UK Supreme Court ruling - a sigh of relief for data controllers

Lloyd v Google [2021]

This case review was co-authored by Sarah Hitchcock, Trainee Solicitor, London.

On 10 November 2021, the Supreme Court handed down its long-awaited decision in the data privacy case of Lloyd v Google. The case is of wide importance to the questions of whether compensation may be sought following data breaches and what constitutes the “same interest” required by the Civil Procedure Rules for individuals to rely on a representative action.

First instance judgment

Mr Lloyd pursued a representative claim against Google as a consumer champion on behalf of approximately 4.4 million iPhone users. He sought damages on the basis that the users’ data subject rights had been infringed. No user had suffered a financial loss and no distress was alleged. The court had to consider whether the claim had a reasonable prospect of success. This gave rise to the following issues that would be tested on appeal:

  • Whether Mr Lloyd had suffered “damage” within the meaning of s.13(1) of the Data Protection Act 1998 (DPA 1998).
  • Whether Mr Lloyd was entitled to bring a representative action because members of the class had the ‘same interest’ in the claim and were identifiable (per the requirements of the Civil Procedure Rules for representative actions).
  • Whether the court should exercise its discretion to permit the claim to continue as a representative action.

By Order dated 8 October 2018, the court found against Mr Lloyd on all three issues.

Court of Appeal

The claimant appealed.

The Court of Appeal held that damages are in principle capable of being awarded for loss of control of data, even if there is no pecuniary loss and no distress. It took the view that where a person’s data has economic value because it can be sold, loss of control of that data must also have a value.

Regarding the ‘same interest’ requirement, the Court of Appeal held that the claimants did have the same interest on the basis that they had all had their browser-generated information taken by Google without their consent and in the same circumstances. The claimants were also identifiable, as the data held by Google would identify who was in the class.

Google appealed to the Supreme Court.

Supreme Court

The Supreme Court unanimously allowed the appeal.

The Supreme Court held that "damage" for the purposes of s.13 DPA 1998 means damage or distress, as distinct from and caused by the unlawful processing of personal data and not simply the fact of unlawful processing itself.

The Supreme Court also held in effect that the matter could not be advanced as a “one stage” representative action. The claimant was seeking damages for each class member on a ‘uniform per capita basis’, i.e. without an individual case-by-case assessment of damages. The Supreme Court disagreed that a uniform sum could be recovered and held that in assessing damages, it would be necessary to consider for each individual affected what unlawful processing had occurred.

Comment

The Supreme Court decision will be welcomed by data controllers and insurers. A right to compensation following a data breach is not automatic and the requirement to prove financial loss or distress to bring claims under s.13 of the DPA 1998 has been affirmed, limiting the class of persons able to bring damages in such cases.

Future claims are likely to arise under the UK GDPR regime, where Article 82 provides that a person who has suffered material or non-material damage as a result of an infringement of its provisions shall have a right to compensation. The Supreme Court judgment is clear that the decision was made with consideration to the DPA 1998 only. The applicability of the decision to cases brought under UK GDPR is now likely to be widely under active consideration.

The decision reinforces the sense that UK is unlikely to see a trend towards US-style opt out class actions being pursued in the courts. The judgment suggests that representative claims in which damages rather than just findings of liability are sought, may be difficult, at least for data breaches.

Related items: