Searching for a Remedy in Data Litigation: Lloyd v Google at the UK Supreme Court


Data litigation on the rise

Data may be the most important commodity of the 21st century, and so it is probably inevitable that litigation surrounding data, who it belongs to, and what can be done with it, is starting to proliferate. In the UK, the Supreme Court handed down judgment in Lloyd v. Google, a case that is important not just for what it says about data claims and data protection, but also for collective actions in England and Wales. It is also part of a busy litigation period for Google because, as noted here the internet giant has recently faced decisions from both the European General Court on competition law and the UK Supreme Court on data protection.

Richard Lloyd, with support from a litigation funder, brought a claim against Google alleging breach of its duties as a data controller under the Data Protection Act 1998 (the “DPA 1998”). The claim related to Google’s “DoubleClick Ad cookie” and alleged that Google had secretly tracked the internet activity of iPhone users for several months in 2011-2012, and used the data collected for commercial purposes without the users’ knowledge or consent.

This case concerned more than 4 million people as Mr Lloyd brought the claim as a representative action on behalf of everyone resident in England and Wales who owned an iPhone at the time and whose data was obtained by Google without their consent. He sought damages based on a “uniform sum” for each person (advanced as £750 in the letter of claim) for the infringement of their data privacy rights.


This action had stalled somewhat over the issue of permission to serve proceedings on Google outside of the jurisdiction. The US company contested the application on the basis that the claim had no real prospect of success because damages could not be awarded under the DPA 1998 for loss of control of data alone without proof that financial damage or distress had been caused and the claim was not suitable to proceed as representative action. After Google was successful at first instance and the Court of Appeal overturned that judgment, the UK’s highest court considered both questions. In a unanimous judgment, the Supreme Court rejected the application for permission to serve out of the jurisdiction and effectively brought the claim to an end.

Representative Actions Considered

The Supreme Court reviewed the history of the representative action as “a procedure of very long standing” in England and Wales whereby a claim can be brought by (or against) one or more persons as representatives of others who have the “same interest” in the claim. However, the representative action has proved to be a tricky basis for large claimant groups, particularly with regard to the need to show that all the members of the group have the “same interest” in the claim. Some may have hoped that the Supreme Court would sanction a wider and more permissive interpretation of the representative action which would effectively allow for an opt out class actions, but that was not to be.

While the Supreme Court judgment may go some way towards clarifying the mechanism, the purported floodgates are going to remain shut for now and the Court highlighted three particular points of interest.

First, the Supreme Court was clear that the compensatory principle still applies. Damages for a civil wrong are awarded with the object of putting the claimant as an individual in the same position as if the wrong had not occurred. That requires an individualised assessment of damages. That compensatory principle may have been altered for collective proceedings in competition law (as noted in Merricks v Mastercard) whereby it is sufficient to show that the loss has been suffered by the class as a whole. However, it was still a feature of other group actions under English law, such as Group Litigation Orders and representative actions.

Second, the Court provided some commentary on the potential for a bifurcated process whereby issues common to the whole class of claimants can be decided in a representative claim before moving on to an individual damages phase. The Court saw that there may be advantages in deciding common issues of fact or law through a representative claim. However, damages could only be claimed if the entitlement can be calculated on the same basis for all members of the claimant class and they have all suffered the same loss (such as where they were all wrongly charged a fixed fee). Otherwise, the representative claim could only be the first stage as the compensatory principle necessitates an individualised assessment of damages that cannot fairly or effectively be carried out without the participation of the individuals concerned.

Third, the Court also stressed the flexibility of the representative action. The “same interest” needs to be interpreted purposively and pragmatically. This does not mean each claimant must have an identical claim, but rather their claims should not prejudice the position of others. The purpose behind the same interest requirement is to make sure that the representative will conduct the litigation in a way which promotes and protects the interests of the whole class because they will be aligned. However, in the modern context,

“the reality is that proceedings brought to seek collective redress are not normally conducted and controlled by the nominated representative, but rather are typically driven and funded by lawyers or commercial litigation funders.”

In these circumstances,

“there is no reason why a representative party cannot properly represent the interests of all members of the class, provided there is no true conflict of interest between them.”

Judges also have flexibility on requirements to notify members of a class, to establish procedures for opting out if that is desirable, and for orders against third parties to pay adverse costs.

