There has been a significant data protection related judgment handed down by the UK Supreme Court this morning (Lloyd v Google). Mr Lloyd wished to bring a representative (opt-out) action on behalf of several million iPhone users, on whose iPhones Google had placed cookies which tracked their data, allegedly without their consent. In a representative action it is necessary for all potential claimants to have “the same interest” in the claim and so Mr Lloyd’s proposed claim was limited to damages only for ‘loss of control’ of personal data, rather than financial loss or mental distress which may of course have been different among the class of potential claimants.
You can read a press summary of the Supreme Court judgment here, but the headline points are as follows:
- The Court unanimously allowed Google’s appeal, finding that in order for a claimant to obtain compensation for a breach of the Data Protection Act 1998 they must be able to show that they have suffered material damage (for example, financial loss) or mental distress.
- The Court therefore rejected Mr Lloyd’s argument that compensation could be awarded for the mere “loss of control” of personal data. In other words, the unlawful processing of personal data does not in of itself amount to a form of damage.
- The Court also said that in order for a claimant to recover compensation it was necessary to look at the individual circumstances of each potential claimant in terms of the impact of the unlawful processing.
- On that basis, the Court found that it was unsustainable for the claim to proceed without evidence of damage or distress, and therefore the claim had no reasonable prospect of success. The Court therefore found that the claimant’s application to serve the proceedings on Google outside the jurisdiction was rightly rejected by the first instance judge.
This judgment is positive news for data controllers and will likely make it much harder for claimant law firms and litigation funders to put together representative actions following data breaches or other infringements. This is because there would be a significant costs burden in establishing that there were applicable damages suffered across a group of claimants, therefore making the economics of such representative actions potentially non-viable. As a number of other current representative actions were put on hold pending the outcome of this case, the judgment will likely have an immediate practical impact for a number of organisations which have suffered data breaches in recent years.
The judgment related to the position under the old Data Protection 1998 rather than to the GDPR, and so there does remain the possibility that claimant law firms will seek to distinguish any claims made under the GDPR from the findings of the Court. However, given that the judgment required an assessment of the extent of the unlawful processing for each individual claimant, the practical economic challenges of bringing an action of this nature are likely to remain.
We will be publishing an article in due course with more detailed thoughts on the case. However, if you would like to discuss the implications of the judgment with us in the meantime please don’t hesitate to get in touch.
The attempt to recover damages without proving either what, if any, unlawful processing of personal data occurred in the case of any individual or that the individual suffered material damage or mental distress as a result of such unlawful processing is therefore unsustainable -. In these circumstances the claim cannot succeed and permission to serve the proceedings on Google outside the jurisdiction was rightly refused by the judge -.