In 2021, the UK Supreme Court delivered a landmark judgment in Lloyd v Google LLC [2021] (‘Lloyd’), which concerns a claim issued by an individual on behalf of all of England and Wales’ iPhone users against Google for breach of data protection rights. This case note explores two key themes in the judgment, namely the award of damages for loss of control of personal data and the use of representative action. It then analyses the implications Lloyd has for the future development of data protection law.
Introduction
Lloyd v Google LLC (‘Lloyd’)1 concerns a claim issued by an individual on behalf of all of England and Wales’ iPhone users against Google for breach of data protection rights. The claimant, Mr Richard Lloyd, relied on Civil Procedure Rule (‘CPR’) 19.6,which governs the use of representative actions, to act as the representative of a class of more than four million Apple iPhone users in England and Wales in issuing a claim against the defendant, Google. He sought compensation under section 13 of the now repealed Data Protection Act 1998 (‘DPA 1998’), which provides that an individual is entitled to claim compensation when they have suffered ‘damage’ because of a breach of the Act by the data controller. Mr Lloyd claimed that there was such a breach under section 4(4) of the DPA 1998 as Google failed to comply with data protection principles by tracking the internet activities of iPhone users using a ‘DoubleClick Ad cookie’ without their consent and collecting users’ data for commercial purposes. He argued that the damage suffered by the affected users was a ‘loss of control’ over personal data, entitling them to compensation of an order of £3 billion.
This case note will analyse two key themes in the judgment, which rejected the decision of the Court of Appeal (‘CA’) and ultimately ruled in favour of Google. It discusses the first key question answered by the Supreme Court (‘UKSC’) on the award of damages for breach of data protection law and investigates the difficulty of claimants passing the high ‘damage’ threshold. It is proposed that courts should acknowledge the loss of economic value of privacy as a form of damage to provide compensation for data breach victims. The article then engages with the second key question regarding the use of representative actions in data breach claims and argues that the UKSC has adopted a conservative approach in interpreting the rule which may hinder data privacy protection. Lastly, the author examines how English data protection law may develop when the potential for mass harm has been increasingly pervasive in this digital age.
It should be noted that the UKSC confined itself to discussing the case under the old DPA 1998 (which was applicable at the time of the alleged breach) and made clear that it would not comment on the Data Protection Act 2018 (‘DPA 2018’), which replaced the DPA 1998 and implemented the General Data Protection Regulation (‘GDPR’). However, it is proposed that adjudication of cases relating to the DPA 2018 will likely follow the Lloyd judgment due to the fundamentally identical substance of the two pieces of legislation, which will be examined in this case note.
I. Damages for Loss of Control of Personal Data
The first key question addressed by the UKSC was whether compensation for ‘loss of control’ over personal data can be awarded under the DPA 1998 without evidence of damage or distress. It was not contested that Google’s action involved unfair processing of personal data, with the UKSC stating that ‘[t]here is no doubt that the claimant is entitled to advance a claim against Google on this basis in his own right which has a real prospect of success’.2 However, Mr Lloyd chose to launch a representative action and attempted to avoid individualised assessment of damage by showing that merely proving the breach itself – the loss of control of personal data – is sufficient to justify compensation.
In Lloyd, the UKSC interpreted the term ‘damage’ restrictively and reinforced the compensatory nature of the English law of damages,3 which potentially undermines the right to respect for the private life of Mr Lloyd (and that of other affected iPhone users). Mr Lloyd advanced his claim by relying on Gulati v MGN (‘Gulati’), wherein damages were awarded for the mere loss of control of personal data in phone hackings based on the tort of misuse of private information.4 He reasoned that since both cases concern an individual’s right to respect for private life, which is protected under Article 8 of the European Convention on Human Rights (‘ECHR’), the UKSC should adopt a similar approach to Gulati in the present case by awarding damages for the mere loss of control of personal data itself. However, the UKSC distinguished the cases by claiming that the nature of the informationaffected in the cases was different: personal data protected by the DPA 1998 is not necessarily private, while data protected by the tort of misuse of private information has a ‘reasonable expectation of privacy’.5 The UKSC held that just because both pieces of legislation serve to protect the same right does not mean that they must achieve this by the same means.6 As a result, the UKSC ruled that the term ‘damage’ in section 13 of the DPA 1998 must mean material damage or mental distress, not merely the unlawful processing of data itself,7 and consequently denied an award of damages to Mr Lloyd. The UKSC’s distinction between the factual scenario in Lloyd and that in Gulati, however, is problematic. By distinguishing the two cases on the basis of the different natures of the infringed data, the UKSC attempted to classify personal data according to their degree of privateness, implicitly legitimising the infringement of ‘less private’ data by data controllers.
