Lloyd v Google: Supreme Court unanimously rules in favour of Google

Today, the Supreme Court handed down its judgment in the case of Lloyd (Respondent) v Google LLC (Appellant). The Supreme Court unanimously allowed the appeal, ruling in favour of Google. We have been tracking the case as it has been progressing through the courts due to its potentially far-reaching consequences, testing the extent to which damages may be awarded to individuals for the mere loss of control of their data.

Background and Issues

Mr Lloyd, a consumer rights activist and former director of Which?, issued a claim alleging that Google breached the duties that it owed to over 4 million Apple iPhone users as a data controller under the Data Protection Act 1998 (the “DPA 1998”), during a period of some months in 2011-2012, when Google was allegedly able to collect and use their browser generated information as a result of a Safari workaround. Mr Lloyd sued on his own behalf and on behalf of a class of other residents in England and Wales whose data was collected in this way and applied for permission to serve the claim out of the jurisdiction. More information on the Court of Appeal judgment and the Supreme Court hearing can be found here and the three key questions addressed by the Supreme Court were:

1. Are damages recoverable under the DPA 1998 for “loss of control” of data, without needing to identify any specific distress or pecuniary loss?
2. Does the proposed group of individuals satisfy the “same interest” test as required for a representative action in England and Wales to proceed?
3. Should the Court exercise its discretion and disallow the representative action proceeding in any event?  

Decision by the Supreme Court

The Supreme Court unanimously allowed the appeal, in favour of Google. When handing down the judgment, it was announced that whilst a representative claim could have been brought to first establish a claim in principle against Google with a view to then pursuing individual claims once established, Mr Lloyd had not adopted this two-stage process. The Court emphasised the fact that Mr Lloyd had argued that the class could be assessed as one with a uniform sum being recovered, citing that £750 had been suggested in correspondence. It was the Supreme Court’s decision that the claim cannot succeed for two reasons, namely:

1. The claim is founded solely on s.13 DPA 1998 which provides that “an individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage.” The Supreme Court held that on proper interpretation of this section, the term “damage” refers to “material damage (such as financial loss) or mental distress distinct from, and caused by, unlawful processing of personal data in contravention of the Act, and not to such unlawful processing itself” [90]-[143]; and
2. The Supreme Court disagreed that a uniform sum could be recovered and held that it is necessary to prove what unlawful processing by Google of personal data relating to a given individual occurred. When the Supreme Court orally handed down the judgment, it was commented that things like the period of time, volume of data, whether any sensitive or private data was involved and what use or benefit it afforded Google would need to be considered per individual. Absent evidence of these matters, the individuals are not entitled to compensation.

In any event, the Supreme Court held that to receive compensation under the DPA 1998 for any individual “it would be necessary to show both that Google made some unlawful use of personal data relating to that individual and that the individual suffered some damage as a result.” The Supreme Court’s judgment states that without proving either matter the claimant’s attempt to recover compensation is “doomed to fail”.

In summary, the Supreme Court refused Mr Lloyds application for permission to serve the proceedings on Google outside of the jurisdiction of England and Wales. 

What is the impact?

The judgment reiterates the need for claimants to demonstrate damages, whether they are in the form of distress or financial loss, to successfully claim pursuant to s.13 of the DPA 1998. The decision places boundaries around the categories of individuals who are likely to succeed in claiming damages and reinforces the de minimis approach taken by the courts to date. On the topic of damages, the Supreme Court held that “compensation can only be awarded under section 13 of the DPA 1998 for material damage or distress caused by an infringement of a claimant’s right to have his or her personal data processed in accordance with the requirements of the Act, and not for the infringement itself” [143]. This confirms that the right to damages pursuant to s.13 DPA 1998 is not automatic; the claimant must prove material damage or distress. This is likely to have a very significant impact on a number of existing claims and those waiting in the wings.

The Supreme Court’s decision shows an unwillingness to group individuals and award a “uniform sum” for damages without properly inspecting the circumstances of their claims and requiring those circumstances to be proven. The Supreme Court provided some helpful guidance around the factors that may differentiate individual data subjects, such as the volume and categories of data, the sensitivity of that data and the benefit afforded to the data controller as a result of the misuse.

The decision that the representative action should not be allowed to proceed in any event is in line with the trend that “opt-out” representative actions, as seen in the US, are not commonplace in the UK data protection litigation landscape. This is consistent with the current climate in the UK and does not further open the floodgates for claimants to make claims on behalf of large swathes of individuals without those individuals first being identified and particularising their claim.

The decision itself provides some very welcome commentary on damages for data protection claims and the approach to class actions in the UK and more analysis will follow as we digest this ground-breaking decision. This will include mapping out the impact as against the current regime pursuant to the DPA 2018 and the UK GDPR.