The Supreme Court yesterday handed down its much-anticipated judgment in Lloyd v Google LLC  [2021] UKSC 50. This seminal judgment provides welcome clarity on the principle that damages for alleged breaches of data protection legislation cannot be claimed without demonstrating pecuniary loss or distress. It also provides welcome guidance on the Court’s approach to “opt-out” representative data actions.

Background

Mr Lloyd sought to bring a representative claim under CPR 19.6 (which allows representative claims on behalf of individuals with the “same interest”) against Google. The claim sought damages on behalf of more than 4 million Apple i-Phone users for alleged breaches of section 4 of the Data Protection Act 1998 (DPA 1998). The individuals concerned allegedly had their browser generated information collected and utilised by Google as part of the “Safari Workaround” without their knowledge or consent. This data, which included details of the sites they had visited, their browsing habits and their approximate geographical location, was then aggregated into different groups, allowing advertisers to target various market segments.

There was no suggestion that any of the affected individuals had suffered any pecuniary loss, or even that they had suffered distress or inconvenience as a result. Instead, damages were sought for breach of statutory duty under the DPA 1998, or simply the loss of control of the data.

Prior to being considered by the Supreme Court, the case had been through the High Court (which found in Google’s favour) and the Court of Appeal (which reversed the High Court’s decision). Please see our previous article for further information about these previous decisions.

On appeal the Supreme Court was asked to consider the following issues:

  • Are damages recoverable for loss of control of data under section 13 of the DPA 1998, even if there is no pecuniary loss or distress?

  • Was Mr Lloyd entitled to bring a representative claim in circumstances where it was not clear that all 4 million iPhone users affected had the “same interest”?

  • If the “same interest” test could be satisfied, should the Court exercise its discretion and disallow the representative action to proceed?

“Same interest” for representative actions

Lord Leggatt, delivering a unanimous judgment, confirmed his view that the representative rule should be treated as a “flexible tool of convenience” and “applied to the exigencies of modern life as occasion requires”. The requirement to have the “same interest” under CPR 19.6 simply means that the litigation will proceed in a way that protects and promotes the interests of all in the represented class, and that there is no conflict of interest between them.

Where the same interest requirement is satisfied, the Court held that allowing a representative claim may well be appropriate. However, this will only be the case if the damages claimed can be calculated on a basis common to all of those represented (rather than requiring an individual assessment). In circumstances where individual assessment of damages is required, the Court said it was theoretically possible to have a two-stage approach whereby issues of law and fact could be determined by a representative action, followed by individual claims for damages by members of the represented class.

Could damages be calculated on a common basis in this claim?

Theoretically the Supreme Court could see no objection to a representative claim proceeding to determine if Google was in breach of the DPA 1998, and seeking a declaration that any member of the class who had suffered damage would be entitled to bring a separate claim for compensation.

However, it noted that this was not how Mr Lloyd has chosen to frame his claim, as this was likely to be uneconomic and unattractive for litigation funders. Rather, he had sought to attribute a uniform level of damages to each member of the class, based upon the idea of loss of control, without any evidence of actual loss being provided.

The Court readily accepted that Mr Lloyd in his own right, or any individual member of the class may well be entitled to damage under s13(1) of the DPA 1998 for distress, or else for misuse of their private information. However, both of these claims would require evidence as to how the individual members of the class were impacted which had not been provided.

Damages for loss of control

The Court firmly rejected the idea that damages would be available for a mere “loss of control” of data. In relation to the DPA 1998, Lord Leggatt stated that the legislation “cannot reasonably be interpreted as giving an individual a right to compensation without proof of material damage or distress whenever a data controller commits a non-trivial breach of any requirement”; in other words there is no entitlement to compensation purely on the basis that there has been a contravention.

Lord Leggatt also rejected the argument that damages for breach of data protection legislation should be aligned with damages for misuse of private information: “Stripped to its essentials, what the claimant is seeking to do is to claim for each member of the represented class a form of damages the rationale for which depends on there being a violation of privacy, while avoiding the need to show a violation of privacy in the case of any individual member of the class. This is a flawed endeavour.”

The Court further commented that in any event, even if damages for loss of control were theoretically recoverable, evidence would still be required as to the extent of the unlawful processing to enable damages to be quantified.

Commentary

Although the judgment relates to the DPA 1998, the same principles apply under the UK General Data Protection Regulation. Data controllers will breathe a sigh of relief following the clear decision from the Supreme Court that damages cannot be sought for mere loss of control of personal data. The Court made it clear that, in theory, representative claims can be brought in such instances to determine legal liability. However, the requirement to provide evidence as to the actual loss sustained by each class member in order to claim damages should help reduce the likelihood of representative actions against common data controllers.

Whilst this is a welcome development, we cannot underestimate the ingenuity of claims management companies specialising in data claims. Moving forward, this may result in an increase in the number of claims seen where damages for distress are sought as a result of technical breaches, and may further encourage claimants to rack up costs (for example, in commissioning expert reports in an attempt to demonstrate distress) to try to force data controllers into a commercial settlement. 

Claimants may also increasingly seek to frame their claims as those for misuse of private information.

However, coupled with the recent decision in Rolfe v VWV (read more here), data controllers are now in a strong position to reject those claims where there has either been no loss or distress, or the event complained about was a trivial or one-off data incident.  

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at November 2021. Specific advice should be sought for specific cases. For more information see our terms & conditions.

Date published

11 November 2021

GET IN TOUCH

RELATED INSIGHTS AND EVENTS

View all