My 2021 predictions highlighted the courts as an option for claimants seeking redress when their data rights were infringed. The case against TikTok is an example of this. The High Court has allowed the Children’s Commissioner for England to launch a class-action style lawsuit against TikTok, on behalf of a specific claimant (the 12 year old girl referred to in the headlines) and on behalf of “all other children under 16 years of age who were users of TikTok”. The case aims to build on Lloyd v Google, so is unlikely to progress until the Supreme Court rules in that case.

The legal context for Lloyd v Google and this TikTok case show why cases of this type are so significant:

  • English civil procedure rules create an ‘opt in’ system for class-action style lawsuits. This requires lawyers to find and persuade individuals claimants to ‘opt in’. In contrast, the US system allows members of a class to be included by default unless they opt out. Lloyd v Google could nudge the UK towards a more US style system. Depending on the outcome in the Lloyd v Google case, the Children’s Commissioner’s claim could relate to a very large group.
  • The Lloyd case may also provide some guidance on damages. Both Mr. Lloyd and the Children’s Commission argue for damages on the basis of harm caused by the ‘loss of control’ over data. The GDPR cites loss of control as an example of non-material harm (see Recital 85), but the courts would need to determine whether damages are recoverable and, if so, the appropriate amount. Mr Lloyd is arguing for £750 for each of the roughly 4 million people he seeks to represent.

Taking these points together, businesses could find themselves the hook for huge sums. The total award for damages would (roughly) be equal to the number of people in the class multiplied by the quantum of damages. That could leave Google with a £3 billion bill if the court accepts Mr Lloyd’s argument.

Floodgates for the Class-action Style Lawsuit?

But there is concern about opening the floodgates. We’ll need to wait for the Supreme Court’s decision before we can fully understand the impact of this new type of lawsuit. In the meantime, businesses can take steps to manage the risk. Appropriate data governance processes, including transparency measures, could allow controllers to show that they communicated effectively with individuals to explain what data is collected, how it is used and how it is protected. That could minimise the risk of claims for a ‘loss of control’.

Stay tuned for more policy perspectives by subscribing to our blog or following our Data Policy Network.