Guest blog by Claire Stockford, partner and barrister, and Alastair Brown, associate, at Shepherd and Wedderburn
In an eagerly awaited judgment, the High Court handed down its ruling in Richard Lloyd v Google LLC on 8 October 2018.
The claim was for compensation arising from revelations that Google unlawfully collected personal data relating to individuals’ internet usage between 2011 and 2012. Google obtained the data via the Safari web browser on Apple iPhones.
It was alleged that the acquired data allowed Google to categorise consumers within particular groups based on their internet preferences (for example ‘football lovers’ or ‘current affairs enthusiasts’), which were then offered to subscribing advertisers. In 2012, Google paid a civil penalty of $22.5m in the US in relation to this so-called Safari workaround.
The English claim was brought on behalf of several million individuals (together branded as ‘Google You Owe Us’) by Richard Lloyd, a former director of Which?, as the representative claimant for the group. Total damages were estimated to be between £1bn and £3bn, and funding of £15.5m had been secured from litigation funder Therium Capital Management.
The ruling concerned Mr Lloyd’s application for permission to serve the proceedings on Google in the US.
Mr Justice Warby refused permission for two key reasons. Firstly, he held that the claimant had failed to prove that ‘damage’ had been sustained by the purported class of claimants and this was essential for a successful compensation claim following a breach of data protection legislation.
Secondly, the judge confirmed that a representative claim would only be permitted where each member of the claimant group had the ‘same interest’ in the claim.
In Lloyd, the judge concluded that this requirement was not satisfied since “the nature and extent of the breach and the impact it had on individual class members will have varied greatly”.
In essence, the judge held that not every person within the claimant group would have suffered harm which calls for compensation. Although some individuals would be distressed by the revelations, others would not. As the judge put it: “Some people enjoy a surprise party.”
Describing the judgment as “an analogue decision in a digital age”, Mr Lloyd has called for legislation to permit groups of consumers to seek redress from large tech companies where personal data is mishandled.
However, in the absence of such legislation, where does this leave future large-scale class actions that rely on third-party funding to get off the ground?
On the one hand, it seems clear that there is a degree of reluctance to permit group litigation which will not materially benefit consumers.
Warby J concluded that the “main beneficiaries of any award at the end of this litigation would be the funders and the lawyers, by a considerable margin”.
Careful consideration is therefore needed at an early stage to ensure that any claim is structured in such a way that the main beneficiaries are the members of the claimant group and not third parties.
That being said, it is hard to ignore the increased possibilities of group litigation in the context of corporate data breaches, particularly following the implementation of GDPR earlier this year.
On a positive note, the Lloyd decision serves as a useful analysis of the pitfalls in bringing a representative action; potential group litigants and their advisers will no doubt take note of the pitfalls to avoid. In particular, claimants should bear in mind the need for strong evidence of the damage sustained as a result of the data breach in question.
Finally, it remains to be seen if this is the last word in the Lloyd case – Mr Lloyd has already indicated his intention to seek permission to appeal the decision. Lawyers and tech giants alike will watch with interest.