The UKSC’s reasoning in Lloyd can also be found in a previous decision in Rolfe v Veale Wasbrough Vizards (‘Rolfe’), which is a claim for breach of data protection law concerning the new DPA 2018 and GDPR.8 In Rolfe, the defendant law firm accidentally sent an email demanding payment of outstanding school fees, which was meant to be sent to the Rolfe couple, to the wrong recipient. Despite the defendant’s immediate request for the recipient to delete the email, the couple still decided to bring an action alleging breach of confidence, misuse of private information, negligence and breach of the GDPR. The claim was dismissed on the basis that no damage or distress above the de minimis threshold was found, warranting the comment that ‘[i]n the modern world it is not appropriate for a party to claim, (especially in the High Court) for breaches of this sort which are, frankly, trivial’.9 What the two judgments have shown is the English courts’ insistence on upholding the traditional position in the law of damages that ‘all damages, with a few minor exceptions, aim to compensate loss’.10 However, in doing so, the courts failed to respect an individual’s fundamental right to respect for private life, which is ‘[o]ne of the key aims of the GDPR and the DPA’.11 This right is essentially concerned with protecting one’s freedom to choose whether others have access to one’s private life, regardless of the nature of the affected information or the extent of the violation. As a data controller, Google is obliged to respect such a right by following the principles included in the DPA 1998. The UKSC’s restrictive understanding of the term ‘damage’ in Lloyd is undesirable as it not only disregards the right to respect for private life, but also fails to recognise Google’s duty to comply with data protection principles.
Having established the need to respect the right to respect for private life, it is proposed that courts should interpret the term ‘damage’ with reference to the vindicatory function of the English law of damages to fully acknowledge the intrinsic value of privacy. Lord Hope in Chester v Afshar summarised the function of the law as ‘enabl[ing] rights to be vindicated and to provide remedies when duties have been breached’.12 The rights theorist Professor Robert Stevens went further and proposed that ‘damages are awarded, in the first instance, to vindicate the right violated’.13 The increasing emphasis on the law’s vindicatory function is reflected in Halliday v Creation Consumer Finance Ltd (CCF),14 in which Mr Halliday was wrongly recorded as a debtor by Creation Consumer Finance. After such information was shared with a credit reference agency, he sought to rely on the DPA 1998 to claim damages for distress suffered due to the harm to reputation and credit rating. The CA eventually concluded that the breach did not lead to loss of creditor reputation.15 Despite the lack of evidence of distress, the CA awarded compensation of £750 because ‘it is important to mark violations of this kind where there has been frustration’.16 The fact that the triviality of the breach did not bar the possibility of awarding damages reflects a data controller’s underlying duty of respecting the right to respect for private life, regardless of whether a loss is suffered by the data subjects.
In light of this, the CA in Lloyd was right to find that damages can be awarded for Google’s breach of data protection law without the need to prove any material loss or distress on the basis that there was economic value to a person’s control over personal information.17 This reasoning was also used by Lord Reed in One Step (Support) Ltd v. Morris-Garner, where he suggested that ‘the person who makes wrongful use of the property prevents the owner from exercising his right to obtain the economic value of the use in question, and should therefore compensate him for the consequent loss’.18 By assigning an economic value to the integrity of the affected private information, courts would thus acknowledge that the inherent value of privacy is lost when personal data is mishandled by a data controller.19 This leads to a common measure of damage, making it possible for data breach victims to receive compensation for the breach itself. The quantum of damages can then be determined by the nature of the affected information. It is precisely through this approach of awarding damages that the law can depart cautiously from the strict ‘damage’ standard and uphold the right to respect for private life. Yet, the fact that the UKSC was quick to dismiss Mr Lloyd’s claim shows courts’ hesitancy towards the protection of the right to respect for private life in the context of breaches of data protection law.
