Meta: Cracking the door open for data-related class actions?

The announcement on 14 January 2022 of a proposed competition collective action against Meta (formerly Facebook) is the latest in a number of collective actions against the tech giants, including Apple^[1] and Google^[2], and is of particular interest owing to the subject matter – namely data collection practices.  It marks the first foray of competition collective actions into the area of data privacy and coincides with the Supreme Court’s decision in Lloyd v Google^[3] which appears to limit the scope for collective data privacy claims under the CPR 19.6 representative action mechanism.  In this article, we look at the expansion of the competition collective proceedings regime and consider the risk that this presents to businesses in the form of collective actions relating to the use (or alleged misuse) of data.

The proposed collective action against Meta

The proposed collective action against Meta is currently at the pre-action stage and the precise details remain unknown at the time of writing.  However, the claim’s website explains that action will be brought by Dr Liza Lovdahl Gormsen (a competition law academic), that it will be for a minimum of £2.3 billion plus interest, and that it will cover around 44 million consumers (namely all UK users of Facebook between October 2015 and December 2019 now living in the UK).  The claim will be funded by Innsworth Litigation Funding. 

As to the basis for the action, the claim’s website asserts that Facebook breached competition law by abusing its dominant market position through imposing unfair terms and prices on users.  The claim is expected to allege that Facebook’s practice of only permitting access to its network in exchange for control of its users’ personal data was an “unfair bargain”, which allowed Meta to exploit users’ data to generate “excessive profits”.  It is a standalone claim, meaning that it does not rely on an existing finding of breach by a regulatory authority.  However, at the time of writing, a number of competition authorities, including the European Commission, the UK’s Competition and Markets Authority (the CMA) and Germany’s Bundeskartellamt, are or have been investigating whether aspects of Facebook’s data practices amount to an abuse of dominant position.^[4]

The rise of opt-out actions

The digital services market lends itself to opt-out litigation because a single breach of the law – be it data privacy law, competition law or other – is likely to affect significant numbers of consumers.  Although the loss suffered by each individual may be relatively small, and therefore not itself worth the effort of litigation, the loss caused to all individuals combined is likely to be much higher and renders group or collective litigation more economical to pursue.  Where collective actions are brought on an opt-out basis, they do not require affected consumers to take any steps to join the proceedings as those who fall within the definition of the represented class are automatically included in the action.  The recent increase in opt-out collective actions against companies providing digital services is no coincidence: claimant law firms and litigation funders have sought to pursue opportunities in this potentially lucrative area.  

Until very recently, US style “opt-out” collective litigation had not taken hold in the UK, due to the lack of suitable mechanisms for bringing such claims.  Although it is possible to bring opt-out representative actions under CPR 19.6, all class members need to have the “same interest”, which can be difficult to establish.  However, in 2015 the Consumer Rights Act introduced an opt-out procedure for collective actions to be brought in the Competition Appeals Tribunal (the CAT), for breaches of competition law.  Although this regime is relatively new, it is now gaining some momentum.

Competition collective actions in the CAT were given a significant boost at the end of 2020 when the Supreme Court in Merricks v Mastercard^[5] set the bar for certification of US-style “class actions” for competition law breaches at an apparently low level (see our previous article for further detail).  Following this decision, in 2021 the CAT certified a number of collective actions^[6] and saw six new claims being filed.  More certification decisions are expected in early 2022^[7].  Unless future case law sees the CAT approach the question of certification more strictly, the flow of cases is expected to continue.

In contrast, representative actions under CPR 19.6 suffered a setback at the end of 2021 following the Supreme Court decision in Lloyd v Google (see our previous article for further detail).  This case concerned a claim for breach of data privacy laws relating to Google’s alleged use of tracking cookies without an individual’s knowledge or consent. The Supreme Court held that Mr Lloyd’s claim could not proceed as a representative action for two main reasons: first, because loss of control damages were not available for breach of the applicable data privacy laws, and second, because even if they were it would still have been necessary to assess the extent of the unlawful processing in each individual case. 

The Supreme Court’s second reason for rejecting Mr Lloyd’s representative action highlights the more limited ambit of CPR 19.6 representative actions owing to the requirement that all claimants must have the “same interest”.  It is also in contrast to the approach which the Supreme Court took in Merricks v Mastercard, where it not only emphasised the appropriateness of a “broad axe” approach to quantifying damages, but also held that there does not need to be an individual assessment of loss (as damages awarded in competition collective proceedings need not follow the compensatory principle and can be on an “aggregate” basis, to the class as a whole).

Data-related collective actions (and more) through the back door?

With CPR 19.6 representative actions now appearing to be a less attractive option for data privacy collective claims, potential claimants and litigation funders may be considering whether the existing competition collective proceedings regime can stretch to accommodate types of data-related claims.

