capita basis to each member of the class he represented without the need to prove any facts particular to each member of the class. Alternatively, Mr Lloyd claimed that each member of the class was entitled to damages assessed as an amount that they could reasonably have charged for releasing Google from the duties it was alleged to have breached. By putting his case in this way, Mr Lloyd sought to avoid the administrative complications and cost consequences of mounting a case in which over four million individuals would otherwise need to have their particular circumstances identified and evidenced.
 
The UK Supreme Court unanimously, and robustly, rejected the proposition that compensation was payable for contravention of the DPA 1998 without proof of damage. It found that there was no basis on which to conclude that the term “damage” in section 13(1) of the DPA 1998 extended beyond material damage or (as decided in Vidal Hall v Google [2015] EWCA Civ 311) distress. Further, the UK Supreme Court found no basis in EU Law (the DPA 1998 deriving from the Data Protection Directive 95/46/EC (DPD)) to conclude that there is a right to compensation for unlawful processing without proof of material damage or distress.

 

Comparing the GDPR and its predecessor: What does “non-material damage” mean?

Lloyd v Google was a claim brought under the DPA 1998; it did not concern, and the UK Supreme Court avoided addressing, its successor the General Data Protection Regulation (EU) 2016/679 (GDPR). So will the relief felt on the UK Supreme Court’s recent decision be short lived given the terms of the GDPR?

Article 23(1) of the DPD provides:

“Member States shall provide that any person who has suffered damage as a result of an unlawful processing operation or of any act incompatible with the national provisions adopted pursuant to this Directive is entitled to receive compensation from the controller for the damage suffered.”

“Damage” is interpreted as including distress.

Article 82(1) of the GDPR, however, reads:

“Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.”

Further, Recital 85 of the GDPR, which relates to breach notification, reads:

“A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.”

Recital 146 which concerns the obligation to compensate for damage, on the other hand, does not contain any reference to “loss of control”.

The obvious question is therefore, what does “non-material damage” mean and does the reference to “loss of control” in Recital 85 indicate that a contravention of the GDPR without proof that an individual has suffered any damage is sufficient to give rise to a right to compensation? 

The English court has not yet had to consider this issue. However, having been paused by consent pending the Lloyd v Google decision, an opt-out representative claim against TikTok, under the GDPR, is now reported to be proceeding. There are certain differences between this claim and the failed one against Google. But it is worth noting one point made by the UK Supreme Court in rejecting the right to claim damages for mere loss of control. The UK Supreme Court highlighted that “the wording of section 13(1) draws a distinction between ‘damage’ suffered by an individual and a ‘contravention’ of a requirement of the Act by a data controller and provides a right to compensation ‘for that damage’ only if the ‘damage’ occurs ‘by reason of’the contravention”. This wording, it said, “is inconsistent with an entitlement to compensation based solely on proof of the contravention”. The same logic can be applied to Article 82 of the GDPR which talks about “infringement” and “damage”. The UK Supreme Court also held that there was nothing in the European Convention on Human Rights nor the Charter on the Fundamental Rights of the European Union that required compensation for loss of control. This point also still stands in relation to the GDPR.

It is also important, though, to watch what is happening in the EU. There have been a number of cases in certain European Member State courts that have considered the meaning of “non-material damage” and some have concluded that contravention of the GDPR alone is sufficient to entitle compensation. If this were to become the established position as a matter of EU law, it could expose those who might be sued in Member States’ courts to larger scale actions. It would also put pressure on the English court and/or the UK Parliament to follow a similar approach.

 

European developments to watch

Austria 

Of most significance is an Austrian case that, in April this year, resulted in a reference to the Court of Justice of the European Union (Court of Justice) on the question of what constitutes “non-material damage”. The case was brought by an individual affected by data privacy breaches by Österreichische Post (the Austrian postal service) stemming from the processing and selling of information on the political affiliation of Austrians for which the postal service was fined EUR18m by the Austrian data protection authority. His claim, for EUR1,000 in compensation, was rejected by Austria’s Supreme Court who were of the view that the EU legislator had not intended compensation to be payable for minimal impact on an individual’s emotional state. However, it referred the following questions to the Court of Justice (C-300/21): 
  1. Does the award of compensation under Article 82 of the GDPR also require, in addition to infringement of provisions of the GDPR, that an applicant must have suffered harm, or is the infringement of provisions of the GDPR in itself sufficient for the award of compensation? 
  2. Does the assessment of the compensation depend on further EU-law requirements in addition to the principles of effectiveness and equivalence? 
  3. Is it compatible with EU law to take the view that the award of compensation for non-material damage presupposes the existence of a consequence of the infringement of at least some weight that goes beyond the upset caused by that infringement? 
It is likely to be at least 12-18 months before the Court of Justice reaches its decision. That decision will be binding on the courts of all EU Member States and the English court, post Brexit, “may have regard” to it.
 

Germany 

In Germany there are mixed views on the threshold for compensation for data breach. Some courts and legal scholars favour a traditional approach where compensation for non-material damage would be the exception, not the rule; others have awarded damages in respect of data violations on the basis that the breach alone was sufficient and it was unnecessary for the data subject to prove they suffered damage or, where proven, that it was caused by the data violation. 

For example, on 5 March 2020 the Labour Court of Dusseldorf (9 Ca 6557/18, German only) awarded EUR5,000 to an employee as compensation for non-material damage arising from their employer’s failure to comply with their right of access request under Article 15 of the GDPR, but without any substantive discussion of what “non-material damage” meant. On 26 May 2020, the Regional Court of Darmstadt (13 O 244/19) ordered a company to pay EUR1,000 for the non-material damage caused by mistakenly sending an email to the wrong person. In doing so, the loss of control over who has access to personal data was recognised as constituting non-material damage under the GDPR. The Federal Labour Court decided on 26 August 2021 (8 AZR 253/20 (A), German only) that the mere breach of the GDPR can amount to non-material damage under Article 82 of the GDPR. The court decided, contrary to the normal position under German civil law, that the claimant did not have to prove actual damage (be it material or non-material) or that the breach caused the damage.

