Prospect of US style opt-out data class actions recedes as UK Supreme Court rejects £3bn Google privacy claim

Pinsent Masons team secures landmark victory for tech giant as claim brought on behalf of four million iPhone users founders
Entrance to the Supreme Court of the United Kingdom in London

lazyllama, Shutterstock

Pinsent Masons has secured a major win for Google, with the UK Supreme Court today rejecting a class action claim brought by former Which? director Richard Lloyd that sought billions of pounds in damages on behalf of millions of people on the basis of privacy harms.

Legal commentators agree that the ruling means that similar group privacy claims are now unlikely to proceed in a move that they said will be welcomed by data controllers.

Lloyd acted as the lead claimant for the class, which was represented by claimant litigation boutique Milberg London backed by third-party litigation funder Therium. 

Lloyd’s team had claimed £750 in damages should be awarded to each of a proposed class of four million Apple iPhone users in England and Wales, arguing that their internet activity was secretly tracked by Google between 2011 and 2012. They claimed the tech giant had then used the data to enable advertisers to target adverts at users based on their browsing history.

But the Supreme Court, in a unanimous ruling, rejected Lloyd’s argument that the loss of control of personal data has an intrinsic value capable of compensation. Instead, Lord Leggatt, giving the judgment of the court, found that each claimant must establish they had personally suffered some form of material damage, such as financial loss or mental distress, resulting from the alleged breach of the Data Protection Act 1998, which was in effect at the time of Google's alleged wrongdoing. It also held that it was necessary to prove what unlawful processing by Google of personal data relating to a certain individual had occurred. 

The case has been described as one of the most significant in recent UK legal history, comparable to last December's Merricks vs Mastercard, in which the Supreme Court gave the green light to a £14bn competiton class action claim against Mastercard.

RPC, whose client techUK was an intervening party in the hearing, said that the rejection of the concept of 'loss of control' damages and the requirement that individuals must prove they have suffered damage ‘means that a representative action is unlikely to be a financially viable option for legal advisers and funders in most cases’.

Pinsents TMT disputes partner David Barker, who led the team acting for Google, added: “Lord Leggatt’s comments on the availability of damages for loss of control may lead to a more general dampening of the claims market in this space.” 

Several other representative actions based on alleged data protection breaches have been on hold pending the Supreme Court’s judgment in this case, including claims against TikTok, Facebook and Marriott Hotels. According to Pinsents, it now seems unlikely that litigation funders will have any appetite to pursue them.   

Lloyd, a veteran consumer rights campaigner, had been pursuing the case against Google in court for several years. The High Court ruled in October 2018 that he couldn’t serve the claim on the Delaware-based tech giant outside the jurisdiction of England and Wales, a decision that was overturned by the Court of Appeal in October 2019.

Google challenged the Court of Appeal’s judgment, leading to a hearing in April 2021 which attracted a large number of interventions. Today's judgment by a panel of five Supreme Court justices effectively blocked the action.

RPC partner and head of IP and tech, David Cran, said the Supreme Court's judgment “will be warmly welcomed by data controllers who following the Court of Appeal's judgment, were exposed to very significant potential liability arising from data claims, even if no specific damage was shown to have been suffered by any individual".

He added that the judgment was “likely to have a very significant impact on UK industry across many different sectors that handle customer data, as well as the UK legal market, including claimant firms, litigation funders and After the Event (ATE) insurers."

The UK has not enacted legislation for class actions outside the field of competition law and Lloyd had brought his claim using a procedural rule for representative actions, CPR19.6, which historically has been used for group litigation orders sought by claimants with the same claim such as tenants seeking to challenge service charges against their landlord.

David Greene, senior partner and head of class action and finance litigation at London firm Edwin Coe, said the profession had been waiting to see if the Supreme Court would open up a new process for class actions based upon a reinterpretation of this old procedural rule.

"This is no doubt a great win for Google and a disappointment not just to Mr Lloyd, but to all those seeking to pursue data breach claims on the same basis," said Coe, speaking on behalf of the London Solicitors Litigation Association. "It does however leave open the possibility of using CPR 19.6 in a similar fashion either for common declaration or where individual damages can be proved. The door is shut in this particular case but left ajar for innovative use of this age-old provision. We watch with interest."

London-based Herbert Smith Freehills disputes partner Julian Copeman added: "While this decision means that the threat of 'US style' opt-out litigation in data claims has receded, group litigation is here to stay and there is nothing in this decision which means that such claims won't continue to be brought as 'opt in' group claims."

Email your news and story ideas to: [email protected]