Lloyd v Google LLC

The Supreme Court considered whether a claimant could use the long‑standing representative procedure in CPR r 19.6 to bring a single, commercially funded claim on behalf of some four million Apple iPhone users for alleged breaches of the Data Protection Act 1998 (in particular s 4(4) and s 13) arising from Google’s alleged use of the "Safari workaround" to place DoubleClick advertising cookies. The court examined the scope of the representative rule, compared it with group and collective procedures, and analysed whether compensation under s 13 of the DPA 1998 can be awarded without proof of material damage or distress.

The court held that section 13 requires proof of damage (understood as material damage) and that distress is compensable only in the limited circumstances set out in s 13(2) (as previously adjusted in Vidal‑Hall by disapplication of s 13(2) on EU law grounds). The panel rejected the claimant’s argument that "loss of control" over data is a freestanding head of recoverable damage under s 13 payable without individualised proof, and rejected the contention that user damages or a uniform per capita award could be made on the basis of membership of the defined class alone. The claim as pleaded therefore had no real prospect of success and was unsuitable for disposition as a CPR r 19.6 representative action without individualised proof of unlawful processing and resulting damage.

Background and parties

Mr Richard Lloyd, funded by a commercial litigation funder, brought a claim against Google LLC alleging that in 2011–2012 Google bypassed Apple Safari privacy settings to place DoubleClick advertising cookies on iPhones and thereby processed personal data without consent. Mr Lloyd sought to act as representative claimant under CPR r 19.6 on behalf of all affected residents of England and Wales and to recover damages on a uniform per capita basis. Google resisted permission for service out of the jurisdiction, arguing no real prospect of success and that a representative approach was unsuitable.

Procedural history

• High Court (Warby J): refused permission to serve out (found claimant had no real prospect on the key issues) — [2018] EWHC 2599 (QB); [2019] 1 WLR 1265.
• Court of Appeal: reversed and granted permission, accepting the representative route might be appropriate — [2019] EWCA Civ 1599; [2020] QB 747.
• Supreme Court: allowed Google’s appeal and restored the High Court order refusing permission — [2021] UKSC 50.

Nature of the claim and relief sought

Mr Lloyd relied exclusively on s 13 of the Data Protection Act 1998 to claim compensation for the represented class on a bottom‑up, uniform per capita basis. He advanced two principal legal contentions: (1) that s 13 permits awards for "loss of control" over personal data without proof of material damage or distress; and (2) that a uniform per capita sum could be awarded without individualised proof of the extent of Google’s processing in each case.

Issues framed by the court

1. Whether the representative procedure under CPR r 19.6 could be used in the way proposed.
2. Whether s 13 of the DPA 1998 permits compensation for non‑trivial contraventions without proof of material damage or distress (ie whether "loss of control" is a freestanding head of recoverable damage).
3. Whether user or uniform per capita damages could be awarded without individualised proof of unlawful processing and loss.

Court’s reasoning and conclusion

The court affirmed that the representative procedure is a flexible and long‑standing tool and may be apt to decide common issues, including declarations, and to form the basis for subsequent individual claims. But it emphasised limits deriving from the compensatory nature of damages. On statutory construction and EU law context the court held that s 13(1) is a remedy for damage (material damage) suffered "by reason of" a contravention and that the remedial scheme contemplates that compensation requires proof of damage distinct from the contravention. The Court rejected the claimant’s submission that the principles in Gulati (compensation for misuse of private information including loss of control) should be transposed to s 13 so as to permit awards without proof of material damage or proof of the extent of processing in each individual case. Even if loss of control were conceptually relevant, the pleaded case did not and could not establish unlawful processing in each individual’s case beyond the fact of alleged placement of a cookie once; that minimal common factual basis could not, as a matter of law, support a non‑trivial award for each represented person. The representative claim as advanced had no real prospect of success and permission to serve out was refused.

Wider context: the court noted the limited legislative regime for collective redress in data protection and discussed the distinctions between representative, group and collective (Competition Act) schemes, highlighting that legislative reform would be the appropriate avenue for a generic opt‑out class action regime.

Appeal allowed. The Supreme Court held that the claim as pleaded had no real prospect of success because compensation under section 13 of the Data Protection Act 1998 requires proof of damage (material damage) or other statutory conditions; the court rejected the novel submission that non‑trivial contraventions give rise to compensation for "loss of control" without individualised proof, and concluded that a representative action framed on the pleaded, minimal common facts could not establish entitlement to damages for each represented person. Permission to serve out was therefore refused.

High Court (Warby J) refused permission to serve out: [2018] EWHC 2599 (QB); [2019] 1 WLR 1265. Court of Appeal reversed and granted permission: [2019] EWCA Civ 1599; [2020] QB 747. Supreme Court allowed Google’s appeal and restored the High Court order refusing permission: [2021] UKSC 50.