Lloyd v Google LLC

JurisdictionEngland & Wales
JudgeLord Leggatt,Lord Reed,Lady Arden,Lord Sales,Lord Burrows
Judgment Date10 November 2021
Neutral Citation[2021] UKSC 50
CourtSupreme Court
Year2021
Lloyd
(Respondent)
and
Google LLC
(Appellant)

[2021] UKSC 50

before

Lord Reed, President

Lady Arden

Lord Sales

Lord Leggatt

Lord Burrows

Supreme Court

Michaelmas Term

On appeal from: [2019] EWCA Civ 1599

Appellant

Antony White QC

Edward Craven

(Instructed by Pinsent Masons LLP (London))

Respondent

Hugh Tomlinson QC

Oliver Campbell QC

Victoria Wakefield QC

(Instructed by Milberg London LLP)

1st Intervener (Information Commissioner)

Gerry Facenna QC

Nikolaus Grubeck

(Instructed by Information Commissioner's Office)

2nd Intervener (Open Rights Group) (written submissions only)

Robert Palmer QC

Julianne Kerr Morrison

(Instructed by AWO)

3rd Intervener (Association of the British Pharmaceutical Industry and Association of British HealthTech Industries (ABPI and ABHI)) (written submissions only)

Lord Anderson of Ipswich KBE QC

Robin Hopkins

Rupert Paines

(Instructed by CMS Cameron McKenna Nabarro Olswang LLP (London))

4th Intervener (Liberty, Coram Children's Legal Centre and Inclusion London) (written submissions only)

Dan Squires QC

Aidan Wills

Tim James-Matthews

(Instructed by Liberty, Coram Children's Legal Centre and Deighton Pierce Glynn)

5th Intervener (Internet Association) (written submissions only)

Christopher Knight

(Instructed by Linklaters LLP (London))

6th Intervener (TECHUK Ltd (trading as techUK)) (written submissions only)

Catrin Evans QC

Ian Helme

(Instructed by RPC LLP (London))

Heard on 28 and 29 April 2021

Lord Leggatt

( with whom Lord Reed, Lady Arden, Lord Sales and Lord Burrows agree)

A. INTRODUCTION
1

Mr Richard Lloyd — with financial backing from Therium Litigation Funding IC, a commercial litigation funder — has issued a claim against Google LLC, alleging breach of its duties as a data controller under section 4(4) of the Data Protection Act 1998 (“the DPA 1998”). The claim alleges that, for several months in late 2011 and early 2012, Google secretly tracked the internet activity of millions of Apple iPhone users and used the data collected in this way for commercial purposes without the users' knowledge or consent.

2

The factual allegation is not new. In August 2012, Google agreed to pay a civil penalty of US$22.5m to settle charges brought by the United States Federal Trade Commission based upon the allegation. In November 2013, Google agreed to pay US$17m to settle consumer-based actions brought against it in the United States. In England and Wales, three individuals sued Google in June 2013 making the same allegation and claiming compensation under the DPA 1998 and at common law for misuse of private information: see Vidal-Hall v Google Inc (Information Comr intervening) [2015] EWCA Civ 311; [2016] QB 1003. Following a dispute over jurisdiction, their claims were settled before Google had served a defence. What is new about the present action is that Mr Lloyd is not just claiming damages in his own right, as the three claimants did in Vidal-Hall. He claims to represent everyone resident in England and Wales who owned an Apple iPhone at the relevant time and whose data were obtained by Google without their consent, and to be entitled to recover damages on behalf of all these people. It is estimated that they number more than 4m.

3

Class actions, in which a single person is permitted to bring a claim and obtain redress on behalf of a class of people who have been affected in a similar way by alleged wrongdoing, have long been possible in the United States and, more recently, in Canada and Australia. Whether legislation to establish a class action regime should be enacted in the UK has been much discussed. In 2009, the Government rejected a recommendation from the Civil Justice Council to introduce a generic class action regime applicable to all types of claim, preferring a “sector based approach”. This was for two reasons:

“Firstly, there are potential structural differences between the sectors which will require different consideration. … Secondly, it will be necessary to undertake a full assessment of the likely economic and other impacts before implementing any reform.”

