Insights Supreme Court overturns Court of Appeal ruling on class action brought against Google alleging breach of Data Protection Act 1988 against over four million Apple iPhone users


The claimant, Richard Lloyd, applied for permission to serve proceedings on Google LLC, whose principal place of business is in California, for breach of s 4(4) of the Data Protection Act 1988. Mr Lloyd issued the proceedings on behalf of more than four million Apple iPhone users, claiming that between 2011 and 2012 Google had secretly tracked the internet activity of these users, collated and used that information, and then sold the accumulated data (thereby enabling advertisers to target advertisements at users based on their browsing history), using what was referred to as “the Safari Workaround”, without the users’ knowledge or consent.

Google opposed the application on the grounds that: (i) damages could not be awarded under the 1998 Act without proof that a breach of the requirements of the Act had caused an individual to suffer financial damage or distress; and (ii) the claim in any event was not suitable to proceed as a representative action. At first instance, Mr Justice Warby decided both issues in Google’s favour and therefore refused Mr Lloyd permission to serve the proceedings on Google. The Court of Appeal reversed that decision. Google appealed to the Supreme Court.

The question for the Supreme Court was whether Mr Lloyd could bring a claim against Google LLC in a representative capacity seeking compensation under s 13 of the 1988 Act for damage allegedly suffered by a class of Apple iPhone users.

The Supreme Court noted that, except in the field of competition law, Parliament has not enacted legislation providing for class actions in which a single person can claim redress on behalf of a class of people similarly affected by alleged wrongdoing. Mr Lloyd relied, however, on a procedure of very long standing in England and Wales, and now embodied in rule 19.6 of the Civil Procedure Rules, which allows a claim to be brought by (or against) one or more persons as representatives of others who have the “same interest” in the claim. Mr Lloyd argued that the “same interest” requirement was satisfied in this case and that this representative procedure could be used to recover a uniform sum of damages for each person whose data protection rights had been infringed, without having to investigate their individual circumstances.

Giving the lead judgment, with which all the Justices agreed, Lord Leggatt analysed the history and scope of the representative procedure and endorsed the view, found in case law, that it is a “flexible tool of convenience in the administration of justice”. Further, he said, it is even more appropriate now due to the development of digital technologies which have greatly increased the potential for mass harm for which legal redress may be sought.

Lord Leggatt considered that the “same interest” requirement must be interpreted purposively and pragmatically in light of its rationale and the overriding objective of the CPR of dealing with cases justly. It is not a bar to a representative claim that each represented person has in law a separate cause of action nor that the relief claimed consists of or includes damages, he said. Damages might be claimed in a representative action if they could be calculated on a basis common to all persons represented. Alternatively, issues of liability might be decided in a representative action which could then form the basis for individual claims for compensation.

In this case a representative claim could have been brought to establish whether Google was in breach of the 1998 Act as a basis for pursuing individual claims for compensation. However, Mr Lloyd had not proposed such a two–stage procedure, doubtless because the proceedings would not be economic if it was necessary to prove loss on an individual basis. Instead, Mr Lloyd argued that a uniform sum of damages could be awarded to each member of the represented class without the need to prove any facts particular to that individual. In particular, he argued that compensation could be awarded under the 1998 Act for “loss of control” of personal data constituted by any non–trivial contravention by a data controller of any of the requirements of the Act.

Lord Leggatt rejected these arguments and concluded that the claim could not succeed for two reasons. First, the claim was founded solely on s 13 of the 1998 Act, which provides that “an individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage”. On the proper interpretation of this section the term “damage” referred to material damage (such as financial loss) or mental distress which is distinct from, and caused by, unlawful processing of personal data in contravention of the Act, and not to such unlawful processing itself. Secondly, it was on any view necessary, in order to recover compensation under s 13, to prove what unlawful processing by Google of personal data relating to a given individual had occurred.

The attempt to recover damages without proving either of these elements was therefore unsustainable. In these circumstances, the claim could not succeed and permission to serve the proceedings on Google outside the jurisdiction had rightly been refused by Warby J at first instance. The appeal was unanimously allowed, and the order made by Warby J was restored. (Lloyd v Google LLC [2021] UKSC 50 (10 November 2021) — to read the judgment in full, click here).