Earlier this week, the Lloyd v Google Supreme Court judgment was handed down in the long awaited £3b data breach case of Lloyd (Respondent) v Google LLC (Appellant).
In a decision that will ultimately cost several ATE insurance companies significant legal claims costs, and numerous other parties throughout the claimant chain without WIP, success fees, commission earnings etc, the Supreme Court unanimously allowed the appeal, and ruled in favour of Google.
This data breach case has been slowly moving through various courts and the legal system over the years, as it had potentially far-reaching consequences on other legal test cases surrounding data breach and GDPR claims that were either waiting in the wings, or already in the legal system. Many of these claims have similar characteristics of a mere loss or loss of control of their data, but without any actual harm (or damage) being done.
Background of Lloyd v Google Supreme Court judgment
The claimant, Mr Lloyd, a consumer rights activist and former director of Which, issued the claim alleging that Google had breached its duties that it owed to circa 4 million Apple iPhone users as a data controller under the Data Protection Act 1998 (the “DPA 1998”).
The period of this allegation was at some point during 2011 to 2012 when Google was allegedly able to collect and use their browser generated information as a result of a Safari workaround.
Mr Lloyd sued on his own behalf and on behalf of a class of other residents in England and Wales whose data was collected in this way and applied for permission to serve the claim out of the jurisdiction.
Back in October 2018, Mr Justice Warby ruled against granting permission to serve proceedings on Google in the US because there was not a reasonable prospect of the claim succeeding.
But this was later overturned by the Court of Appeal, which boosted the use of representative actions in claims such as these, where the court said there was no other practical way of pursuing them.
Lord Leggatt said there was “no legitimate objection to a representative claim brought to establish whether Google was in breach of the DPA 1998 and, if so, seeking a declaration that any member of the represented class who has suffered damage by reason of the breach is entitled to be paid compensation”.
But, overturning the Court of Appeal, he rejected Mr Lloyd’s attempt to “break new legal ground” by arguing that the principles applicable to the assessment of damages for misuse of private information at common law also apply to the assessment of compensation under section 13(1).
The three key questions addressed by the Supreme Court were:
Are damages recoverable under the DPA 1998 for “loss of control” of data, without needing to identify any specific distress or pecuniary loss?
Does the proposed group of individuals satisfy the “same interest” test as required for a representative action in England and Wales to proceed?
Should the Court exercise its discretion and disallow the representative action proceeding in any event?
Decision in the Lloyd v Google Supreme Court judgment
The Supreme Court unanimously allowed the appeal, in favour of Google. When handing down the judgment, it was announced that whilst a representative claim could have been brought to first establish a claim in principle against Google with a view to then pursuing individual claims once established, Mr Lloyd had not adopted this two-stage process. The Court emphasised the fact that Mr Lloyd had argued that the class could be assessed as one with a uniform sum being recovered, citing that £750 had been suggested in correspondence. It was the Supreme Court’s decision that the claim cannot succeed for two reasons, namely:
The claim is founded solely on s.13 DPA 1998 which provides that “an individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage.” The Supreme Court held that on proper interpretation of this section, the term “damage” refers to “material damage (such as financial loss) or mental distress distinct from, and caused by, unlawful processing of personal data in contravention of the Act, and not to such unlawful processing itself” [90]-[143]; and
The Supreme Court disagreed that a uniform sum could be recovered and held that it is necessary to prove what unlawful processing by Google of personal data relating to a given individual occurred. When the Supreme Court orally handed down the judgment, it was commented that things like the period of time, volume of data, whether any sensitive or private data was involved and what use or benefit it afforded Google would need to be considered per individual. Absent evidence of these matters, the individuals are not entitled to compensation.
In any event, the Supreme Court held that to receive compensation under the DPA 1998 for any individual “it would be necessary to show both that Google made some unlawful use of personal data relating to that individual and that the individual suffered some damage as a result.” The Supreme Court’s judgment states that without proving either matter the claimant’s attempt to recover compensation is “doomed to fail”.
In summary, the Supreme Court refused Mr Lloyds application for permission to serve the proceedings on Google outside of the jurisdiction of England and Wales.
What is the impact of Lloyd v Google Supreme Court judgment
The Lloyd v Google Supreme Court judgment reiterates the need for claimants to demonstrate damages, whether they are in the form of distress or financial loss, to successfully claim pursuant to s.13 of the DPA 1998. The decision places boundaries around the categories of individuals who are likely to succeed in claiming damages and reinforces the de minimis approach taken by the courts to date. On the topic of damages, the Supreme Court held that “compensation can only be awarded under section 13 of the DPA 1998 for material damage or distress caused by an infringement of a claimant’s right to have his or her personal data processed in accordance with the requirements of the Act, and not for the infringement itself” [143].
This confirms that the right to damages pursuant to s.13 DPA 1998 is not automatic; the claimant must prove material damage or distress. This is likely to have a very significant impact on a number of existing claims and those waiting in the wings.
The Lloyd v Google Supreme Court judgment shows an unwillingness to group individuals and award a “uniform sum” for damages without properly inspecting the circumstances of their claims and requiring those circumstances to be proven. The Supreme Court provided some helpful guidance around the factors that may differentiate individual data subjects, such as the volume and categories of data, the sensitivity of that data and the benefit afforded to the data controller as a result of the misuse.
The decision that the representative action should not be allowed to proceed in any event is in line with the trend that “opt-out” representative actions, as seen in the US, are not commonplace in the UK data protection litigation landscape. This is consistent with the current climate in the UK and does not further open the floodgates for claimants to make claims on behalf of large swathes of individuals without those individuals first being identified and particularising their claim.
Richard Beaty, a consultant employed barrister and data protection expert at City firm Kennedys, said the decision should help “stem the tide” of low-value data protection claims for relatively minor infringements of data protection law, which he said was in danger of becoming the new whiplash.
“Businesses and insurers across the UK will be breathing a sigh of relief at today’s judgment, which signifies a return to orthodoxy in terms of causation in data protection claims,” he added.
“The ruling also slows the move towards allowing US-style opt-out cases in the UK.”