In Lloyd v Google [2021] UKSC 50 the Supreme Court was faced with a case alleging breach of millions of people’s data rights by Google. The Claimant, on behalf of all individuals affected, sought damages flowing from such breach. The damages, when added together, were said to be in the order of £3 billion.

To risk oversimplification, the nub of the case was that an advertising cookie was placed on the Safari browser of iPhone users in 2011 and 2012 without their knowledge or consent. This allowed Google to sell their browsing data for significant commercial gain to advertisers. The number of such users was claimed to be around 4 million.

Mr Lloyd claimed to represent those millions of iPhone users, in a type of case known as a “representative action”. This is where an individual sues on behalf of a class of people whose rights have been alleged to be infringed in the same way. The specific breach alleged was that of section 13 of the Data Protection Act 1998. For these purposes I do not need to reproduce it, not least because this scheme has been replaced by the GDPR and so the relevance of its detail is historic only. Nonetheless, the court made important observations in relation to how individuals affected by breaches of their personal data may seek redress. This case therefore has both a representative actions side to it and a data protection/privacy side to it.

Representative actions

The possibility of one litigant representing millions to sue an organisation for possibly billions of pounds is, needless to say, a matter of importance to those selling, operating, or putting their hardware or software into AEVs.

The main requirement for a representative action to go ahead is that all individuals within the represented group have “the same interest” in the litigation. Lord Leggatt, giving the unanimous verdict of the Court, concluded after much discussion that this meant that individuals within the group could not have conflicting interests by reference to the litigation itself. However, they could have interests among themselves which diverge, so long as that does not get as far as there being any conflict of interest. For example, individuals seeking to establish liability against a fraudulent director who diverge on how any such damages should be awarded amongst themselves may form a class for the purposes of a representative action against the director so long as that action does not extend to assessing how to divide the proceeds between the separate claimants.

The Supreme Court particularly noted that the representative procedure need not be “opt-in”. That is, a person can claim to represent millions, even if they have no idea that they are being represented. However, because the representative procedure is flexible, it is always open to a judge to require the procedure to be opt-in, or to impose a requirement to notify members of the class of the proceedings and establish a simple procedure for opting out of representation.

Importantly for AEVs which are due to be rolled out to millions of people within the UK, Lord Leggatt observed that key objectives such deciding cases fairly and expeditiously, and saving time and expense, are likely to militate in favour of allowing a claim, when practicable, to be continued as a representative action rather than leaving members of the class to pursue claims individually.

Such guidance is likely to encourage the use of the representative procedure. The Supreme Court itself gave the example of a notional product liability case where thousands of products have the same defect, which has reduced the products’ value by the same amount, as being suitable for the representative procedure. There should therefore be no doubt that where there is a breach affecting a number of AEVs, it will often be deemed appropriate for a party claiming to represent the thousands or millions of affected AEV users to carry on a case on their behalf.

There is, however, one main limitation to the use of the representative procedure. This limitation doomed Mr Lloyd’s case. The award of damages in relation to each individual case must not require individualised assessment. For example, a claim for distress requires individualised assessment of the severity of the data breach and therefore how much distress it caused. The Supreme Court rejected the Claimant’s submission that a minimum value could be set to any given data breach. In short, this is why the Claimant lost. I should note that courts are very likely to interpret the equivalent provision in the GDPR (Article 82) the same way. This is because Article 82 appears equivalent in its material respects to Article 13 of the Data Protection Directive. It therefore would appear very difficult – but not impossible, as I will go on to argue – for claims in future based on data breaches to be made for damages using the representative procedure.

Protection of personal data and privacy, including in relation to AEVs: options for future claims

The Supreme Court made several comments about how an individual may claim damages in a case such as this for the loss of control of their data. One option is for individuals to make separate claims on the basis of distress suffered as a result of breach of data protection laws. An alternative, which Lord Leggatt canvassed even though this had not been claimed, was the tort of misuse of private information.

The essence of this tort is where information over which an individual has a reasonable expectation of privacy has been used in such a way as to infringe that individual’s right to privacy. The collection and use (including for profit) of private browsing histories, as well as numerous other instances of data breaches, would fall under this definition in principle.

It had already been established that in appropriate cases damages for misuse of private information – unlike in data protection, as the Supreme Court in Lloyd decided – may be awarded without the requirement of proving distress or financial loss. In addition to the established categories of loss, Lord Leggatt considered that “user damages” may be awardable in misuse of private information cases.

User damages may be awarded to compensate a claimant for interference with their right to control the use of property where the right is a commercially valuable asset. The Supreme Court considered that personal data, in the context of commercial selling of such data to advertisers, would naturally lend itself to an award of user damages. User damages are to be assessed by estimating what a reasonable person would have paid for the right to use the data. Accordingly, this Supreme Court decision adds a potentially valuable head of loss to all such future claims where profit is made out of the breach of an individual’s data rights. It is easy to see the relevance of this to AEVs.

Of course, in cases occurring in the GDPR era, a company would not only need to think about cases being brought against them in relation to data breaches. This is because the provision is made in the GDPR for hefty administrative fines by the ICO: £17.5 million or 4% of annual global turnover, whichever is greater.

A possibility for the representative procedure to be used in future data protection/privacy cases?

The reason why the representative procedure may have been considered by the Claimant in Lloyd as unsuitable for cases of misuse of private information, Lord Leggatt conjectured, was because there would be a need to establish the reasonable expectation of privacy in each individual case.

However, it is not clear to me why a class could not be defined appropriately so that a court could say of all members of that class that they by definition had a reasonable expectation of privacy over the data that had been misused. One example might be if the class were to be defined as individuals whose sensitive personal data had been wrongly processed. The therefore may still be life in the prospect of representative actions being brought in the field of personal data, including in relation to AEVs.


From the perspective of companies selling or operating AEVs, Lloyd v Google represents a benchmark case in both fields of representative actions and data protection. In short, the following relevant points emerge from the Supreme Court’s judgment:

1. It will very often be deemed appropriate for one representative to sue on behalf of a class of thousands or millions, including those who have not opted into the litigation (“the representative procedure”). This is because key objectives, such as deciding cases expeditiously and fairly, and saving time and expense, will often militate in favour of using the representative procedure. This guidance is likely to encourage its use in the future;

2. There will be significant difficulties, however, for such a procedure to be used following a breach of data protection. The key point which Lloyd v Google established is that there is no right to compensation without proof of material damage or distress when a data controller breaches an individual’s data rights. This stymied the Claimant’s attempt to use the representative procedure, for which there is a requirement that damages need not be individually assessed. While this case was decided under the previous data protection regime, it is likely that the same approach would be taken to cases under the GDPR.

3. Misuse of private information may apply to data breaches: the Supreme Court’s decision in Lloyd v Google establishes that “user damages”, namely damages reflecting the notional price that a reasonable individual would pay to use such data, can be claimed on top of damages for distress or in the absence of such, the breach of privacy itself, and any financial loss suffered. It remains to be seen whether this will considerably increase the value of claims under this head for relevant data breaches.

Paul Erdunast

Image by www_slon_pics from Pixabay

You may also like...