See the Government's Response to the Civil Justice Council's Report: “Improving Access to Justice through Collective Actions” (2008), paras 12–13.

4

Since then, the only sector for which such a regime has so far been enacted is that of competition law. Parliament has not legislated to establish a class action regime in the field of data protection.

5

Mr Lloyd has sought to overcome this difficulty by what the Court of Appeal in this case described as “an unusual and innovative use of the representative procedure” in rule 19.6 of the Civil Procedure Rules: see [2019] EWCA Civ 1599; [2020] QB 747, para 7. This is a procedure of very long standing in England and Wales whereby a claim can be brought by (or against) one or more persons as representatives of others who have “the same interest” in the claim. Mr Lloyd accepts that he could not use this procedure to claim compensation on behalf of other iPhone users if the compensation recoverable by each user would have to be individually assessed. But he contends that such individual assessment is unnecessary. He argues that, as a matter of law, compensation can be awarded under the DPA 1998 for “loss of control” of personal data without the need to prove that the claimant suffered any financial loss or mental distress as a result of the breach. Mr Lloyd further argues that a “uniform sum” of damages can properly be awarded in relation to each person whose data protection rights have been infringed without the need to investigate any circumstances particular to their individual case. The amount of damages recoverable per person would be a matter for argument, but a figure of £750 was advanced in a letter of claim. Multiplied by the number of people whom Mr Lloyd claims to represent, this would produce an award of damages of the order of £3 billion.

6

Because Google is a Delaware corporation, the claimant needs the court's permission to serve the claim form on Google outside the jurisdiction. The application for permission has been contested by Google on the grounds that the claim has no real prospect of success as: (1) damages cannot be awarded under the DPA 1998 for “loss of control” of data without proof that it caused financial damage or distress; and (2) the claim in any event is not suitable to proceed as a representative action. In the High Court Warby J decided both issues in Google's favour and therefore refused permission to serve the proceedings on Google: see [2018] EWHC 2599 (QB); [2019] 1 WLR 1265. The Court of Appeal reversed that decision, for reasons given in a judgment of the Chancellor, Sir Geoffrey Vos, with which Davis LJ and Dame Victoria Sharp agreed: [2019] EWCA Civ 1599; [2020] QB 747.

7

On this further appeal, because of the potential ramifications of the issues raised, as well as hearing the claimant and Google, the court has received written and oral submissions from the Information Commissioner and written submissions from five further interested parties.

8

In this judgment I will first summarise the facts alleged and the relevant legal framework for data protection before considering the different methods currently available in English procedural law for claiming collective redress and, in particular, the representative procedure which the claimant is seeking to use. Whether that procedure is capable of being used in this case critically depends, as the claimant accepts, on whether compensation for the alleged breaches of data protection law would need to be individually assessed. I will then consider the claimant's arguments that individual assessment is unnecessary. For the reasons given in detail below, those arguments cannot in my view withstand scrutiny. In order to recover compensation under the DPA 1998 for any given individual, it would be necessary to show both that Google made some unlawful use of personal data relating to that individual and that the individual suffered some damage as a result. The claimant's attempt to recover compensation under the Act without proving either matter in any individual case is therefore doomed to fail.

B. FACTUAL BACKGROUND
9

The relevant events took place between 9 August 2011 and 15 February 2012 and involved the alleged use by Google of what has been called the “Safari workaround” to bypass privacy settings on Apple iPhones.

10

Safari is an internet browser developed by Apple and installed on its iPhones. At the relevant time, unlike most other internet browsers, all relevant versions of Safari were set by default to block third party cookies. A “cookie” is a small block of data that is placed on a device when the user visits a website. A “third party cookie” is a cookie placed on the device not by the website visited by the user but by a third party whose content is included on that website. Third party cookies are often used to gather information about internet use, and in particular web pages visited over time, to enable the delivery to the user of advertisements tailored to interests inferred from the user's browsing history.

11

Google had a cookie known as the “DoubleClick Ad cookie” which could operate as a third party cookie. It would be placed on a device if the user visited a website that included DoubleClick Ad content. The DoubleClick Ad cookie enabled Google to identify visits by the device to any website displaying an advertisement from its vast advertising network and to collect considerable amounts of information. It could tell the date and time of any visit to a given website, how long the user spent there, which pages were visited for how long, and what advertisements were viewed for how long. In some cases, by means of the IP address of the browser, the user's approximate geographical location could be identified.

