Lloyd v Google: Supreme Court unanimously rejects representative action
With data breach claims on the rise, all eyes have been on the eagerly awaited Supreme Court decision in Lloyd v Google. Anticipated to have significant implications for organisations and data subjects alike, the coup for Google is likely to be of considerable relief to many organisations. We explore what the decision means and whether it is all good news.
Google is alleged to have installed software on Apple iPhones which bypassed protections in Apple’s safari browser enabling Google to track users across websites and with it, harvest data around their internet usage. Allegedly, this formed part of Google’s targeted advertising, benefitting them commercially.
Three individual claims were brought in the UK, all of which were settled. The claimant brought a representative action on behalf of himself and anyone else in England & Wales with an iPhone whose data was obtained without lawful consent.
The claimant’s contention was that it was not necessary to prove any damage as a result of the loss of control of data. Further, that the right to compensation was for the loss of control itself and, that a uniform sum of damages should be applied to that element which each and every individual within the action would receive. The figure of £750 was mooted as the uniform sum, meaning this claim alone would result in an award of damages in excess of £3 billion.
The claimant required permission to serve the Claim Form outside of jurisdiction. Whilst dealing with this as a preliminary issue, the Supreme Court had to determine whether the claim had prospects of success. They unanimously held that the claim had no real prospects of success and the claimant was refused permission to serve the proceedings outside of jurisdiction, bringing these claims to a conclusion.
The Supreme Court were extremely clear that the claimant could have advanced a claim in his own right and that itself had real prospects of success. However, given the construction of the Data Protection Act 1998 (‘DPA 1998’), an individual must prove the damage suffered. Given that the loss of control across this group was not uniform, it would not be possible to take a uniform approach to damages. Instead, damages have to be individually assessed taking into account the extent of the unlawful processing determined via:
Is this the end for low-level data breach claims?
Undoubtedly the decision closes the door on claims purely based on the loss of control of the data itself, restricting claimants to those who can only show not only that there was a breach, but also that it caused damage.
It remains for a claimant to prove the damage and this decision means they will now be faced with collating evidence in support of each and every claim.
Does the case apply to all data protection legislation?
No. Whilst Lloyd v Google relates to the DPA 1998, the principles appear analogous with DPA 2018 and the UK GDPR which supersede it. The Supreme Court did explore the question as to whether DPA 1998 allowed damages for distress, concluding that this was only in specific scenarios. In the context of the current legislation, this appears to be non-issue given that it specifically provides for compensation for both material and non-material damage.
Will we see another data protection group action?
Quite possibly, yes. A representative action can be brought to establish liability for a breach of data protection legislation and if successful, to seek a declaration that any member of that action who has suffered damage as a result is entitled to be paid compensation. The door remains open in this regard however, whether claimants’ solicitors will see this as an economic route where the initial decision would not itself guarantee an award for damages remains to be seen.
Lloyd v Google is undoubtedly another favourable decision for organisations. Clarity that loss of control of data does not confer an automatic right to compensation without the need to prove damage is a huge relief. Claimants are ring-fenced to those who suffered damage and there are clear challenges for them to overcome to succeed in data breach claims. We will continue to monitor the wider ramifications of this decision and whether it stifles data breach claims or instead causes a shift in claimants’ approach to them.
Quality Risk Lead - Corporate and Sector Risks
The service you deliver is integral to the success of your business. With the right technology, we can help you to heighten your customer experience, improve underwriting performance, and streamline processes.