Beyond Lloyd v Google: Are class actions for data breach dead?
29 November 2021
The case of Lloyd v Google was an attempt to construct an “opt out” class action based on a data breach – the placing of certain cookies on iPhone users’ devices without their knowledge or consent, and the alleged commercial use of valuable data it was claimed had been gathered. Had Mr Lloyd succeeded before the UK Supreme Court, he would have opened the flood gates to class actions, with very high numbers attached (Mr Lloyd’s claim indicated GBP3 billion in damages), against data controllers who contravened data protection legislation. But he did not succeed.
As a follow up to our earlier commentary, in this note, we analyse the flaws found in Mr Lloyd’s case, review certain pertinent developments in Europe concerning the right to compensation for data breach, and consider what this all means for the future of data breach class actions.
The flaws in Mr Lloyd’s claim
Comparing the GDPR and its predecessor: What does “non-material damage” mean?
Lloyd v Google was a claim brought under the DPA 1998; it did not concern, and the UK Supreme Court avoided addressing, its successor the General Data Protection Regulation (EU) 2016/679 (GDPR). So will the relief felt on the UK Supreme Court’s recent decision be short lived given the terms of the GDPR?
Article 23(1) of the DPD provides:
“Member States shall provide that any person who has suffered damage as a result of an unlawful processing operation or of any act incompatible with the national provisions adopted pursuant to this Directive is entitled to receive compensation from the controller for the damage suffered.”
“Damage” is interpreted as including distress.
Article 82(1) of the GDPR, however, reads:
“Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.”
Further, Recital 85 of the GDPR, which relates to breach notification, reads:
“A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.”
Recital 146 which concerns the obligation to compensate for damage, on the other hand, does not contain any reference to “loss of control”.
The obvious question is therefore, what does “non-material damage” mean and does the reference to “loss of control” in Recital 85 indicate that a contravention of the GDPR without proof that an individual has suffered any damage is sufficient to give rise to a right to compensation?
The English court has not yet had to consider this issue. However, having been paused by consent pending the Lloyd v Google decision, an opt-out representative claim against TikTok, under the GDPR, is now reported to be proceeding. There are certain differences between this claim and the failed one against Google. But it is worth noting one point made by the UK Supreme Court in rejecting the right to claim damages for mere loss of control. The UK Supreme Court highlighted that “the wording of section 13(1) draws a distinction between ‘damage’ suffered by an individual and a ‘contravention’ of a requirement of the Act by a data controller and provides a right to compensation ‘for that damage’ only if the ‘damage’ occurs ‘by reason of’the contravention”. This wording, it said, “is inconsistent with an entitlement to compensation based solely on proof of the contravention”. The same logic can be applied to Article 82 of the GDPR which talks about “infringement” and “damage”. The UK Supreme Court also held that there was nothing in the European Convention on Human Rights nor the Charter on the Fundamental Rights of the European Union that required compensation for loss of control. This point also still stands in relation to the GDPR.
It is also important, though, to watch what is happening in the EU. There have been a number of cases in certain European Member State courts that have considered the meaning of “non-material damage” and some have concluded that contravention of the GDPR alone is sufficient to entitle compensation. If this were to become the established position as a matter of EU law, it could expose those who might be sued in Member States’ courts to larger scale actions. It would also put pressure on the English court and/or the UK Parliament to follow a similar approach.
European developments to watch
- Does the award of compensation under Article 82 of the GDPR also require, in addition to infringement of provisions of the GDPR, that an applicant must have suffered harm, or is the infringement of provisions of the GDPR in itself sufficient for the award of compensation?
- Does the assessment of the compensation depend on further EU-law requirements in addition to the principles of effectiveness and equivalence?
- Is it compatible with EU law to take the view that the award of compensation for non-material damage presupposes the existence of a consequence of the infringement of at least some weight that goes beyond the upset caused by that infringement?
In Germany there are mixed views on the threshold for compensation for data breach. Some courts and legal scholars favour a traditional approach where compensation for non-material damage would be the exception, not the rule; others have awarded damages in respect of data violations on the basis that the breach alone was sufficient and it was unnecessary for the data subject to prove they suffered damage or, where proven, that it was caused by the data violation.
For example, on 5 March 2020 the Labour Court of Dusseldorf (9 Ca 6557/18, German only) awarded EUR5,000 to an employee as compensation for non-material damage arising from their employer’s failure to comply with their right of access request under Article 15 of the GDPR, but without any substantive discussion of what “non-material damage” meant. On 26 May 2020, the Regional Court of Darmstadt (13 O 244/19) ordered a company to pay EUR1,000 for the non-material damage caused by mistakenly sending an email to the wrong person. In doing so, the loss of control over who has access to personal data was recognised as constituting non-material damage under the GDPR. The Federal Labour Court decided on 26 August 2021 (8 AZR 253/20 (A), German only) that the mere breach of the GDPR can amount to non-material damage under Article 82 of the GDPR. The court decided, contrary to the normal position under German civil law, that the claimant did not have to prove actual damage (be it material or non-material) or that the breach caused the damage.
There is undoubtedly therefore a further issue to be resolved: whether the GDPR creates a right to compensation without proof of actual damage and/or in what circumstances it should be assumed that certain types of damage (such as exposure to identity theft) should be found and compensated. The outcome of the reference to the Court of Justice will be very significant.
Returning to the English position, in particular, and the scope for mass data breach claims here, the UK Supreme Court’s judgment in Lloyd v Google contained another point of some comfort. This is that even if it were correct that no material damage or distress must be proven and that an opt out class action can be pursued claiming a minimum sum for each member of the class, it would be necessary still to establish that non-trivial unlawful processing of the data of each member of the class actually occurred. The class asserted by Mr Lloyd’s claim was anyone that owned a particular model of iPhone running a particular version of the Safari internet browser and who, during the relevant period, accessed a website that was participating in Google’s DoubleClick advertising service. To be part of the class, it was therefore not necessary to have made any repeat visits to such websites or to have had internet usage tracked or collated or even to have received targeted advertising based on the use of the DoubleClick Ad cookie. The Supreme Court found that membership of this class was therefore not sufficient to cross the threshold of a non-trivial contravention – a threshold which Mr Lloyd had accepted existed. Whilst this issue was particular to the facts of the particular data breach and the way in which the class represented by Mr Lloyd had been identified, it nevertheless indicates another issue that those who wish to pursue data breach class actions will need to consider.
The decision of the Supreme Court in Lloyd v Google is undoubtedly a big blow to data breach class actions in England. Whilst possibilities remain for the revival of such claims – in particular the possibility that the GDPR may be interpreted as requiring compensation in broader circumstances, which is the focus of this article, we think it will be some time before the UK Supreme Court (who will undoubtedly hear any such case) is asked to address an attempt to bring an opt out class action under the GDPR. In circumstances where the UK government has, since the Supreme Court’s decision, indicated that it has no plans to review its decision earlier this year not to introduce a new collective redress mechanism for data breach victims, we think data controllers can feel somewhat reassured.