Depending on your age, TikTok is likely to either be the most used app on your phone, or a complete and utter mystery. I won't tell you which camp I fall into. But for those of us who deal with privacy issues, can TikTok shed some light on the way data breach claims are being looked at by the courts? Charlotte Clayson and Kelly Matthews take a look.
In 2021, the Supreme Court judgment in Lloyd v Google LLC [2021] UKSC 50 came along and seemingly changed the data breach claim landscape for good. Before this, there was an increasing trend for high profile data and cyber breaches to end up in court: thousands, if not millions, of individuals would be represented by an individual bringing a claim on behalf of an entire customer base.
Then the Supreme Court dealt those representative actions a blow: these kinds of actions were seemingly not going to work where the claims were based on a simple 'loss of control' of the individuals' personal data. A number of similar representative style claims have since fallen by the wayside given the hurdles to be overcome in bringing these claims made them fairly unattractive for litigants and funders alike.
That's where TikTok comes in. Not with viral lip-syncing videos about the pit falls of privacy claims, but on the receiving end of one of the few representative actions still standing (SMO v Tik Tok Inc and Others [2022] EWHC 489 QB). Can a claim against a video streaming platform survive the blow dealt to representative actions by Lloyd v Google?
What's it all about?
The claim against TikTok is brought on behalf of a child, 'SMO', by her litigation friend, the former Children's Commissioner for England. SMO makes claims for misuse of private information and for breach of data protection legislation in the way that TikTok (and related companies) allegedly used the personal data of various TikTok account holders. The claim has been brought as a representative action where SMO represents all those who held TikTok accounts from 25 May 2018 (the date on which the GDPR came into force) and who were either aged under 13 years (users in the UK) or 16 years (users in the EEA). Damages are claimed for loss of control of their personal data. According to Mr Justice Warby in an earlier procedural hearing, the claim was 'clearly inspired by the representative action brought by the claimant in Lloyd v Google LLC'.
The defendants to this claim are based in various different jurisdictions, including the UK, Ireland, USA, Cayman Islands and China. There had been concerns around the effect that Brexit might have on the claim so for those reasons, SMO commenced the claim sooner than she might otherwise have done to take advantage of the Brexit transition period. However, this was before the Lloyd Supreme Court judgment was handed down. SMO needed the court's permission to serve the claim on the defendants in their respective jurisdictions and / or through their solicitors along with various extensions of time to allow the claim to continue, and that's what this most recent hearing was about.
Whilst the hearing did not focus on the substance of the claims, it marked an opportunity for privacy professionals to see what view the court might take on these kinds of representative actions in a post Lloyd and post GDPR world. In deciding whether to grant permission to serve the claim outside of the jurisdiction, the court had to consider whether there was a serious issue to be tried, and whether the Claimant had a good arguable case on the merits – was this representative action no better than fanciful in light of Lloyd?
Is the TikTok claim still alive?
SMO argued that this case was very different to Lloyd: it was brought by virtue of the new obligations under the post GDPR legislation rather than under the Data Protection Act 1998 as Lloyd had been; SMO had also brought a claim for misuse of private information, which was not a feature of the Lloyd litigation; the alleged unlawful processing by TikTok extended well beyond the remit of the processing in Lloyd; and it had better prospects getting over de minimis threshold.
Whilst it's important to note that the court only had oral representations from SMO in this hearing given the nature of the procedural issues, the judge agreed that based on what he had heard from SMO (and acknowledging that he will need to hear arguments from TikTok in due course) he was satisfied that there was a serious issue to be tried, despite the Supreme Court's judgment in Lloyd.
So, the TikTok claim lives to fight another day and Lloyd has not (yet) sounded the death knell for representative actions for 'loss of control' generally, particularly those brought under the post 2018 legislation.
For those considering a representative action in a data breach claim, the door seems to be very slightly ajar. But this is by no means the end. SMO will face a summary judgment and strike out application in the coming months, where TikTok will be seeking to persuade the court that the Lloyd judgment is the end of these claims, and SMO has no real prospect of succeeding. What the court decides will be of huge importance to privacy practitioners and large organisations alike – watch this space.