II. Use of Representative Actions in Data Privacy Protection
The second key question answered by the UKSC is whether a representative action is a suitable vehicle for breach of data protection law claims, such as that in Lloyd. Unlike the United States, where class actions are commonplace, the United Kingdom (‘UK’) is more restrictive with regards to the use of collective actions. To properly understand the English legal landscape for collective actions, it is helpful to look at the methods for seeking collective redress currently available in the English legal system:group litigation orders (‘GLOs’), representative actions and opt-out class actions (the last method being specifically for competition law claims). For breach of data protection law claims, one may proceed by either GLOs or representative actions. GLOs operate on an opt-in basis for claims which ‘give rise to common or related issues of fact or law’,20 while representative actions are an opt-out approach that can be advanced by individuals who satisfy the more demanding ‘same interest’ in a claim test pursuant to CPR 19.6.21 Each method has its limitations: while GLOs’ opt-in nature means that high administrative costs are incurred in gathering the class and hence making it less desirable in the eyes of litigation funders,22 the difficulty of forming representative actions has been reflected in Lloyd.
Mr Lloyd’s attempt to issue a claim through a representative action was described by the CA as ‘an unusual and innovative use of the representative procedure’.23 For the claim to proceed, Mr Lloyd would need to avoid individualised assessment of damages by showing that all members of the class had the ‘same interest’ in the claim. The CA attempted to define ‘same interest’ by referring to the latest authoritative statement found in Emerald Supplies v British Airways,24 which requires the identity of interest of the represented class to be ‘representative at all stages, not just at the end point of judgment’.25 This is a stringent requirement as the represented class are all victims of the same alleged wrong, but may not have suffered the same damage during the same period. This is where the overriding objective of the CPR is put into practice – as eloquently summarised by Lord Leggatt, a judgment in a representative action would bind all members of the represented class in order to ‘effectively promote and protect [their] interests’.26 Mr Lloyd attempted to overcome this hurdle by suggesting that all members suffered a loss of control of their personal data, thus having the ‘same interest’ in the claim. This argument was rejected by the UKSC because the nature and extent of data breaches suffered by users vary.27 However, by focusing on the superficial differences in the infringed data and not interpreting the rules governing the use of representative actions purposively, the UKSC failed to ‘effectively’ protect the interests of the users.
It is apparent from the Lloyd judgment that the UKSC has shifted towards conservatism when determining the applicability of opt-out class actions, especially concerning breach of data protection law claims. On the surface, the UKSC attempted to ensure that representative actions retain their value as ‘a flexible tool of convenience in the administration of justice’.28 While the CA adopted a flexible approach to allow the use of representative action by recognising that the ‘loss of control’ has a value and can be considered damage by referring to Gulati,29 the UKSC rejected this proposition and required specific proof of material damage or distress. The UKSC’s reluctance in grouping the iPhone users and awarding a uniform sum for damages without inspecting individual circumstances would most likely discourage collective claims for data privacy law breaches. Such an attitude can be explained from a practical perspective, which is concerned with the commercialisation of class action. In recent years, there has been a rise in class actions in the UK as the litigation funding market has significantly matured and the economic value of such claims has become more prominent.30 This is reinforced by the phenomenon that commercial litigation funders and claimant law firms are often the main beneficiaries of class actions as a large part of the awarded compensation is used to cover the legal costs. In Lloyd, Lord Leggatt condemned the representative claimant for consuming ‘substantial resources in the pursuit of litigation on behalf of others who have little to gain from it’.31
The UKSC’s attitude towards class actions is consistent with the government’s policy consideration – despite the Civil Justice Council’s concern that existing procedures do not provide ‘sufficient or effective access to justice’ for individuals and entities wishing to bring collective claims,32 the government refused the Council’s recommendation to introduce a generic class action procedure on the basis that there are ‘structural differences between the sectors’ and that there is a need for assessing economic and other impacts.33 Earlier this year, the Department of Culture, Media and Sport also concluded that there is insufficient justification for introducing new legislation in class claims for breach of data protection law.34 Whilst this has the benefit of preventing misuse of the court’s resources, difficult questions can arise in deciding when it is appropriate to address claims efficiently with the use of class actions. For example, is the commercialisation of class actions by litigation funders and claimant law firms still of concern if it can serve as an effective tool to combat problematic business practice in data processing? Furthermore, it is inaccurate to say that data subjects have ‘little to gain’ from commercialised representative actions when they can receive their deserved compensation for the infringement of their personal data through such procedure. As there is a growing use of online platforms, the possibility of mass data privacy infringement is increasingly high, with a notable example being the 2010 Facebook–Cambridge Analytica data scandal.35 This raises the concern that limiting the use of representative actions as these practical considerations may bring injustice to the broad spectrum of affected data subjects.