12

Although the default...

To continue reading

Request your trial
39 cases
  • Andrew Prismall v Google UK Ltd
    • United Kingdom
    • King's Bench Division
    • 19 May 2023
    ...approach is permissible in principle (which was not accepted) it does not avail the Representative Claimant. As in Lloyd v Google LLC [2022] AC 1217 (“ Lloyd”), the Representative Claimant is unable to circumvent the requirement for individualised assessment by relying on the lowest common ......
  • Isma Ali v The Chief Constable of Bedfordshire Police
    • United Kingdom
    • King's Bench Division
    • 25 April 2023
    ...claim under the GDPR separate from the claims for misuse of private information and breach of confidence. The claim under the GDPR 46 In Lloyd v Google [2021] UKSC 50, [2022] 1 WLR 1217, at [138], Lord Leggatt (with whom the other members of the Court agreed) held that there is no right, w......
  • Donatas Labeikis and Others v The Commissioners for HM Revenue & Customs
    • United Kingdom
    • Queen's Bench Division
    • 19 November 2021
    ...think that it adds much, if anything, to his other submissions. 121 Mr Kamal has also drawn my attention to the very recent decision of Lloyd v Google [2021] UKSC 50, where in representative action litigation, at paragraphs 80 to 83 in the Supreme Court, contemplated that one could have a ......
  • TVZ v Manchester City Football Club Ltd
    • United Kingdom
    • Queen's Bench Division
    • 10 January 2022
    ...Ltd [2015] EWHC 1482 (Ch) [2016] FSR 12 per Mann J at [144] and [2015] EWCA Civ 1291 [2017] QB 149 per Arden LJ at [45]–[46], and Lloyd v Google LLC [2021] UKSC 50 [2021] 3 WLR 1268 per Lord Leggatt JSC at [104]–[105]. It is not easy to see why the law should afford less protection to ......
  • Request a trial to view additional results
39 firm's commentaries
6 books & journal articles
  • Table of cases
    • Canada
    • Irwin Books The Law of Equitable Remedies - Third edition
    • 18 November 2023
    ...164, 165–66 Liu v Hamptons Golf Course Ltd, 2017 ABCA 303 ......................................71, 291 Lloyd v Google LLC, [2021] UKSC 50 ............................................................... 645 LM v DB, 2020 NSSC 189 ...................................................................
  • Data Matters: Data Protection Issues
    • Ireland
    • Irish Judicial Studies Journal No. 2-22, July 2022
    • 1 July 2022
    ...1 June 2022. 27 GDPR Hub, ‘RvS - 201905087/1/A2’ (15 September 2020) Accessed 1 June 2022. 28 [2013] EWCA Civ 333. 29 ibid [36]. 30 [2021] UKSC 50. [2022] Irish Judicial Studies Journal Vol 6(2) 53 IRISH JUDICIAL STUDIES JOURNAL 53 ‘a situation arises whereby any modest damages award is onl......
  • Equitable Damages
    • Canada
    • Irwin Books The Law of Equitable Remedies - Third edition
    • 18 November 2023
    ...Another ” (2019) 82 Modern Law Review 367. 108 However, this argument has been rejected by the UK Supreme Court in Lloyd v Google LLC , [2021] UKSC 50 at paras 131 and 159. 109 One Step , above note 9 at para 109. THE LAW OF EQUITABLE REMEDIES 646 infringement of property by trespass or con......
  • Confidential Information and Data Protection
    • Singapore
    • Singapore Academy of Law Annual Review No. 2021, December 2021
    • 1 December 2021
    ...EWCA Civ 1599, which was relied upon by Reed on this point, has now been overturned by the UK Supreme Court: see Lloyd v Google LLC [2021] UKSC 50. 91 Alex Bellingham v Michael Reed [2021] SGHC 125 at [76] 92 Alex Bellingham v Michael Reed [2021] SGHC 125 at [53]. 93 Alex Bellingham v Micha......
  • Request a trial to view additional results

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT