High Court opts-out of US style group litigation for data breaches
Lloyd v Google [08.10.18]
We live in a landscape where a rapidly increasing number of organisations collect and process personal data on an immense scale. Systemic failures or successful cyber attacks can easily lead to data breaches that affect a large number of individuals, all of whom are potential claimants.
In the build up to May 2018, there were prevailing concerns that the implementation of the GDPR would encourage large-scale opt-out class action litigation arising from data breaches, similar to those seen in the US since the revision of the US Federal Rules of Civil Procedure in 1966. Opt-out actions occur when a representative brings a claim on behalf of an undefined set of individuals who are purported to share a common interest. This is opposed to opt-in actions where each individual must register to be part of the action.
The concern of an increase in opt-out actions has been in part due to the rights GDPR enshrined for data subjects, such as the right for both individuals and groups to claim compensation for non-pecuniary damage such as inconvenience or distress.
However, the High Court has recently handed down a decision in Lloyd v Google [08.10.18] indicating that bringing an opt-out data breach group litigation claim in the UK may not be as easy as previously feared.
Mr Richard Lloyd (the former editor of Which? magazine) alleged that Google had breached their duty as a data controller under the now superseded Data Protection Act 1998 by using a method referred to as the “Safari Workaround”: tracking the internet activity of Apple iPhone users without their knowledge, collating and using the information it had acquired, and then selling the accumulated data.
Mr Lloyd brought an action against Google in a representative capacity on behalf of a class of affected iPhone users (estimated to number 4.4 million). The claim was therefore brought on an opt-out basis. Crucially, no financial loss or distress was alleged, rather the claim was purely for unquantified compensation based on a standard tariff (which the court envisaged would be merely a few hundred pounds) for each individual.
The court dismissed the claim. Firstly, for a claim for compensation to be successful, there needed to be evidence of damage suffered. Mr Lloyd had not alleged that he or any member of his class had suffered financial loss or distress as a result of the Safari Workaround.
Secondly, the court did not consider that Mr Lloyd had met the requirements of a representative action as all the members of the class did not have exactly the “same interest” in the claim. The court also considered how members of such a large class could be reliably determined and highlighted the disinterest of the individuals in the class in respect of the claim.
The court’s decision is a welcome one for the large number of organisations acting as data controllers in the UK. The judgment emphasises that in order for a compensation claim to succeed, claimants need to evidence that they have suffered damage. If bringing a representative action, this damage must be the same for each member of the class.
In recent months, we have seen large scale data breaches for British Airways and Marriott hotels. For Marriott, barely hours after the details of the breach hit the press, a national opt-out class action law suit was filed in the US.
However, in the UK, this decision indicates that the courts will not look favourably upon representative actions brought on behalf of a large body of individuals who have no knowledge of, or interest in the claim. Undoubtedly, this decision will force claimants and their representatives to think more carefully before launching representative actions. Law firms representing UK group litigation actions, such as the potential claim against British Airways have their work cut out to get each claimant to both opt-in and demonstrate their loss, unless the decision in Lloyd is successfully appealed in the Court of Appeal.