Data disputes: the scope for class actions

Direct link

Copy URL

Share on

Introduction

Collective proceedings before the UK’s specialist Competition Appeal Tribunal (CAT) are now worth a combined total of £160bn, it was reported earlier this year [1] – a phenomenal increase from the reported figure of £4bn in 2021. [2]

Many of these are claims against large technology companies. They include, for example, a £1.5bn claim against Apple in relation to its app store (Kent v Apple) [3], and a £13.6bn claim against Google in relation to its conduct in the advertising technology market (Ad Tech Collective Action LLP v Alphabet Inc.) [4].

Despite those developments, and despite the continued application of the General Data Protection Regulation in the UK (now as the ‘UK GDPR’), the explosion in competition litigation against big technology companies has not been matched by any similar increase in large-scale data protection litigation.

This absence is notable when viewed in a global context. In the US, for example, privacy claims are one of the fastest growing areas for class actions [5]. Recent examples include collective litigation accusing Apple of privacy violations over its voice-activated Siri software (recently the subject of a proposed $95 million settlement [6]) and a long-running action against Google and YouTube which raises allegations of alleged privacy violations, unjust enrichment, and violations of consumer protection laws in relation to the collection of children’s personal data [7].

This article explores the ways in which UK class actions in relation to data disputes have chafed against the procedural restrictions which apply to class actions under UK law and explores the possibility of such claims being brought into the fold of the rapidly growing UK competition class action scene.

Data protection and group claims

UK data protection law has long prohibited various forms of mishandling, unlawful accessing, and exploitation of personal information; and there have been various efforts to bring collective proceedings for such violations. The 2020 Supreme Court case of Morrisons v Various Claimants [8] stemmed from a data breach in 2013, when a disgruntled Morrisons employee downloaded payroll data relating to around 100,000 colleagues to a personal device, later posting it online and distributing it to the media. Following a criminal conviction, more than 5,000 of the affected Morrisons staff members issued proceedings against the company, alleging vicarious liability for statutory duties under the (since repealed) Data Protection Act 1998. The headline conclusion was that vicarious liability was not made out on the facts. But the case did demonstrate the possibility of a group litigation order (GLO) under Part 19 of the Civil Procedure Rules (CPR) being deployed for a mass data protection claim.

Group litigation orders

A GLO is an order which provides for the case management of “claims which give rise to common or related issues of fact or law” (CPR 19.21) – a relatively broad definition, by virtue of the words “common or related”. The limitation of the GLO from the perspective of a would-be class action representative (or funder) is that they are ‘opt-in’: claimants must take active steps to become part of the litigation. The same is true of cases in which multiple claimants use a single claim form or are individually added to a claim.

A requirement that affirmative steps be taken by every claimant may be a surmountable hurdle where the group is comprised of several thousand employees, all of whom have some connection with one another. Less so, however, when the potential class is comprised of tens of millions of strangers. Given that data protection claims may be worth no more than a few hundred pounds per claimant (or less), significant funder returns are unlikely to be realised under an ‘opt-in’ mechanism.

Representative actions

The attention of data protection litigants has therefore focused instead on an alternative type of CPR procedure: the representative action. This form of action requires no affirmative steps to be taken by group members – it is ‘opt-out’. The sticking point is that the test for a representative action is much more stringent than the GLO requirement of “common or related issues”. For a representative action under CPR 19.8, every member of the represented group must share the “same interest” in the claim.

At first blush, one might expect individuals affected by the same data breach, or by the same data protection infringement, to have the “same interest” in a claim. The English courts, however, have found otherwise – and in doing so, have dealt severe blows to group data litigation in the UK.

The landmark case in this area is Supreme Court’s judgment in Lloyd v Google. [9] This was a claim in which it was alleged that Google had secretly tracked the internet activity of iPhone users. In a landmark judgment, the Supreme Court held that the “same interest” requirement was not satisfied, because the entitlement to compensation under the Data Protection Act 1998 required individualised assessment: the impact of the loss of control over personal data was not uniform across the members of the representative action group. It followed that it was impossible for a single judgment to bind the entire group, and the claim could not continue as a representative action.

In the face of an individualised assessment under data protection law, litigants turned to the law of tort, launching a representative claim alleging misuse of private against Google and DeepMind on behalf of approximately 1.6 million individuals whose health-related data had been transferred to these entities without their consent. In December 2024, however, the Court of Appeal determined (in Prismall v Google [10]) that to meet the “same interest” requirement, each member must have a realistic prospect of establishing their claim. In circumstances where misuse of private information requires that there be a reasonable expectation of privacy in respect of the information – an inherently individualised question (even, the Court held, for health data) – there was no real prospect of the “same interest” being established across the entire group.

Two doors are left ajar by this line of caselaw. First, the Supreme Court in Lloyd specifically raised the possibility of members of the class having the “same interest” in a particular legal issue, such as whether conduct was lawful, without being entitled to the same level of compensation. A court could determine the common question, and group members could then bring their own individual claims for damages (which would likely be immediately settled or the subject of successful summary judgment). The wrinkle in this apparently sensible approach is that it leaves no room for funder return: who would pay for this declaratory relief? The scope for ‘bifurcation’ is, it seems, likely to be limited to crowd-funded public interest litigation.

Secondly, the Lloyd judgment technically only determined the compensatory conditions under the Data Protection Act 1998. The commencement of the litigation preceded the advent of the GDPR, which permits compensation for “material and non-material damage” (at Article 82). Some have floated the idea that the (UK) GDPR might permit damages for loss of control without individualised evidence of distress, thereby reopening the possibility of a representative action. Thus far, however, English courts have poured cold water on this possibility, emphasising that something more than a mere infringement of data protection law is required in order for damages to be awarded. But the November 2024 judgment in Case VI ZR 10/24 from the German Federal Court of Justice [11] surprisingly decided (without reference to the Court of Justice of the EU (CJEU)) that damages could be awarded for loss of control per se. There is at least some possibility that the scope for representative actions for data protection breaches may yet be revived – given that data protection law in the UK and EU still remain very much aligned.

Data protection claims in the CAT?

In the meantime, however, the key practical takeaway for both data protection and competition lawyers is that the CAT may well become a new forum for mass data protection claims. The CAT class action procedure, introduced in October 2015 through an amendment to the Competition Act 1998, can be applied to claims that the CAT considers “raise the same, similar or related issues of fact or law and are suitable to be brought in collective proceedings” (section 47B(6) Competition Act 1998). Political proposals to intentionally extend this mechanism into data-related disputes have been unsuccessful, [12] but the CJEU’s 2023 landmark judgment in Meta v Bundeskartellamt (ECLI:EU:C:2023:537) made it abundantly clear that data protection issues are very much on the table for competition regulators: indeed, non-compliance with the GDPR may be a “vital clue” that conduct is anti-competitive.

Meta is now facing an ongoing class action in the UK for conduct which is substantively similar to that addressed in Bundeskartellamt. [13] In its judgment refusing Meta permission to appeal against the CAT’s grant of permission for the claim to go ahead on a collective basis, the Court of Appeal recognised that “this is an area of law which is, par excellence, new and evolving. The use of data as a proxy for monetary payment is a rapidly increasing phenomenon of modern digital life and as such it is generating a range of new legal issues” which may fall to be considered within the existing competition law framework. [14] In light of those developments, and given the various procedural blockers to mass data protection claims in the civil courts, UK litigants taking issue with big technology companies’ data practices may find it increasingly attractive to put their cases in competition terms.

By Aislinn Kelly-Lyth