The Supreme Court handed down the long-awaited decision in Lloyd v Google  UKSC 50 last week and unanimously allowed Google's appeal, rejecting Mr Lloyd's proposition that individuals are entitled to compensation under the old Data Protection Act 1998 (the DPA 98 or the Act) for "loss of control" of their data (that is for the simple fact of the data controller having committed a breach, without the claimant having to prove any resulting damage or harm).
Mr Lloyd, a consumer rights activist, sought to bring an opt-out “class action” against Google, seeking damages on behalf of the 4 million iPhone users affected by a Safari workaround utilised by Google between April 2011 and February 2012. The workaround bypassed iPhone privacy settings, allowing Google to place cookies which tracked users and collected a broad range of data from individuals without their knowledge or consent (which Google then effectively sold to third parties for the purpose of delivering targeted advertising).
Section 13 of the DPA 98 stated that individuals who suffered 'damage' as a result of a data controller's breach of its obligations under the Act were entitled to compensation. Historically, case law has interpreted the reference to damage as including financial damage or distress, without any indication of 'loss of control' being a valid basis for a claim. However, damages for 'loss of control' were and are available in misuse of private information cases, and Mr Lloyd sought to break new legal ground by transposing those same principles relating to loss of control into the DPA 98. Mr Lloyd argued that individuals should be entitled to recover compensation whenever a data controller failed to comply with its obligations under the Act, as long as the breach was not trivial or 'de minimis' – even if there had been no consequences whatsoever.
No damages for loss of control
The Supreme Court held that for individuals to be entitled to compensation for a data breach under S.13 (1) of the DPA 98 they must show that they have suffered material damage (which would include distress). The Supreme Court also confirmed that this material damage or distress must be caused by the data controllers breach.
In reaching the decision, the Supreme Court rejected Mr Lloyd's attempt to reconcile the interpretation of damages in relation to misuse of private information and the meaning of "damage" for the purposes of data protection legislation. In doing so, the Supreme Court thankfully confirmed that damages are not available for mere 'loss of control'.
Low likelihood of class actions in this type of case
The Supreme Court also confirmed that an assessment of damages for a breach of the DPA had to be dealt with on an individual basis because 'distress' is of a subjective nature and levels of material damage will likely vary across a range of claimants. This places complex financial and administrative burdens in the overall assessment of loss, rendering representative actions apparently very challenging indeed, which is more good news for data controllers.
Relevant even under the new Data Protection Act 2018
The claim in Lloyd v Google was brought under theDPA 98, as Lloyd's claimpredated the current data protection framework (the DPA 2018 and GDPR). However, the wording in S.13 of the DPA 18 is identical to that in the DPA 98 and the language under the GDPR also shares similarities with DPA 98 - distinguishing between the infringement which gives rise to the damage, and the damage itself. Therefore, our view is that it's highly likely that a similar approach will be taken for claims brought under the current legal regime.
What does this mean for you?
Data controllers who have been tracking Lloyd v Google and who were concerned about a tidal wave of representative actions and claims for mere breach (without the claimant needing to show distress or other harm) can breathe a sigh of relief for now.
The position remains that to establish a claim for compensation for breaches of UK data protection law, claimants must show that they have suffered financial loss or distress as a result of the breach, and we certainly think that is the right decision. Had Mr Lloyd's case been successful, there would have been far reaching financial implications for businesses (the level of damages advanced by Mr Lloyd was approximately £750 per individual claimant in a class of potentially 4 million people – making the figures at stake eye-watering, and that's before considering other costs and resourcing demands).
There has of course been much commentary about the fact that those who have the most to gain from an 'uptick' in low-value claims like these (where the individual damages sums are in the hundreds to low thousands of pounds) are claimant law firms and litigation funders alike. Whilst the Lloyd v Google decision won't do away with these types of claims or issues, it does in our view set a 'higher bar' for potential Claimants looking to claim damages, which in turn will allow data controllers to be slightly more confident in defending such claims.
In conclusion, the good news is that there are no longer any 'question marks' over whether or not claimants are entitled to damages simply by virtue of there having been a failure to comply with data protection law and, as such, we expect to see data controllers taking a more 'robust' approach to claimants. This is particularly likely to be the case where the breach is relatively minor, and the claimant's evidence of distress is weak or fails to draw a clear or credible link between the 'damage' and the breach.
If you'd like to discuss Lloyd v Google and what it means for you or any of the other issues raised in this article, please do get in touch.