On November 10, the United Kingdom (U.K.) Supreme Court issued a decision in Lloyd v. Google LLC, UKSC2019/0213 (Supreme Court of the United Kingdom), recognizing that the loss of control of personal data by consumers alone is insufficient to establish damages to enable a claimant to show he had the "same interest" in a claim to pursue a representative action on behalf of 4.4 million Google users who allegedly had their internet activity tracked without their knowledge or consent. In other words, the Court found that each member of the proposed class would need to prove his/her individual damages, thus precluding the use of a representative action. In this regard, the U.K. Supreme Court's rejection of the claimant's loss of control of data damage theory is analogous to similar theories that U.S. district courts have rejected as insufficient to satisfy the predominance requirement to certify a class under Fed. R. Civ. P. 23(b)(3). See e.g., McGlenn v. Driveline Retail Merch., Inc., No. 18-cv-2097, 2021 U.S. Dist. LEXIS 9532, *29-30 (C.D. Ill. Jan. 19, 2021) (finding the plaintiff has not satisfied the predominance requirement under Rule 23(b)(3) because there was insufficient evidence that a number of individuals suffered a compensable injury); Fero v. Excellus Health Plan, Inc., 502 F. Supp. 3d 724, 744 (W.D.N.Y. 2020) (finding no predominance where the “[p]laintiffs have failed to offer any classwide theory as to how any alleged misrepresentations and/or omissions by BCBSA caused any injury to [the] [p]laintiffs").
In Lloyd, consumer activist Richard Lloyd, with the financial backing of the commercial litigation funder Therium Litigation Funding, IC, alleged that from June 2011 through February 2012, Google bypassed iPhone users' default privacy settings and collected their web browsing data without consent in violation of DPA 1998 Section 4.4.  Mr. Lloyd sought to recover damages on his own behalf and as a representative of every iPhone user in England and Wales, totaling approximately 4.4 million people.
Recognizing that U.K. law does not allow class-action litigation in the field of data privacy matters, Mr. Lloyd tried to pursue a representative action on behalf of all iPhone users from Wales. Specifically, Mr. Lloyd invoked Rule 19.6 of the U.K. Civil Procedure Rules (CPR 19.6), which permits an individual to pursue a claim on behalf of one or more persons who have the same interest. Mr. Lloyd contended, among other things, that the same interest requirement under CPR 19.6 was present because damages under DPA 1998 could be award on a uniform basis for loss of control of personal data without the need to investigate any circumstances particular to any individual. Mr. Lloyd argued that compensation of the sum of £750 to each class member was the appropriate compensation and therefore sought a judgment of just over £3 billion for the loss of control of data.
To pursue his claims against Google, a Delaware corporation, U.K. law first required Mr. Lloyd to seek the court's permission to serve Google with the lawsuit. Google opposed Mr. Lloyd's application on the basis that the lawsuit had no real likelihood of success, and therefore, permission should be denied. First, Google argued that uniform damages were not available because DPA 1998 required a finding of each individual's direct damages from the breach. Second, Google argued that because DPA 1998 required a finding of each individual's direct damages from the breach, the members of the class and Mr. Lloyd could not share the "same interest" in their claims against Google under CPR 19.6 to proceed on a representative basis. Google prevailed on both of its arguments in The High Court of Justice Queen's Bench Division, but it had both of its argument rejected upon review by the Court of Appeal. The matter was then taken on appeal to the U.K. Supreme Court.
The Supreme Court's Decision
In its decision, the U.K. Supreme Court reviewed the history of CPR 19.6 and focused on "the same interest" element of the representative claim. The Court held that while CPR Rule 19.6 could be used to determine if each individual in the class had suffered loss of control of personal data, it could not be used to award damages to each of the individuals. The Court stated that if the matter was bifurcated, the representative model could be used to determine that each class member's rights under DPA 1998 were violated, but it could not be used to award damages for the violation. The Court noted that Mr. Lloyd did not request this bifurcation model, commenting that this likely occurred because it would not generate a financial return for Mr. Lloyd and his financial backer.
The Court then examined Section 13 of DPA 1998 and held that individuals are only entitled to damages under the act if they can show they suffered damages as a direct result of the violation. The Court stated that DPA 1998 required "proof of material damage or distress" by each individual for the individual to recover under the act. The Court held that because individual showings of damages were required, Mr. Lloyd's attempt to pursue the claims on a representative basis failed.
As summarized by the Court, Mr. Lloyd's arguments failed because "the Claimant (Mr. Lloyd) [sought] damages under section 13 of the DPA 1998 for each individual member of the represented class without attempting to show that any wrongful use was made by Google of personal data relating to that individual or that the individual suffered any material damage or distress as a result of a breach."
Lloyd's recognition that damages under DPA 1998 can only be awarded when an individual has suffered distinct harm is consistent with other European jurisdictions that require evidence of specific damages or emotional distress to pursue a claim under DPA 1998. It also is analogous to U.S. courts' recognition that class treatment in a security incident case can be defeated where there are questions on whether a number of plaintiffs have suffered any compensable injury.
Indeed, Lloyd reaffirmed that class-action litigation seeking to assert data privacy rights is unlikely to succeed in the U.K. While the Lloyd Court's holding did not bar the representative model altogether, it did remove the economic incentive in pursuing claims on such a basis when direct damages are nonexistent or difficult to establish in a uniform manner.
Of course, it is possible that the Lloyd decision could spur the U.K. Parliament to pass a class-action litigation regime for data privacy rights. The Lloyd Court's holding recognizes that such a regime, as currently exists for competition law, could be enacted by legislation. It also could spur greater regulatory action by the ICO in matters where there are DPA 1998 or GDPR violations, but no distinct damages. If Parliament passes legislation or the ICO is motivated to initiate more regulatory actions, it could eliminate the security that the Lloyd decision currently provides to businesses.
 The DPA 1998 was replaced by the U.K. General Data Protection Regulation (GDPR), as supplemented by the Data Protection Act of 2018.