Class action data breach litigation under CPR 19.6 is given the green light by the Court of Appeal in Lloyd v Google

By Louise Lanzkron, Theo Cooper


The recent judgment by the English Court of Appeal in Lloyd v Google LLC [2019] EWCA Civ 1599, a large-scale data breach claim, provides helpful insight into the operation of CPR 19.6. CPR 19.6 allows individuals with the 'same interest' to be made a party to a claim in a representative capacity. Following the enactment of the Data Protection Act 2018 ('DPA'), these types of large-scale data breach claims are expected to increase dramatically but the operation of CPR 19.6, especially with regard to how the class with the 'same interest' is to be identified, and the pecuniary relief sought for each member of the class, has been a cause of concern. Lloyd v Google, although decided under the Data Protection Act 1988 rather than the DPA, is very helpful in determining whether the representative class in large-scale data breach actions has the 'same interest' and whether the class is readily identifiable in accordance with the criteria set out in CPR 19.6. 

Background to the appeal

The claim, seeking damages for breach of statutory duty, is brought by Richard Lloyd, an ex-director of consumer rights group Which?, on behalf of over 4 million UK  iPhone users (the 'Representative Class'). The so-called 'Safari Workaround' allowed Google to set a cookie on the users' devices  circumventing Safari's default settings which blocked third-party cookies, enabling Google to gather data on the timing, and sometimes location, of the users' activity on certain websites. This browser generated information ('BGI') was used to create customer interest groups which advertisers would pay Google to target their advertisements against specific audiences. 

At first instance, the Judge held that Lloyd could not serve the proceedings on Google in the US as the claim did not fall within a specified jurisdictional gateway under CPR PD6B. This was because the judge considered that the facts alleged by the claimant did not indicate that 'damage' had been suffered by the Representative Class within the meaning of s13 of the DPA [1]. Lloyd appealed.

The Court of Appeal considered three issues in allowing the appeal:

  • Issue 1 - Could a claimant recover damages for the type of breach alleged?
  • Issue 2 – Did members of the Representative Class have the same interest and were they identifiable under CPR 19.6?
  • Issue 3 – Is it open to an Appellate Court to exercise its discretion afresh in these circumstances?
Issue 1 - Could a claimant recover damages for the type of breach alleged?

In allowing the appeal, the Court of Appeal ruled that a loss of control of personal data alone could constitute damage for the purpose of the claim, even in the absence of pecuniary loss. The court considered that BGI had its own inherent economic value as it was capable of being sold, and that each claimant had lost the right of control over their own private BGI. The Court of Appeal accepted that the case of Gulati [2] was applicable by analogy to the facts before it. Although Gulati was a case about Misuse of Private Information ('MPI'), rather than a decision on the DPA, the Court accepted that both MPI and s.13 of the DPA emanate from the same core rights to privacy under European law. Gulati was authority  that damages for MPI are available without proof of pecuniary loss or distress, and therefore the Court said that "it would be wrong in principle if the Representative claimants' loss of control over BGI data could not, likewise, for the purposes of the DPA, also be compensated"[3] . The Court held that in the circumstances, this breach could constitute loss for the purpose of the DPA entitling the innocent party to compensation under s13 of the DPA.

Issue 2 - Did members of the Representative Class have the same interest under CPR 19.6?

Having established that the High Court was wrong to find that no damage arose from the  breach, the Court of Appeal reconsidered the ability of the claimants to form a representative group under CPR 19.6. The Court of Appeal held that the judge at first instance had interpreted the phrase 'same interest' too narrowly, as a result of his (incorrect) interpretation of lack of 'damage' for the purpose of the claim. The court accepted that the damage to each claimant was the loss of control of their BGI, taken by Google without their consent. This was a common loss originating from the same alleged wrong, taking place in the same circumstances and within the same period of time for each claimant. Sir Geoffrey Vos stated in his judgment: 

'… once the claim is understood in the way I have described, it is impossible to imagine that Google could raise any defence to one represented claimant that did not apply to all others. The wrong is the same, and the loss claimed is the same. The represented parties do, therefore, in the relevant sense have the same interest[4] .'