Time will tell whether this turns out to be the case, but the competition collective proceedings framework has proven to be a more powerful tool for claimants than anticipated.  At its inception, most practitioners expected the regime to be used primarily for cartel-type actions, following-on from existing findings of breach by regulators.  However, the past year has shown that claimants are willing to bring claims on a “standalone” basis (i.e. without an existing regulatory finding of breach) and are prepared to do so in areas of law which are not yet settled or which can be difficult to prove.

A number of recent competition collective proceedings, including the claim against Meta, concern allegations relating to abuse of dominance under Article 102 of the Treaty on the Functioning of the European Union and UK Chapter II prohibition in the Competition Act 1998.  The types of “abuse” caught by this regime have always been expressed to be non-exhaustive and, over the past few years, the courts and regulators have been willing to adopt a flexible approach to what amounts to abuse of dominance, considering issues on a case-by-case basis.  Overall, potential litigants may therefore view abuse of dominance claims as an opportunity to push the boundaries of competition law and, in turn, the scope of the collective proceedings regime.

The recent “boundary fares” collective action^[8] is a good example of this.  In this case, the alleged abuse of dominance is that the defendant train companies failed to make boundary fares sufficiently available to travelcard holders, who instead would purchase an entirely new ticket for the totality of the journey. The defendant train companies argued that the claims were unsustainable as they amounted to consumer protection claims rather than competition law infringements.  However, the CAT did not agree, holding that it was reasonably arguable that the train companies’ failure to do more to make boundary fares available amounted to an abuse of dominance.  In making this decision, the CAT noted that the law on what constitutes an abuse of dominance by imposing unfair trading conditions is in a state of development.

As noted above, although the precise details of the claim against Meta remain unknown (pending filing), it appears that the allegations will centre on an alleged abuse of dominance by Facebook through unfair trading conditions, which allowed Facebook to generate “excessive profits” from users’ data whilst providing them with no financial compensation.  If the proposed action against Meta is successful at the certification stage, the competition collective proceedings regime could well become the favoured new route for claims against large data controllers in cases where it can be shown that they have breached competition law.

The issue of access to data, and data privacy, represents a broader interest by litigants and regulators in addressing the activity of the large tech companies.  The big tech companies are also being targeted through emerging ex ante regulatory regimes, notably through the proposed Significant Market Status regime in the UK and the Digital Markets Act in the EU.  Although these regimes focus on competition, rather than privacy, it is expected that they will impose various data-related obligations on the big tech companies.  Interestingly, an amendment to the draft legislation proposed by the European Parliament also envisages that breaches of the Digital Markets Act could form the basis of collective proceedings – however it remains to be seen whether these proposals are included in the final version of the legislation, and whether the UK would follow suit.  The key point for now is that these new regulatory developments suggest a convergence between competition and data protection, such that addressing data privacy related issues in private competition law enforcement may well be the logical next step.

Conclusion

The setback which the Supreme Court decision in Lloyd v Google has presented for data privacy claims, combined with the approach the CAT has taken in recent certification hearings, provides a clear incentive for claims to be shoehorned into the competition law collective proceedings framework. It remains to be seen how far innovative claimant firms and funders are willing to push the boundaries of competition claims into the realms of consumer protection, but competition collective actions are likely to be an increasing risk for businesses with a dominant position in any particular market.

[1] Case 1403/7/7/21 Dr. Rachael Kent v Apple Inc. and Apple Distribution International Ltd

[2] Case 1408/7/7/21 Elizabeth Helen Coll v Alphabet Inc. and Others

[3] Lloyd v Google LLC [2021] UKSC 50

[4] The European Commission and CMA opened coordinated investigations on 4 June 2021 regarding Facebook’s collection and use of advertising data.  See an article written by our Hamburg team on the Budeskartellamt’s Facebook case here.  That case is currently on appeal before the Higher Regional Court of Düsseldorf, which referred certain questions to the EU Court of Justice in April 2021 for clarification.

[5] Merricks v Mastercard [2020] UKSC 51

[6] Merricks v Mastercard in August 2021; Justin Le Patourel v BT Group PLC [2021] CAT 30 in September 2021; and Justin Gutmann v London & South Eastern Railway Limited and Others  [2021] CAT 31 in October 2021

[7] Certification judgments are currently pending in 1282/7/7/18 UK Trucks Claim Limited v Stellantis N.V. and Others and 1289/7/7/18 Road Haulage Association Limited v Man SE and Others, 1336/7/7/19 Mr Phillip Evans v Barclays Bank PLC and Others, and 1329/7/7/19 Michael O'Higgins FX Class Representative Limited v Barclays Bank PLC and Others

[8] 1305/7/7/19 Justin Gutmann v London & South Eastern Railway Limited and Others