Lord Justice Leggatt’s judgment
Claiming damages in representative actions
The judgment of the Supreme Court was given by Lord Justice Leggatt, with whom the other four judges all agreed. The judgment includes a comprehensive survey of the case law on representative actions going back over 150 years. It is likely to be regarded as the leading case on representative actions and will be scrutinised by those interested in bringing such claims outside the data protection context.
Lord Leggatt considered the viability of the claim as a representative action in the context of this survey of the cases. Most significantly in this context, he stressed that the potential for claiming damages in a representative action is limited by the nature of the remedy of damages at common law.
In English law, damages “are awarded with the object of putting the claimant – as an individual – in the same position, as best money can do it, as if the wrong had not occurred”, Lord Leggatt said.
Though the judge said it was possible for a representative action to include a claim for damages where the represented class members had all suffered the same loss, for example if they had all been overcharged the same sum, or they had all been sold a defective product which was worth equally less in each instance due to the nature of defect, he considered that these scenarios are somewhat exceptional. He said that in most cases there will need to be an individualised assessment of what has happened to each individual class member and that a representative action is an unsuitable vehicle for this because individual class members do not participate in the action.
Lord Leggatt suggested that the claim could in theory have been advanced by way of a bifurcated process, i.e. in two stages.
The first of these stages would have involved Lloyd seeking a declaration that class members are entitled to damages, without seeking a payment of damages in this first stage. This would not have offended the principles outlined because the court would not have been required to assess damages on an individualised basis.
The second stage would involve individuals then seeking a damages award separately, on the basis of their own circumstances. Lord Leggatt speculated that although this would work in theory, it may be unattractive to the claimant side in practice because the first stage would not generate any return for the funders or those represented.
Damages for “loss of control”
Lord Leggatt went on to consider Lloyd’s attempts to get around the difficulties of needing to show each class member’s individualised circumstances.
A crucial element of Lloyd’s attempt to bring his claim within the representative action procedure was the contention that a non-trivial breach of any data subject’s rights gives rise to an entitlement to compensation for “loss of control” of personal data. This argument was founded on the Court of Appeal’s judgment in the case of Gulati v MGN, which concerned systematic phone hacking by journalists from the Mirror Group.
Gulati was a case framed in the tort of misuse of private information, rather than under data protection legislation. In that case the Court of Appeal found that the claimants were entitled to damages for loss of control over their privacy rights, or loss of autonomy, and awarded substantial damages. Lloyd argued that because the tort of misuse of private information and data protection legislation are both rooted in the same fundamental right to privacy, the same approach to damages should be adopted for both causes of action.
Lord Leggatt rejected the approach contended for by Lloyd. He found that the proposed approach was fundamentally inconsistent with the wording of Section 13 of the Data Protection Act 1998, the legislation applicable at the time relevant to his claim.
Section 13(1) states: “An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage”.
Section 13(2) states: “An individual who suffers distress by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that distress if: (a) the individual also suffers damage by reason of the contravention…”
Two compelling points arise from the statutory language. The first is that the damage in respect of which the data subject seeks to recover must be suffered by reason of a contravention by the data controller. This plainly separates the notion of the breach, i.e. the “contravention”, and the damage resulting from it. Accordingly, conflating the two is incompatible with the statutory language.
The second point is that section 13(2) refers to two types of consequences of a breach by a data controller, namely damage and distress. On the original statutory wording, the latter was only recoverable in the event that the former could also be established. Lord Leggatt therefore held that the reference to damage in section 13(2), and by extension also 13(1), must logically mean something more serious than distress and must mean material damage such as financial loss. It followed that the statutory wording did not contemplate an entitlement to compensation for something less serious than distress, which a loss of control might be.
Lord Leggatt noted that section 13(2) has been disapplied since the Court of Appeal’s judgment in the case of Vidal Hall v Google, in which the court determined that it was inconsistent with the overarching EU directive from which it had derived. However, this does not affect the correctness of his judgment.
Lord Leggatt further held that the idea that misuse of private information and breaches of data protection legislation must have coterminous remedies since the rights in question are of common origin did not bear scrutiny. The tort of misuse of private information protects information which is established to be private in nature. In contrast, much personal data has no particular private character. In addition, Lord Leggatt’s judgment makes clear that the misuse of private information is a tort involving strict liability for deliberate acts, not a tort based on “want of care” or negligence. Accordingly, to provide the same remedies for both causes of action is not necessary or desirable.
