Much anticipated UK ruling means no open floodgates for 'opt-out' data claims but scope left for two-stage actions
The UK Supreme Court has rejected a high-profile compensation claim against Google that could potentially have opened the floodgates for class actions for loss of control of personal data on behalf of large numbers of individuals without identifying class members. The dispute, which was backed by third-party funders, has been closely watched for its significance on the evolving fields of group consumer actions and data protection law.
In its unanimous judgment issued on 10 November, the Supreme Court overturned a previous Court of Appeal ruling to find that a claim for damages for the unlawful processing of data under the Data Protection Act 1998 (DPA) required proof of damage in the form of either material damage (such as financial loss) or mental distress. Such damage must be distinct from, and caused by, the unlawful processing. It could not be the unlawful processing itself.
In any event, to determine the quantum of any damages, the court would need to consider the extent of the unlawful processing in the individual case, including, for example, the relevant time period and the quantity and nature of the data processed. Without evidence as to individual circumstances, it would be impossible to conclude the damage was more than trivial, and therefore there would be no right to compensation.
For these reasons, the current attempt to bring an action for compensation on behalf of all those whose data was processed, without reliance on any individual circumstances of class members, was doomed to fail.
The lack of reliance on individual circumstances was because of the claimant’s desire to bring the claim using the representative action procedure under CPR 19.6. This allows an action to proceed on an “opt-out” basis, meaning that individual class members do not need to be identified, but those represented must share the “same interest” in the claim. The Supreme Court’s decision shows that it will not be possible to use this procedure to bring a data breach class action under section 13 DPA and obtain damages for the class as a whole on a uniform or tariff basis, without proof of individual circumstances.
Importantly, however, the decision suggests such claims could be brought using a “bifurcated process” in which the representative action procedure is used to determine common issues (such as whether there has been an actionable breach), leaving any individual issues to be dealt with subsequently. That could, in effect, introduce a half-way house between a fully “opt-out” claim and an “opt-in” procedure such as the group litigation order, since individual claimants would (presumably) only have to be identified once the common issues had been determined. (Indeed, the Supreme Court went so far as to comment that the initial “opt-out” representative claim would be sufficient to stop the limitation period running for subsequent members of the class bringing individual or group damages claims.) The question for claimants, and their funders, will be whether it is economically viable for claims to be brought on that basis.
The potential significance of a contrary finding by the Supreme Court, allowing such claims to proceed on a fully opt-out basis, is demonstrated by the facts of this case. The Supreme Court noted that, while the amount of damages recoverable per person would have been a matter for argument, the figure of £750 advanced by the claimant would have produced a damages award in the order of £3 billion, based on the purported represented class of 4 million people. The case turned on a group of iPhone users in England and Wales and how their data was collected and used in late 2011 and early 2012. Clearly, even a much lower damages figure would have resulted in a significant overall award.
The case was brought under the Data Protection Act 1998 (DPA), rather than the GDPR which superseded it (and which has been incorporated into UK law post-Brexit). While there may be read across to the current UK GDPR regime, Lord Leggatt specifically stated that he was not considering the later legislation (ie, the GDPR) and this could potentially leave the door open for future loss of control claims under the GDPR. The compensation regime under that legislation expressly refers to compensation being available in relation not only to material damages but also “non-material damages”. Further, the recitals specifically reference loss of control over personal data as an example of possible damage resulting from a personal data breach. As this language was not considered in the Supreme Court’s judgment, this could be a battle ground for future claims.
Clients and contacts of Herbert Smith Freehills are invited to join us for two webinars in which our experts on privacy, data security, litigation, class actions and insurance will discuss the judgment and what it means for commercial parties: the first at 4pm, today (10 November) to give a first response to the decision and take questions; and the second at 9am next Wednesday (17 November) to pick up on the broader impacts of the judgment.
Click here for an in-depth briefing on the ruling and its background on our litigation blog