Court Of Appeal Finds Claim For Damages For Loss Of Control Of Data Can Proceed As Representative Action Under CPR 19.6

The Court of Appeal has held that an action for alleged data breaches using the CPR 19.6 representative action procedure can go ahead, overturning the High Court's decision which had refused permission to serve the proceedings on the defendant in the US: Lloyd v Google LLC [2019] EWCA Civ 1599.

The decision is significant in finding that damages can be awarded to compensate for an individual's loss of control of personal data, without the need to establish financial loss or distress. That is contrary to the High Court's decision, which had found that the damage had to be something separate to, and caused by, the infringement. Although the case is brought under the Data Protection Act 1998 (“DPA”), rather than the GDPR which has superseded it, it seems likely that a similar approach will apply to claims under the GDPR.

The decision is also of interest in establishing that claims for data breaches may be able to proceed on what is effectively an “opt-out” basis under the CPR 19.6 representative action procedure, instead of requiring claimants to use the group litigation order (or “GLO”) procedure. Unlike a GLO, which requires individual claimants to take steps to join the group action, there is no need under CPR 19.6 for the represented class to be joined as parties to the action or even to be identified on an individual basis. That means it is very much easier to get a financially viable claim off the ground.

It should not be assumed, however, that this decision will lead to a flood of mass damages claims being brought using the CPR 19.6 representative action procedure. The decision leaves intact the strict “same interest” requirement, which means that the procedure cannot be used where class members' losses must be determined individually, or where there may be different defences to the claims. That requirement is very unlikely to be met for most causes of action, where there is likely to be some variation between individual claimants' circumstances. Even in claims for data breaches, it is implicit in the decision that the CPR 19.6 procedure could not have been used if the claimants were seeking damages for financial loss or distress, as these will vary depending on personal circumstances.

Julian Copeman, Harry Edwards, Miriam Everett and Maura McIntosh consider the decision further below.

Background

Richard Lloyd, a former executive director of the UK Consumers' Association, has brought the present claim against the defendant Delaware-resident corporation on behalf of a class of more than four million UK-resident iPhone users. The claim alleges that the defendant secretly tracked some of their internet...