Lloyd v Google: The business view on data protection class action

22 Apr 2021 01:41 PM

Lloyd v Google: The business view on data protection class action

Data is at the heart of today’s business operations in sectors from logistics to financial services, and is increasingly raw material behind the research and innovation that will enable tomorrow’s products and services. Technologies powered by data will help to tackle some of the biggest issues our societies face, from climate change to COVID-19.

Against this backdrop, data protection is a complex and fast-changing field, which encompasses a multitude of actors, technical legislation, and case law that is developing fast. As the role of data-driven digital technology grows, businesses and people must have confidence in a UK ecosystem that effectively upholds and enforces people’s data rights.

This statement sets out the CBI’s view on ‘opt-out’ representative action with regards to data protection law. The Lloyd v Google case is exploring whether such action can be brought under the code governing civil court cases, the Civil Procedure Rules (CPR 19.6). As we stated in our response to government’s Review of Representative Action Provisions under the Data Protection Act 2018 (DPA 2018), businesses across the economy believe that departure from UK precedent to allow US-style class action is likely to harm consumers and firms. It is unlikely to improve access to justice for most individuals, while having a potentially chilling impact on the UK’s ambitions to be a leading science and innovation nation in the 21st century.

Context

Industry recognises the importance of people engaging with their data rights, with a number of routes available to bring data protection-related complaints under the current regime.

Businesses understand the importance of individuals’ understanding and enforcement of their data rights. Industry compliance with GDPR plays a vital role in ensuring timely and effective enforcement of data subject rights.

The current framework in the UK provides numerous routes for data protection related complaints, in particular:

Government recently recognised the strong protection that the current regime provides for individuals with its decision not to introduce opt-out provisions for alleged data law infringements under the DPA 2018.

As highlighted above, opt-in representative action is possible under the DPA 2018. The UK government’s recent Review of Representative Action Provisions explored how the current regime is working, including the merits of introducing new DPA 2018 provisions to permit non-profit organisations to undertake opt-out representative action, on behalf of individuals without their specific authorisation.

DCMS received around 350 responses to the call for views from a broad range of civil society and industry organisations, including the CBI. On balance, government decided that there was not enough evidence to support the introduction of a statutory mechanism for opt-out representative action, stating in its response that:

The current regime already offers strong protection for individuals … and routes for redress. In the government’s view, there is insufficient evidence of systematic failings in the current regime to warrant new opt-out proceedings in the courts for infringements of data protection legislation, or to conclude that any consequent benefits for data subjects would outweigh the potential impacts on businesses and other organisations, the ICO and the judicial system.

Lloyd v Google is the latest development in group litigation, exploring whether US-style opt-out claims under CPR 19.6 can be brought regarding data breaches.

In 2018, under CPR 19.6, Richard Lloyd launched an opt-out class action lawsuit against Google on behalf of over four million people, for perceived breaches of data protection law. The High Court’s decision to dismiss the claim was reversed by the Court of Appeal, which made two key findings.

First, the Court of Appeal ruled that data subjects could recover damages for ‘loss of control’ of their data. Prior law permitted data subjects to recover damages both for financial losses and for distress, but the ruling that ‘loss of control’ of data in and of itself sounded in damages was an entirely new finding. Second, in relation to ‘loss of control’ damages, the class members in Lloyd v Google have the ‘same interest’, which is the test that must be met to bring representative action class actions pursuant to CPR 19.6. On this basis, the claim was permitted to proceed as a class action on behalf of in excess of four million persons.

The case will now be heard in the Supreme Court. Its outcome will have significant ramifications across the economy, for businesses and public sector bodies, individuals and the courts. Prompted by the Court of Appeal’s decision, claimant law firms have already filed large data protection class actions against a number of businesses in the tech, retail, and hospitality sectors, with class sizes in the multi-millions. These are simply the early cases, with many more likely to follow if the procedure is firmly established.

Impact of opt-out provisions

Opt-out representative action provisions could be highly detrimental to organisations (including businesses across sectors and public bodies), customers, the ICO, and the courts.

In our submission to the Review of Representative Action Provisions, the CBI argued against the introduction of opt-out class action provisions as a radical departure from UK precedent that would likely lead to a rapid and costly acceleration in claims, including meritless ones.

Businesses are concerned that the growing number of litigation funders and claimant law firms in this space is already leading to a greater focus on monetisation for funders’ benefit rather than seeking justice for individuals. This could impact organisations in sectors across the economy who rely on personal data for developing products and services, including public sector bodies such as central or local government departments.

The impact of opt-out provisions on a range of stakeholders could be:

Next steps

Given its potential implications for UK industry, the CBI continues to monitor this case closely. We believe that opt-out representative action for alleged data protection infringements will harm individuals and organisations across the UK data ecosystem. Given the huge impact they are likely to have, any introduction of class actions should be accompanied by further government policy interventions. As we said in our response to the Review of Representative Action Provisions, detailed rules and significant safeguards would be needed to prevent their vexatious use, for example requiring proof of expertise of organisations bringing claims, notification and opt-out procedures for class members, and claimants’ liability for own-party and adverse costs.

[1] Carlton Fields, Class Action Survey (2020). 

[2] Federal Trade Commission, cited by Reuters, ‘FTC’s comprehensive study finds median consumer class action claims rate is 9%’ (2019, accessed March 2021).