The broadly discouraging attitude of both the government and courts towards the use of class actions raises concern that there is little room for resolving disputes affecting a large group of people. It is perhaps useful to consider the policy considerations behind the suggestion of introducing an opt-out class action regime. During the Woolf reforms in the late 1990s,36 which were intended to reduce the cost and time courts spent on civil proceedings,37 Lord Woolf suggested that an opt-out collective redress regime would offer benefits for English civil procedure by making the process ‘more effective and efficient’.38 It is argued that the difficulty of initiating an opt-out class action in Lloyd fails to reflect ‘the very simplicity of the representative rule’ endorsed by Lord Leggatt,39 which may hinder the ‘most important policy objective’ of class actions—access to justice.40 This may also go against the aim of Article 80(2) of the GDPR, which provides that anybody has the right to lodge a complaint regarding an infringement of the protected rights of a data subject under the GDPR. In Lloyd, the UKSC attempted to remedy this problem by acknowledging the potential for a bifurcated approach,41 whereby a representative action can first be launched to determine common issues of fact or law, followed by an individual assessment of damages. Although this approach is theoretically possible, it is unlikely to improve access to justice through collective actions. In academic literature, the bifurcated approach has been endorsed by scholars such as Professor Rachael Mulheron. She argues that such a process should be adopted in cases like Emerald Supplies, in which questions of fact need to be proved before proceeding to the next stage of an individual assessment of damages.42 Indeed, such an approach can function as a halfway house between a fully ‘opt-in’ GLO or an opt-out representative action that poses a high threshold with the ‘same interest’ requirement. As the bifurcated approach allows a group of similarly affected individuals to bring their claims in a collective action and addresses wrongs that may be too insignificant to justify individual proceedings, it satisfies the primary goal of class actions and achieves what Lord Leggatt calls a ‘convenient administration of justice’.43 It also allows for an individualised assessment of damages according to circumstances personal to each claimant.
However, the bifurcated approach is unlikely to be a popular tool for group litigation as it is not economically viable.44 To begin such a process, the litigation funders would need to cover the administrative costs of finding evidence and verifying membership of the class. Even if liability were successfully established in the first stage where questions of fact are determined, no financial return would be generated. Moreover, funders will need to bear the risk brought about by the uncertainty surrounding the size of the class (and hence the potential amount of compensation). It would only be profitable for the funders if damages were awarded in the second stage where individual damages are assessed and successfully exceeded litigation costs. Given that there is usually a mismatch of resources such that most claimants are financially less capable than the defendant companies, the bifurcated approach is unlikely to be adopted if no litigation funders are willing to get on board.
Lloyd can be regarded as a test case in the rapidly developing area of data protection law. It is worth noting that in recent years, commercial litigation funders and claimant law firms have actively been seeking opportunities to form group actions for data breach claims, with some high-profile examples being against the likes of Facebook,45 British Airways46 and Marriott.47 Had Mr Lloyd’s claim succeeded, it would have created an even more fertile ground for class actions. The UKSC’s decision in Lloyd thus prevented a potentially massive increase in commercialisation of class actions by law firms and litigation funders by dismissing Mr Lloyd’s representative action, though possibly harming data breach victims’ access to justice.
