UK: Lloyd V Google – Searching For Data Breach Compensation?

Lloyd v Google [2021] UKSC 50

BLM's Data Breach Unit provides full analysis of today's Supreme Court decision

The Supreme Court has today unanimously allowed Google's appeal against a Court of Appeal judgment that would have allowed a representative action to be pursued against Google by approximately 4 million iPhone users in relation to Google's unauthorised collection of their data.

This is welcome news for Google and any organisation that handles significant amounts of data or bases its business model on the use of personal data (as well as their shareholders and/or insurers). Had the Supreme Court upheld the Court of Appeal's judgment they could have faced a situation where effectively every data breach involving the personal data of large numbers of people could have led to US-style "opt-out" class actions.

The facts

Mr Lloyd (backed by a commercial litigation funder) was seeking to bring a representative action against Google on behalf of millions of Apple iPhone users. It was alleged that between late 2011 and early 2012 Google had collected data from users of Apple's Safari browser without their knowledge or consent. It was argued that, by utilising that data for commercial purposes, Google (as a data controller) breached its data protection obligations under the Data Protection Act 1998. 

This claim has been closely tracked by those with an interest in group actions and/or in data protection claims as class actions of this nature are very unusual in the UK and are essentially "opt-out"; they are the closest we have to US-style class actions. Moreover the issues being considered by the Supreme Court were likely to require an evaluation of the extent to which claimants who do not suffer substantive harm or loss as a result of a breach of their data privacy rights should nonetheless be entitled to compensation.

Route to the Supreme Court

Google initially succeeded in persuading the High Court that the action should not be allowed to proceed – the court seemed to take the view the claim was simply a fee generating exercise for lawyers and funders. Mr Lloyd appealed and was successful in the Court of Appeal, which exercised its discretion to allow the claim to be pursued. It felt that there should be a remedy where a large number of individuals had lost control of their data as a result of the unlawful actions of a third party who had used that data without their knowledge or consent, whether or not they had suffered any damage or distress.

Decision of the Supreme Court

Google's appeal to the Supreme Court has been successful – less than a tenth of the way through the judgment the court made its position quite clear; given the way in which Mr Lloyd had framed the claim he had failed to show, in any individual case (1) that Google had unlawfully used that individual's data and (2) that the individual had suffered any material damage or distress as a result. Those failures were fatal to the claim; the claim had no real prospect of success and would not be given permission to proceed.         

Representative actions

The Supreme Court emphasised that Mr Lloyd can pursue a claim against Google in his own right but could he do so on behalf of other iPhone users via a representative action? The relevant procedural rules require the claimants to have "the same interest" in the claim.  If that test is met then whether to allow the claim to proceed is a matter for the court's discretion.

Mr Lloyd argued that the "same interest" requirement was satisfied and that a representative action could be used to recover a uniform sum of damages for each individual without the need to investigate and prove their individual circumstances.

The Supreme Court appears to have acknowledged that it might be possible to adopt a two stage approach, with stage 1 being a claim for a declaration that Google was in breach of its data protection obligations and stage 2 being assessment of the individual claims for damage. However Mr Lloyd had not adopted that approach (perhaps because funding stage 1 might have been difficult as no damages would be awarded and because funding millions of small claims as part of stage 2 might be uneconomic); he sought a determination as to both liability and damages – that, the court said, was not suitable for a representative action.

The generic facts alleged against Google did not establish that there had been unlawful processing by Google of data of which any specific individual was the subject.

Both parties accepted that there is a threshold of seriousness that must be surmounted before a breach of the Act will give rise to a claim for compensation. The court was not satisfied that had been established here for each individual case – there was no proof of unlawful processing of an individual's personal data beyond the bare minimum to put them within the ambit of the represented class – on that basis there was no prospect of meeting that threshold. 

Damages for breach of data protection rights   

As to damages more generally a robust position was maintained that requires an individualised assessment, with the participation of the individual concerned. This meant that a representative action was not a suitable mechanism for pursuing such claims (as opposed to a claim relating to a faulty product where each product had the same fault and the same loss of value).

To avoid the need for individual assessment Mr Lloyd had adopted what was described as the "bottom up" approach – claiming damages for each individual on a uniform basis (put in the correspondence at £750 per head).

However, the Act (at section 13) provides that an individual is only entitled to compensation where "damage" or, and only in in certain specific circumstances, "distress" is suffered as a result of the breach. Mr Lloyd argued (i) that such "damage" included "loss of control" over personal data and (ii) that interference with a claimant's rights was damage. 

Again, that approach was rejected; "damage" was intended to be limited to material damage (such as financial loss) and distress distinct from, and caused by, unlawful processing of personal data in breach of the Act.  Accordingly damages for simple "loss of control" of data are not recoverable under the statutory framework. Unlawful processing itself was not damage. Section 13 "...cannot reasonably be interpreted as conferring on a data subject a right to compensation for any (non-trivial) contravention by a data controller of any of the requirements of the Act without the need to prove that the contravention has caused material damage or distress to the individual concerned".  

What this means for you

As a starting point it is worth bearing in mind that this was a claim in which the claimant side were trying to persuade the court to allow them to pursue a claim on behalf of approximately 4 million people and that these were claims solely for breach of the DPA 1998.  Any other procedural structure would have been uneconomic but this meant that they needed to show that the claimants had the same interest.

Any business will recognise the enormous threat posed by the prospect of an incident affecting thousands or even millions of people leading to one vast claim by all of them. Even at £750 per head the claim against Google would have been worth approximately £3 billion.

Fortunately the court was unable to see a way in which all of the claims could be pursued together in one go. This was, in essence, because (i) the court rejected the argument that the mere fact that there had been a breach was sufficient to entitle an affected individual to compensation under the Act (ii) the court also rejected the suggestion that loss of control of personal data was damage for the purpose of the Act and (iii) the court said that assessing damages in such claims requires consideration of what information was involved, what use was made of it, over what period and what commercial advantage was gained. That was likely to be different for each individual and made these claims inherently unsuitable for a one-stage representative claim. 

For businesses facing claims based on large-scale breaches this judgment will come as an enormous relief. It will also provide assistance for those facing claims by individuals claiming compensation under data protection legislation for loss of control of data or simply because their rights have been infringed. Whilst it is possible to understand how some information has a value (such as the information obtained by newspapers in the phone-hacking cases on which the claimant relied) it is often impossible to see how the disclosure of anodyne information about an individual can have caused damage for these purposes. It should now be easier to defend such data protection claims.

The numerous claimant firms and funders who had been waiting in the wings for his judgment may now abandon plans to start claims factories churning out representative actions. This will be a huge relief for anyone facing the prospect of such claims. The spectre of individual claims remains though as this judgment does not stop individual claimants from pursuing claims for loss of control of information as claims for misuse of private information. However, these claims have their own hurdles to overcome. In the circumstances a significant battle has been won.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.