Lloyd v Google: The Reality about Mass Data Breach Claims in the UK
On 10 November 2021, the UK Supreme Court held that in order for an individual to claim compensation under the Data Protection Act 1998 (the “DPA 1998”), it was necessary to prove both unlawful use of their personal data and, contrary to earlier authority, that the individual suffered material damage or distress as a result. Loss of control of personal data would not, alone, give rise to a claim in damages.
The case concerns the placement and operation of Google’s “DoubleClick” advertising cookies on Apple iPhones. Richard Lloyd issued a claim against Google, alleging that for months between 2011 and 2012, Google had secretly tracked the internet activity of millions of iPhone users using Apple’s internet browser “Safari” and used the data collected for commercial purposes without users’ knowledge or consent. He claimed that Google had therefore breached its duties as a data controller under section 4(4) of DPA 1998.
Mr Lloyd sought to claim and recover damages on behalf of the millions of people residing in England and Wales who owned an iPhone at the relevant time and had their data collected in this way. Mr Lloyd argued that compensation could be awarded under section 13 of the DPA 1998 for ‘loss of control’ of personal data without the need to prove that the individual concerned suffered financial loss or distress as a result of the breach.
The judgment in this case was given by Lord Leggatt, with whom the other four judges all agreed. The judge found Mr Lloyd’s approach to be incompatible with the wording of section 13 of the DPA 1998 commenting that “[section 13] cannot reasonably be interpreted as giving an individual a right to compensation without proof of material damage or distress whenever a data controller commits a non-trivial breach of any requirement of the Act in relation to any personal data of which that individual is the subject”. As such it is necessary to demonstrate damage. Loss of control of data without proof of damage is not sufficient to claim damages.
The judge noted that, in theory, the claim could have progressed using a two-stage process: first by Mr Lloyd establishing that there was a claim against Google, then for individual claims to be raised by each of those affected iPhone users. However, this process was not adopted by Mr Lloyd. Ultimately, the Supreme Court held that Mr Lloyd’s claim had “no real prospect of success” and allowed the appeal, ruling in Google’s favour.
The claim in this case was governed by the now repealed DPA 1998, as the events concerned occurred prior to implementation of the DPA 2018 and the UK General Data Protection Regulation (or GDPR). However, the language in the GDPR draws the same distinction between the act giving rise to the damage and the damage itself. This suggests that the decision in Lloyd v Google will set the tone for future damages claims and suggests that the bigger the pool of claimants, the harder it will be to make a case that satisfies the requirements for a successful mass data breach claim in the UK.
Lynn Richmond, Partner, Accredited Specialist in IP and Certified Specialist in Cyber Security, firstname.lastname@example.org / 0131 222 2939
Ibinabo David-West, Trainee Solicitor, email@example.com / 0141 221 8012