III. Implications
Although the UKSC ultimately overturned the decision of previous courts and refused to allow Mr Lloyd’s claim to proceed, the judgment serves as a useful reminder that the significance of the claim in Lloyd was to provide a civil compensatory remedy for a ‘wholesale and deliberate misuse of personal data without consent, undertaken with a view to commercial profit’.48 Labelling class actions as commercialised civil lawsuits by litigation funders and claimant law firms appears to be an irony when data controllers are the ones profiting from the breaches in the first place. As the rapid development of digital technologies has contributed to the potential for mass violations of data protection law, there is a need for a more comprehensive framework to enforce existing data protection law. This is acknowledged by Lord Leggatt in Lloyd, where he commented that it is necessary to reconcile the ‘inconvenience or complete impracticality’ of litigating multiple claims with that of making every prospective claimant a party to a single claim.49 While Lord Leggatt went on to assert that the absence of ‘a detailed legislative framework’ is not reason to decline a restrictive interpretation of the representative rule, this article has provided valid reasons for adopting a flexible approach. As Lloyd was brought under the DPA 1998 which is no longer in effect, it is, therefore, necessary to evaluate whether the DPA 2018, which implements the GDPR, can better facilitate the protection of data privacy.
What implications does Lloyd carry regarding the future development of data protection law in the UK? Although Lloyd focused on the interpretation of section 13 under the old DPA 1998, which has been replaced by the DPA 2018, it is widely agreed that the court will most likely follow this precedent due to the fundamentally identical substance and approach of the two legislations.50 The equivalent provision in the DPA 2018, Article 82, is worded in similar terms: it provides a statutory right for compensation for ‘material or non-material damage’ for infringements of the GDPR. The two legislations share the same reasoning in the sense that they both distinguish between damage caused by the breach and the breach itself. However, recital 85 of the GDPR, which is a non-legally binding explanatory note, cites ‘loss of control over personal data’ as an example of non-material damage in the context of a data privacy breach. There is a potential for UK data protection law to diverge significantly from that of other European countries, as the UK courts are not obliged to refer to the recital when interpreting the DPA 2018 in future cases. The recital opens up a potential for claiming damages for the mere breach itself without the need for proving loss or distress, which then makes satisfying the ‘same interest’ test easier and enables the use of class action in data breach claims.
Conclusion
Through an analysis of the two key questions answered by the UKSC in Lloyd, this case note criticised the judgment for showing insufficient respect for the right to respect for private life as protected under the ECHR. It proposed interpreting the term ‘damage’ in a rights-based manner to properly acknowledge the right to respect for private life and to provide remedies for breach of data protection law victims. It also noted the increased difficulty in employing representative actions in data privacy claims through evaluating the Court’s shift towards conservatism in this aspect. Finally, it explored the possible manner in which the data protection law can develop. The outcome brought about by Lloyd is certainly a positive one for data controllers, but it also leaves open the possibility for claimants to test out the bifurcated approach in future breach of data protection law claims. In sum, Lloyd is an innovative but failed attempt to engineer an avenue for data breach group claims. It can be regarded as a reminder of the importance of protecting the right to respect for private life in this digital age, when individuals are exceptionally prone to privacy violations by data controllers.
[1] Lloyd v Google LLC [2021] UKSC 50. It should be noted that as Google is a Delaware corporation and based outside the court’s jurisdiction, Mr Lloyd required the court’s permission to serve the claim. At first instance, the High Court refused to grant permission, but this was overturned by the Court of Appeal. In April 2021, the UKSC gave its judgment in favour of Google and concluded that this claim had ‘no real prospect of success’.
[2] ibid [23] (Lord Leggatt).
[3] For more on the compensatory nature of the English law of damages, see Clare Connellan, ‘In a nutshell: claiming damages in United Kingdom’ (Lexology, 4 November 2019) <https://www.lexology.com/library/detail.aspx?g=910c3318-8df0-4f6a-9301-86719ae7307d> accessed 8 February 2022.