The court did acknowledge the possibility that individual claimants may, due to their own personal circumstances, have suffered particularly great loss or distress as a result of the breach. This would entitle the claimant to a greater sum than what would be available as a uniform award under a representative action. However, the court pointed out that the limitation period has now expired and 'represented claimants could, at least in theory, seek to be joined as parties if they wished to claim additional losses'. The court expressed that the purpose of the uniform sum was to account for the basic breach against every claimant for the loss of control of their personal data. 

Throughout consideration of the issue under CPR 19.6, the Court of Appeal referred back to well-established legal principles, citing case law from as early as 1901[5] . It is apparent from this judgment that the court considered this issue one of general principle and not a development or expansion of representative claims under English law. Along these lines, Sir Geoffrey Vos expressed: 

"It seems to me that allowing a representative action in a case of this kind is not so much an exception to the rule … but rather an application of the rule[6] ."  

Was the Representative Class identifiable?

In addressing whether the representative class was 'identifiable', the Court of Appeal held that the only requirement was whether any given person qualified for membership of the representative class because they had the same interest as Lloyd at all stages of proceedings. This was satisfied on the facts as Google held data relating to which users' BGI had been gathered. While there may be incidents of misremembering or attempts to abuse the categorisation, these are practical difficulties and do not make the representative class any less identifiable. The Court of Appeal emphasised that, according to case law, the number of claimants cannot impact the ability to use the representative action procedure.

Issue 3 – Is it open to the Appellate Court to exercise its discretion afresh?

Lastly the Court of Appeal considered the High Court's exercise of discretion in the circumstances. The Court of Appeal commented that the High Court was highly likely to have been influenced on this issue by its other findings, namely that the claimants have neither the same interest under CPR 19.6 nor a uniform actionable loss. On this basis the Court of Appeal decided to exercise its own discretion. As a representative action was the only way that these claims could be pursued, and that the action was proportionate to the widespread and repeated breaches of Google's obligations regarding user data, the claim was allowed to proceed.
Does this herald the start of a tidal wave of class action data breaches?

This decision gives clarity to the circumstances in which representative parties with the 'same interest' can bring an action under CPR 19.6, and its applicability to modern data breaches. It is particularly noteworthy that the Court of Appeal presented its decision as a natural application of existing legal principles. Up until this point it has been very difficult to show that claimants all have the 'same interest' under CPR 19.6. This decision will go some way to clarifying how claimants can create a class with the same interest to form a representative action, although at the time of writing, an application to appeal the judgment before the Supreme Court is pending, on which a decision is expected by February 2020.   

Commentators speculated that the arrival of the GDPR would result in a tidal wave of data privacy class actions, but as we wrote last year this is still to materialise in huge numbers . However, data breach claims are on the rise. In October the English High Court held that approximately 500,000 customers could bring a Group Litigation Order claim against British Airways under CPR 19.10. The claimants allege that British Airways allowed their personal and payment details to be fraudulently gathered by hackers in breach of the GDPR . As the use of personal data by businesses comes under greater scrutiny, and following the introduction of  the GDPR, it is likely that  the frequency of such class action type claims will  increase dramatically in future whether under CPR 19.6 or by way of a Group Litigation Order.

For further disputes related know-how Login or Register to Disputes+ Bird & Bird's dedicated DR know-how portal.


[1] S.13 of the DPA provides that an individual who suffers damage by a data controller by reason of any contravention of the requirements of the DPA is entitled to compensation for that damage from the data controller. The data controller here is Google.

[2] Gulati v. MGN Limited [2015] EWHC 1482 (Ch)

[3] Para 57 of the judgment

[4] Para 75 of the judgment

[5] The Duke of Bedford v. Ellis [1901] A.C. 1; Markt & Co v. Knight Steamship Company [1910] 2 K.B. 1021; Emerald Supplies Ltd. V. British Airways plc [2011] Ch 345 (among others)

[6] Para 78 of the judgment