Member Article

We consider the first post Lloyd v Google decision considering loss of control damages under the GDPR and Data Protection Act 2018 and its implications for the future of data and privacy litigation.

It suddenly became much more difficult to bring collective privacy claims in England in November last year when Google succeeded in the Lloyd v Google litigation before the UK Supreme Court. In Lloyd, the Court held that a collective claim brought on behalf of Safari browser users claiming damages for loss of control of their data as a result of Google’s “Safari workaround” failed because (1) damages for loss of control per se were not recoverable under the Data Protection Act 1998 (DPA 1998 – the UK data protection legislation in force at the relevant time) and (2) a collective action could not proceed because in the absence of a loss of control claim and damages suffered by individual claimants would be for different amounts making the claim unsuitable for a class action.

Claimant privacy lawyers have been looking for alternative basis for bringing claims since Lloyd and once of the arguments which has been developed is that the position is different for post-GDPR claims brought under the Data Protection Act 2018 (DPA 2018) and the General Data Protection Regulation (GDPR, now UK GDPR). This argument has been considered by the High Court for the first time in SMO (A Child) v TikTok Inc & Ors¹.

Tiktok is a pre-Lloyd decision collective claim brought by the former Children’s Commissioner for England, Anne Longfield, on behalf of all children in the UK and the EEA that used the TikTok app after May 2018. It claims damages for breach of the DPA 2018 and misuse of private information arising from TikTok’s alleged misuse of children’s data without parental consent.

As in the Lloyd claim, the claimants in TikTok had to apply for leave to serve various TikTok entities out of the jurisdiction and one of the factors the Court had to decide when considering the application was whether the claimants could demonstrate that there was a “serious issue to be tried on the merits” (a test which, as the Court confirmed, is materially the same test as that for Summary Judgement – which is “whether there is a real (as opposed to fanciful) prospect of success”).

Lloyd had ultimately been dismissed at this stage on the basis that the claimants’ loss of control claim did have a realistic prospect of success. The court in TikTok was less sure.

The claimants’ argument

Whilst the provisions are superficially similar, the claimants argued that the remedy under Art 82(1) of the GDPR was materially different from the claim under s.13 of the DPA 1998 considered in Lloyd due to the GDPR’s express acknowledgement that individuals could recover damages for “non-material damage” and language in Recitals 7, 75 and 85 of GDPR. In particular, Recital 85 of GDPR can be read as referring to “loss of control” of data being a form of damage which might result from a data breach.

With regard to the difficulties in showing that the class members had suffered the same loss, the claimants argued that their situation was different because it involved data regarding their actual use of TikTok and that, if they were forced to proceed on the basis of a loss of control claim alone, the damage suffered was more serious.

Judgement

Nicklin J found that there was a serious issue to be tried. However he reached this conclusion with considerable caution, relying primarily on the fact that he had only heard submissions from the claimant on the issue (whilst the UK-based TikTok entity had already been served and was represented at the hearing, it offered no evidence on behalf of the other defendants) and that to reach an alternative conclusion, he would effectively have had to make the defendants’ case for them.

Comment

Claimant lawyers will no doubt now argue that this decision reopens the possibility of loss of control claims post Lloyd. However it is difficult to place much reliance on Nicklin J’s judgement given the lack of argument on the defendants’ behalf and the greater significance of the decision is that it illustrates how arguments distinguishing Lloyd might be run in practice. That said, the defendants will now seek summary judgement at some point between May and July 2022, so there may not be a long wait for a more conclusive decision on this point.

In the meantime, the author’s view on the issues in the case are:

• The Supreme Court deliberately declined to address the position under the GDPR and DPA 2018 in Lloyd and the argument about the recitals was an obvious one flagged up by the author and other commentators when the decision was handed down. Given the continued proliferation of data claims, this is clearly an important issue which should be decided by the Courts.
• The author’s view is that the rights to compensation under the DPA 1998 and DPA 2018 are closely analogous (particularly given the recognition that distress only damages were in fact recoverable under the DPA 1998 in Google v Vidal Hall prior to the coming into force of GDPR) and it is difficult to argue that a right to claim damages for loss of control can be inferred from a recital, which is itself open to interpretation.
• Even if this point was resolved in favour of the claimants, it is difficult to see how a representative claim could proceed in its current form, given the requirement that claimants in collective claims suffered the same loss. Children will have spent different amounts of time using the platform and would have had different browsing activities, with the result that the amount of data they generated differed so, on the face of it, it seems they would have suffered different loss.
• However, the argument that, even if the claimants’ have not all suffered the same loss, the claim should proceed because they all a have “lowest common denominator” claim for loss of control may be more attractive than the similar argument in Lloyd given the stricter approach to the handling of children’s data.

So the possibility of collective privacy claims on the Lloyd v Google model lives on for the time being. In the meantime, it is clear that a number of claimant firms are exploring pursuing collective claims via Group Litigation Orders and/or two stage collective claims, in which they seek to establish liability on a collective basis with quantum issues to be determined at a later stage.

If none of these methods of seeking redress get off the ground it seems likely that pressure will build on the Information Commissioner's Office (ICO) to take more rigorous enforcement action against tech companies’ use of customer data. Whilst it is clearly undesirable that technical or inadvertent breaches of data protection law should automatically result in widespread data subject class actions (which would have been an implication of Lloyd going against Google), there is a clear public interest that some form of sanction against tech companies which misuse personal data at scale, which the regulator must address if the courts are unable to.

¹[2022] EWHC 489