[4] Gulati v MGN Ltd [2015] EWHC 1482 (Ch); [2017] QB 149 [45] (Arden LJ).
[5] Lloyd (n 1) [130] (Lord Leggatt).
[6] ibid [124] (Lord Leggatt).
[7] ibid [117] (Lord Leggatt).
[8] Rolfe v Veale Wasbrough Vizards [2021] EWHC 2809 (Master McCloud).
[9] ibid [13] (Master McCloud).
[10] Andrew Stephen Burrows, ‘Damages and Rights’ in Donal Nolan and Andrew Robertson (eds), Rights and Private Law (Hart 2012) 275-307.
[11] Joint Committee on Human Rights, The Right to Privacy (Article 8) and the Digital Revolution (2019–20, HL 14, HC 122), 7.
[12] Chester v Afshar [2005] 1 AC 134 [87] (Lord Hope).
[13] Robert Stevens, ‘Damages and the Right to Performance: A Golden Victory or Not?’ in Jason W. Neyers, Richard Bronaugh and Stephen G.A. Pitel (eds), Exploring Contract Law (Hart Publishing 2009) 171.
[14] Halliday v Creation Consumer Finance Ltd (CCF) [2013] EWCA Civ 333.
[15] ibid [33] (Lady Justice Arden).
[16] ibid [35] (Lady Justice Arden).
[17] Lloyd v Google [2019] EWCA Civ 1599 [68] (Sir Geoffrey Vos C).
[18] One Step (Support) Ltd v. Morris-Garner [2018] UKSC 20, [2018] 2 WLR 1353.
[19] Samid Hussain, ‘Legal and Economic Analysis of Personal Data–Related Collective Actions in the UK’ (_The National Law Review, 17 March 2021) < https://www.natlawreview.com/article/legal-and-economic-analysis-personal-data-related-collective-actions-uk> accessed 10 December 2021.
[20] Lloyd (n 1) [24] (Lord Leggatt).
[21] Sophie Walker, ‘Representative actions – “same interest” test proves a high bar’ (Allen & Overy, 2 December 2021)<https://www.allenovery.com/en-gb/global/news-and-insights/publications/representative-actions-same-interest-test-proves-a-high-bar> accessed 8 February 2022.
[22] Greg Beres, ‘To GLO or not to GLO: a funder’s perspective’ (Augusta Ventures, 4 October 2019) <http://disputeresolutionblog.practicallaw.com/to-glo-or-not-to-glo-a-funders-perspective/> accessed 14 March 2022.
[23] Lloyd (n 17) [7] (Sir Geoffrey Vos C).
[24] Emerald Supplies v British Airways [2010] EWCA Civ 1284.
[25] ibid [65] (Sir Geoffrey Vos C).
[26] Lloyd (n 1) [71] (Lord Leggatt).
[27] ibid [144] (Lord Leggatt).
[28] ibid [68] (Lord Leggatt).
[29] Lloyd (n 17) [47, 70] (Sir Geoffrey Vos C).
[30] Richard Hornshaw and Jenny Arlington, ‘The Rise Of Class Actions In The UK And Continental Europe: Risks And Opportunities’ (Risk and Compliance Magazine, March 2022) <https://riskandcompliancemagazine.com/jan-mar-2022-issue> accessed 16 January 2022.
[31] Lloyd v Google [2019] 1 WLR 1265 [102]-[104] (Lord Leggatt).
[32] Civil Justice Council, ‘Improving Access to Justice through Collective Actions. Developing a More Efficient and Effective Procedure for Collective Actions’ (November 2008) <https://www.judiciary.uk/wp-content/uploads/JCO/Documents/CJC/Publications/CJC+papers/CJC+Improving+Access+to+Justice+through+Collective+Actions.pdf > accessed 28 February 2022.
[33] Ministry of Justice, Government’s Response to the Civil Justice Council’s Report: ‘Improving Access to Justice through Collective Actions’ (July 2009) paras 12-13.
