The Lloyd v. Google claim has given rise to some thought-provoking questions:
- Has Google breached its duties as a data controller? If so, have class members of the ensuing collective action suffered quantifiable damages?
- How exactly should “same interest” be determined in a case regarding the misuse of data?
- Do individual members of a class have to demonstrate material harm in order to receive recompense?
In the following article, we will explore the answers to these and other questions that have arisen from Case UKSC 2019/0213, otherwise known as Lloyd v. Google.
What Exactly Happened?
Richard Lloyd, sought to file a claim against tech giant Google, asking for compensation pursuant to section 13 of the Data Protection Act of 1998. The accusation involves the use of cookies in a ‘Safari workaround’ that ultimately collected, then disseminated, user data into metrics that were then used to employ targeted advertising to users.
This alleged misuse ostensibly impacted over four million iPhone users in England and Wales, whose data was unlawfully accessed by Google. Google’s use of the data was found to be a breach of DPA1998.
Lloyd sued not only on his own behalf, but on behalf of others whose data was treated similarly. Google fought the suit, saying that class members could not demonstrate material harm from the misuse of data. In a case like this one, ‘material harm’ could include monetary losses or mental anguish stemming from the illegal harvesting or dissemination of data.
Lloyd’s claim was backed by Therium, a prominent litigation funder specializing in tech-related cases. Lloyd’s legal team argued that the ‘same interest’ mandate had been satisfied, and that awarding all class members the same sum in damages is reasonable—without a need to delve into the personal circumstances of every individual claimant.
The Decision
Initially, the High Court ruled in favor of Google. When the court of appeal reversed the ruling, Google appealed again to the Supreme Court. In the majority decision, Lord Leggatt determined the following:
- The determination of “damage” must include verifiable, material damages such as financial or mental anguish. Mere illegality of an action is not enough to necessitate financial recompence.
- Damages must be demonstrated.
Why are the Facts Here so Important?
Obviously, there is reason to be concerned when a tech company in control of an extremely large amount of user data is accused of illegally managing that data. In this instance, Google allegedly sold or used user data for commercial/money-making purposes. This was done without the knowledge or consent of its users. One could argue that any user who utilized Google on an Apple iPhone has reason to be dismayed (indeed, a similar case settled before going to trial).
The case also illustrates the importance of opt-in versus opt-out models, as well as what can happen when the majority of class members choose to abstain from involvement in the case proceedings. Under Lord Leggatt’s ruling, an opt-out model is not feasible in any instance requiring that class members be able to show tangible losses. Ultimately, tech giants like Google are required to abide by their own user agreements. However, users must prove suffering beyond the violation of their right to privacy.
Ironically, one area of doubt in such a case arises over how shares of a payout (to litigation funders, for example) can properly be calculated without consent of all class members. Just as many class members in an opt-out proceeding may not know the details of the case, they also may be totally unaware of the claim, or of how any proceeds are to be divided.
What Do These Developments Mean for Litigation Funders and Potential Claimants?
The idea that a claimant must demonstrate damages in order to receive compensation is neither new nor controversial. But it does put a damper on collective actions with high class member counts. Especially when looking at cases against huge companies like Visa/Mastercard, Apple, or Google. Many would argue that it’s simply not feasible to collect information about losses from millions of potential claimants.
So, while this line of thinking is reasonable under English law, it may well discourage litigation funders from taking on cases requiring that all class members demonstrate individual losses. This, in turn, will make the pursuit of justice more difficult for potential members of a wronged class.
For litigation funders, the difference between one potential claimant in a case and the millions who could have been class members in Lloyd v Google is significant. While we know that funders ultimately back cases to increase access to justice and give claimants a day in court—we also know that this relies on investors, whose motivation to invest is profit-driven. In short, litigation finance only works in the long term, when it’s financially advantageous to investors.
The question of privacy rights is a tricky one. Having one’s privacy violated is, as the phrase suggests, a violation. But as it typically has no financial component beyond the negative feelings associated, it is unlikely to serve as a demonstrable loss in a case involving user data (unless, of course, a further demonstrable loss can be proven).
At the same time, it is clear that Google misused user data, intentionally and without consent—with an eye toward financial gain. Surely it makes sense that Google should share some of that income with the users whose data was breached?
Not according to the UK Supreme Court, apparently.
A Missed Opportunity
Had Lloyd vs. Google succeeded in the way Lloyd intended, it could have changed the way class actions in data cases were handled by the courts. Essentially, opt-out class actions could have flourished as individual class members wouldn’t be required to demonstrate financial damages.
This has particular relevance to data cases, because when data companies use information in ways that are not in keeping with their own TOS, users may not be damaged financially. But this lack of demonstrable damages doesn’t necessarily mean a) data companies don’t have a moral obligation to offer users recompense, or b) that users aren’t deserving of a payout when they are wronged.
Had Lloyd’s legal team instead used a bifurcated approach to the proceedings, a smaller opt-in class could perhaps have enabled a stronger case through the gathering of evidence—specifically evidence of damages. Similarly, a Group Litigation Order (GLO), which, despite what some see as high administrative costs, would have better determined eligibility for class members. This, in turn, would have allowed for a better test of the case’s merits.
In Conclusion
Lloyd vs. Google demonstrates the importance of several aspects of class action litigation, including how opt-in versus opt-out impacts the collection, as well as ability to bring evidence of damages. This promises to be a factor in future tech cases—not just in the UK, but globally.
Will the failure to secure damages for those whose data was misused embolden Big Tech? Will it serve as a warning? Could it discourage litigation funders from backing such cases?
We’ll have to wait and see. For now, it’s clear that Lloyd vs. Google has left its mark on the UK legal and litigation funding worlds—and on Big Tech as a whole.