Lowest common denominator
Lord Leggatt identified other fundamental problems with Lloyd’s approach. Most significant amongst these was Lloyd’s contention that he should be required to prove only that a person met the criteria to be member of the represented class, and that all such persons should be treated as having suffered damage on a “lowest common denominator” basis.
In rejecting Lloyd’s construct, he said: “I cannot see that the facts which the claimant aims to prove [i.e. mere membership of the class] in each individual case are sufficient to surmount [the de minimis] threshold. If (contrary to the conclusion I have reached) those facts disclose ‘damage’ within the meaning of section 13 at all, I think it impossible to characterise such damage as more than trivial. What gives the appearance of substance to the claim is the allegation that Google secretly tracked the internet activity of millions of Apple iPhone users for several months and used the data obtained for commercial purposes. But on analysis the claimant is seeking to recover damages without attempting to prove that this allegation is true in the case of any individual for whom damages are claimed. Without proof of some unlawful processing of an individual’s personal data beyond the bare minimum required to bring them within the definition of the represented class, a claim on behalf of that individual has no prospect of meeting the threshold for an award of damages.”
For similar reasons, Lord Leggatt rejected Lloyd’s argument in relation to user damages, i.e. the idea that an award should be made to each class member based on a notional release fee in which they would have been prepared to allow Google to serve the DoubleClick cookie. Without an enquiry into who was affected and to what extent, this approach was also flawed.
What next?
Claimant lawyers and litigation funders, including those backing other representative actions which are currently paused, will no doubt pore over the judgment to try to identify whether representative actions in the data space could be viable notwithstanding the Supreme Court’s approach.
Lord Leggatt makes clear that his analysis relates to the position under the Data Protection Act 1998 and not the UK GDPR which, together with the Data Protection 2018, has superseded the 1998 Act.
Article 82(1) of the GDPR provides that a person who has suffered “material or non-material damage as a result of an infringement of this Regulation” should have the right to receive compensation for the damage suffered. In addition, Recital 85 states that “a personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned”.
Two points arise from this wording. First, the language of the GDPR is similar to that of the 1998 Act in that it distinguishes between the act giving rise to the damage and the damage itself. The GDPR refers to the “infringement” rather than the “contravention”, but nothing turns on this. Secondly, although Recital 85 refers to loss of control, it does not contemplate that all infringements will give rise to a loss of control. The differences between the two regimes do not therefore appear to offer significant scope for distinguishing any new claims brought under the GDPR from the precedent now set by Lloyd v Google.
In any event, Lord Leggatt found that even if damages were available for loss of control, it would still be necessary to establish the extent of the unlawful processing in the case of each individual data subject, and this would render a representative action unviable. It is not clear, therefore, that a different approach to damages under UK GDPR would have any practical effect.
Similar difficulties are likely to arise if a representative claimant seeks to pursue their claim in misuse of private information, where the Gulati judgment established that a claim for loss of control damages is available. First, as Lord Leggatt points out, establishing a claim in misuse of private information may be more difficult given the requirements of the tort: the information in question must be private and the misuse must arise from a deliberate act, not merely a want of care. Further, these requirements and the extent of the breach would need to be established for each and every class member.
Following on from the High Court decision in Warren v Dixons earlier this year, the Supreme Court’s decision in Lloyd confirms that there are distinct differences between data protection and misuse of private information as causes of action, and identifies further challenges for claimants seeking to rely on misuse of private information in a data processing context.
The Supreme Court’s decision brings the position firmly into line with the outcome of the UK government consultation conducted last winter on the possibility of introducing a bespoke procedure for opt-out class actions in the data protection space.
In its report on that consultation, the Department of Culture, Media and Sport said in February 2021 that the case for introducing an opt-out procedure into law was not strong enough: “There is insufficient evidence of systemic failings in the current regime to warrant new opt-out proceedings in the courts for infringements of data protection legislation, or to conclude that any consequent benefits for data subjects would outweigh the potential impacts on businesses and other organisations, the ICO and the judicial system.”
Finally, Lord Leggatt’s comments on the availability of damages for loss of control may also lead to a more general dampening of the claims market in this space, with a greater emphasis on the requirement for data subjects to show material damage or distress on an individualised basis.
David Barker led the Pinsent Masons team which acted for Google in this case.
Credit: Source link