 

Netherlands 

The courts in the Netherlands have been reluctant to allow claims for non-material damage for violations of privacy and data protection law.
 
On 1 April 2020, the highest administrative court of the Netherlands, the Raad van State (Council of State or the RvS) issued four decisions relating to claims by individuals for damages they purportedly suffered due to violations of the GDPR.
 
Three of these cases (available in Dutch here, here and here) concerned municipalities placing personal data on a closed internet forum without the data subject’s consent. In these cases, the RvS overturned earlier judgments that had awarded damages for the unlawful disclosure of personal data. The RvS noted that a mere violation of the claimant’s fundamental right to data protection does not automatically give rise to damages. The RvS held that the burden of proof to demonstrate damages remained with the claimants, who must provide sufficient evidence that they suffered loss, impairment to integrity or other adverse consequences. Furthermore, the RvS held that only the name and address of the data subject had been shared on the forum and there were no indications that the data had been misused.
 
The RvS also confirmed that the GDPR does not set out how the amount of non-material damages should be calculated, and noted that the Court of Justice had not ruled on this issue. The RvS held that the GDPR does not require damages to be punitive, and that damages should instead be compensatory, for the actual harm suffered.
 
The fourth case (available in Dutch here) concerned sensitive medical data that had been disclosed to a complaints board without the individual’s consent. The RvS upheld the decision to compensate and, having examined the nature, gravity and duration of the violation, increased the award from EUR300 to EUR500. The RvS noted that the violation related to sensitive personal data that is afforded a higher level of protection under Article 9 of the GDPR and emphasised that the adverse effects of sharing that special category of data are evident, so the claimant was not required to prove them.
 
Reflecting on these cases, the head of the Dutch supervisory authority suggested that GDPR violations be considered serious (a requirement of the Dutch Civil Code and existing case law for compensation) without any proof of harm if they concern sensitive personal data or are a result of the wilful or grossly negligent acts of the controller.
 
In a more recent decision of a lower court (the District Court of Noord-Nederland), issued on 12 January 2021, a municipality mistakenly published personal data (including name, address, telephone number, email address and national identification number) on its website. The court found that psychological discomfort, such as temporary feelings of stress or anxiety, was insufficient on its own to award compensation for non-material damage. The court did, however, rule that the municipality violated the privacy of the claimant by repeatedly publishing their data and that the adverse consequences of which, such as identity fraud, were obvious. The claimant was therefore eligible for EUR500 in compensation for non-material damage. In a seemingly similar case, however, on 7 April 2021, the Court of Gelderland rejected a claim for non-material damage by a claimant whose personal data (including bank statements and a copy of identification document) was stolen by a hacker following a cybersecurity breach. The court concluded that the claimant was not entitled to compensation for non-material damage as they had not substantiated “in concrete terms” how the distress from the data breach was manifested: there was no proof that the data involved in the hack was actually misused, and there was a clear evidence that the data had not ended up in the wrong hands.
 
As to collective action in the Netherlands, even though the courts have been reluctant to award compensation for non-material damage, we have seen a growing trend of collective actions being filed against organisations for alleged data protection and privacy violations. These are typically brought by consumer or non-profit organisations. There are currently cases pending against Oracle, Salesforce and TikTok, among others.
 

Conclusion 

There is undoubtedly therefore a further issue to be resolved: whether the GDPR creates a right to compensation without proof of actual damage and/or in what circumstances it should be assumed that certain types of damage (such as exposure to identity theft) should be found and compensated. The outcome of the reference to the Court of Justice will be very significant.

Returning to the English position, in particular, and the scope for mass data breach claims here, the UK Supreme Court’s judgment in Lloyd v Google contained another point of some comfort. This is that even if it were correct that no material damage or distress must be proven and that an opt out class action can be pursued claiming a minimum sum for each member of the class, it would be necessary still to establish that non-trivial unlawful processing of the data of each member of the class actually occurred. The class asserted by Mr Lloyd’s claim was anyone that owned a particular model of iPhone running a particular version of the Safari internet browser and who, during the relevant period, accessed a website that was participating in Google’s DoubleClick advertising service. To be part of the class, it was therefore not necessary to have made any repeat visits to such websites or to have had internet usage tracked or collated or even to have received targeted advertising based on the use of the DoubleClick Ad cookie. The Supreme Court found that membership of this class was therefore not sufficient to cross the threshold of a non-trivial contravention – a threshold which Mr Lloyd had accepted existed. Whilst this issue was particular to the facts of the particular data breach and the way in which the class represented by Mr Lloyd had been identified, it nevertheless indicates another issue that those who wish to pursue data breach class actions will need to consider.

The decision of the Supreme Court in Lloyd v Google is undoubtedly a big blow to data breach class actions in England. Whilst possibilities remain for the revival of such claims – in particular the possibility that the GDPR may be interpreted as requiring compensation in broader circumstances, which is the focus of this article, we think it will be some time before the UK Supreme Court (who will undoubtedly hear any such case) is asked to address an attempt to bring an opt out class action under the GDPR. In circumstances where the UK government has, since the Supreme Court’s decision, indicated that it has no plans to review its decision earlier this year not to introduce a new collective redress mechanism for data breach victims, we think data controllers can feel somewhat reassured.