There must be damage and it must be individually assessed

Due to the difficulties in asserting individualised circumstances in a representative action, the Claimant had tried to claim damages based solely on loss of control (rather than specific material damage) and based on a uniform “lowest common denominator” of quantum. Both were rejected.

The Supreme Court was clear that “loss of control” was not, in and of itself, a head of loss under s. 13(1) of the DPA 1998. On the wording of the DPA 1998, a claimant was only entitled to damages where material damage or mental distress was suffered as a consequence of a breach of duty. Loss of control of the data alone was not enough.

Angry ball

It might have been different if there had been claim in tort for misuse of private information where there can be damages for intrusion into a person’s privacy independently of any damage or distress caused. The Supreme Court noted that English common law recognises a person’s freedom to choose and the right to control whether and when others have access to their private affairs. However, to establish liability for misuse of private information (or other wrongful invasion of privacy), it is necessary to show that there was a reasonable expectation of privacy in the relevant matter. That would again require an individual assessment of whether a claimant could establish a reasonable expectation of privacy. While drawing a distinction between the tort and the statutory claim at hand, the Supreme Court found that Mr Lloyd was seeking to claim a form of damages for each claimant class member which depended on a violation of privacy, while avoiding the need to show a violation of privacy for any individual class member.

Having said all that, the Court did offer the potential that a claim could have been made using the bifurcated process noted above. The Court could see no objection to a representative claim to establish whether Google was in breach of the DPA 1998 and seeking a declaration that any member of the represented class who had suffered damage as a result was entitled to be paid compensation. However, that would not generate a financial return in the first instance, and it would not be economic to pursue separate damages claims on behalf of those who opted into the second stage.

In short, the Supreme Court decided that damage was required for the alleged data protection breaches under the DPA 1998, and that damage would have to be individually assessed. However, even if proof of individual damage or distress were not required, an individual would still need to establish the extent of any unlawful data processing to claim damages. Mr Lloyd argued for a “uniform sum” of damages for each person, but the Supreme Court said that such “user damages” were to compensate for interference with a right to control the use of a commercially viable asset. The starting point would be to calculate the extent of the wrongful use and then estimate what could reasonably have been charged on an individual basis. While it could be possible to allow a representative claim for only a part of the compensation that could be claimed by any given person, without taking individual circumstances into account the facts alleged were insufficient to establish that any individual member of the class was entitled to damages.

The Future

Although this claim failed, it is worth noting that the Supreme Court accepted the commercial value of personal data. It could not be doubted that:

“information about a person’s internet browsing history is a commercially valuable asset.”

The Court also sketched out ways of estimating the extent of any unlawful use of this asset. These included the duration of time for which the data was unlawfully processed, the quantity of data unlawfully processed, whether sensitive or private data was processed, and what use was made of the data. However, as the Court was examining an application for permission to serve out, rather than a fully pleaded case on the merits, other substantive aspects of the case were not examined in detail. Similarly, the case related to the pre-GDPR law rather than current legislation. Future cases will have to delve into some of the details of breaches of current data legislation and how damages should be assessed.

While the result may impact the prospects for similar data breach claims, the Supreme Court did leave the door open for bifurcated proceedings with representative actions to establish liability on a group level, followed by individual claims for damages. The Court acknowledged it may not be economically viable to run such proceedings for claims which are individually relatively small, but it remains to be seen whether there will be some way to make this procedure work.

In the meantime, claimants are likely to continue with “opt in” group actions outside of the sphere of competition litigation. The Supreme Court acknowledged the limitations of these proceedings (such as low participation rates or the administrative costs of assembling such groups), but it looks like “opt in” actions will be the focus of group litigation in the near future. Deminor has experience of navigating “opt in” group actions in other jurisdictions and has found that using modern technology (like a client-facing data platform) can assist in running efficient, funded group litigation. While modern technology can create problems for people in relation to data protection, it can also provide solutions to assist them in vindicating their rights and accessing the funding to do so.




Your success is our success:

We are only paid when we win or settle your case.

Deminor handles all litigation costs and receives a percentage of the losses recovered.

Find out more


success rate

Get in touch with one of our experts.

We’ll give you a quick first assessment of your claim.