Popular search terms
Click each term for related articles
UK & Europe
Cyber Risk
Today, the Supreme Court handed down its judgment in the case of Lloyd (Respondent) v Google LLC (Appellant). The Supreme Court unanimously allowed the appeal, ruling in favour of Google. We have been tracking the case as it has been progressing through the courts due to its potentially far-reaching consequences, testing the extent to which damages may be awarded to individuals for the mere loss of control of their data.
Mr Lloyd, a consumer rights activist and former director of Which?, issued a claim alleging that Google breached the duties that it owed to over 4 million Apple iPhone users as a data controller under the Data Protection Act 1998 (the “DPA 1998”), during a period of some months in 2011-2012, when Google was allegedly able to collect and use their browser generated information as a result of a Safari workaround. Mr Lloyd sued on his own behalf and on behalf of a class of other residents in England and Wales whose data was collected in this way and applied for permission to serve the claim out of the jurisdiction. More information on the Court of Appeal judgment and the Supreme Court hearing can be found here and the three key questions addressed by the Supreme Court were:
The Supreme Court unanimously allowed the appeal, in favour of Google. When handing down the judgment, it was announced that whilst a representative claim could have been brought to first establish a claim in principle against Google with a view to then pursuing individual claims once established, Mr Lloyd had not adopted this two-stage process. The Court emphasised the fact that Mr Lloyd had argued that the class could be assessed as one with a uniform sum being recovered, citing that £750 had been suggested in correspondence. It was the Supreme Court’s decision that the claim cannot succeed for two reasons, namely:
In any event, the Supreme Court held that to receive compensation under the DPA 1998 for any individual “it would be necessary to show both that Google made some unlawful use of personal data relating to that individual and that the individual suffered some damage as a result.” The Supreme Court’s judgment states that without proving either matter the claimant’s attempt to recover compensation is “doomed to fail”.
In summary, the Supreme Court refused Mr Lloyds application for permission to serve the proceedings on Google outside of the jurisdiction of England and Wales.
The judgment reiterates the need for claimants to demonstrate damages, whether they are in the form of distress or financial loss, to successfully claim pursuant to s.13 of the DPA 1998. The decision places boundaries around the categories of individuals who are likely to succeed in claiming damages and reinforces the de minimis approach taken by the courts to date. On the topic of damages, the Supreme Court held that “compensation can only be awarded under section 13 of the DPA 1998 for material damage or distress caused by an infringement of a claimant’s right to have his or her personal data processed in accordance with the requirements of the Act, and not for the infringement itself” [143]. This confirms that the right to damages pursuant to s.13 DPA 1998 is not automatic; the claimant must prove material damage or distress. This is likely to have a very significant impact on a number of existing claims and those waiting in the wings.
The Supreme Court’s decision shows an unwillingness to group individuals and award a “uniform sum” for damages without properly inspecting the circumstances of their claims and requiring those circumstances to be proven. The Supreme Court provided some helpful guidance around the factors that may differentiate individual data subjects, such as the volume and categories of data, the sensitivity of that data and the benefit afforded to the data controller as a result of the misuse.
The decision that the representative action should not be allowed to proceed in any event is in line with the trend that “opt-out” representative actions, as seen in the US, are not commonplace in the UK data protection litigation landscape. This is consistent with the current climate in the UK and does not further open the floodgates for claimants to make claims on behalf of large swathes of individuals without those individuals first being identified and particularising their claim.
The decision itself provides some very welcome commentary on damages for data protection claims and the approach to class actions in the UK and more analysis will follow as we digest this ground-breaking decision. This will include mapping out the impact as against the current regime pursuant to the DPA 2018 and the UK GDPR.
End