[34] Department for Digital, Culture, Media & Sport, ‘UK Government response to Call for Views and Evidence – Review of Representative Action Provisions, Section 189 Data Protection Act 2018’ (February 2021) <https://www.gov.uk/government/publications/call-for-views-and-evidence-review-of-representative-action-provisions-section-189-data-protection-act-2018/uk-government-response-to-call-for-views-and-evidence-review-of-representative-action-provisions-section-189-data-protection-act-2018> accessed 28 February 2022.
[35] Nicholas Confessore, ‘Cambridge Analytica and Facebook: The Scandal and the Fallout So Far’ The New York Times (New York, 4 April 2018) <https://www.nytimes.com/2018/04/04/us/politics/cambridge-analytica-scandal-fallout.html> accessed 8 February 2022.
[36] John Anthony Jolowicz, On Civil Procedure (Cambridge University Press 2000) ch 19.
[37] STA Law Firm, ‘Lord Woolf’s Reforms And Civil Procedure Rules 1998’ (Mondaq, 30 May 2018) <https://www.mondaq.com/uk/civil-law/705694/lord-woolf39s-reforms-and-civil-procedure-rules-1998> accessed 14 March 2022.
[38] Lord Woolf, Access to Justice: Final Report to the Lord Chancellor on the Civil Justice System in England and Wales (Her Majesty’s Stationery Office 1996).
[39] Lloyd (n 1) [68] (Lord Leggatt).
[40] Vince Morabito, ‘Statutory Limitation Periods and the Traditional Representative Action Procedure’ (2005) 5 Oxford University Commonwealth Law Journal 113.
[41] Lloyd (n 1) [48] (Lord Leggatt).
[42] Rachel Mulheron, ‘Emerald Supplies Ltd v British Airways plc; A Century Later, The Ghost of Markt Lives On’ (2009) 8 CompetitionLaw Journal 159, 171.
[43] Lloyd (n 1) [41] (Lord Leggatt).
[44] Jeremy Marshall, Anna-Maria Quinke and Maarten van Luyn, ‘Class and Group Actions Laws and Regulations European Class Actions: The Funder’s Dilemma’ (ICLG, 8 November 2021) <https://iclg.com/practice-areas/class-and-group-actions-laws-and-regulations/8-european-class-actions-the-funder-s-dilemma> accessed 15 March 2022.
[45] ‘Facebook faces mass legal action over data leak’ BBC (London, 16 April 2021) <https://www.bbc.co.uk/news/technology-56772772> accessed 28 February 2022.
[46] ‘British Airways data-breach compensation claim settled’ BBC (London, 6 July 2021) https://www.bbc.co.uk/news/technology-57734946 accessed 28 February 2022.
[47] ‘ICO fines Marriott International Inc £18.4 million for failing to keep customers’ personal data secure’ (ICO, 30 October 2020) <https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/10/ico-fines-marriott-international-inc-184million-for-failing-to-keep-customers-personal-data-secure/> accessed 28 February 2022.
[48] Lloyd (n 17) [86] (Sir Geoffrey Vos).
[49] Lloyd (n 1) [67] (Lord Leggatt).
[50] Sam Ellerton, ‘What the Lloyd v Google mass data privacy case means for businesses’ (Lockton, 23 December 2021) <https://global.lockton.com/gb/en/news-insights/what-the-lloyd-v-google-mass-data-privacy-case-means-for-businesses> accessed 16 January 2022; Ellie Fayle and Liam Hurren, ‘Lloyd v Google: Stepping back from the brink’ (Kingsley Napley LLP, 19 November 2021) <https://www.kingsleynapley.co.uk/insights/blogs/dispute-resolution-law-blog/lloyd-v-google-stepping-back-from-the-brink> accessed 16 January 2022. Marianna Ryan and Nick Philips, ‘Damages for Data Breaches – What if Lloyd v Google had been decided under the GDPR?’ (Edwin Coe LLP, 10 December 2021) <https://www.edwincoe.com/blogs/main/damages-for-data-breaches-what-if-lloyd-v-google-had-been-decided-under-the-gdpr/> accessed 16 January 2022.
Angelina Pang
LLB (LSE) ’24 and Junior Notes Editor of the LSE Law Review 2021-22