LLOYD v GOOGLE: The Big Ones Get Away?

John Myles

Published: January 19th, 2022

To some observers, civil claims for compensation for often relatively trivial breaches of a person's data represent an opportunity for some legal firms to replace diminishing whiplash or holiday sickness claims with a new source of work. One potential avenue for claimant firms looking to diversify, however, looks to have been blocked.

On 10 November 2021, the Supreme Court delivered its long-awaited judgment in the case of Lloyd v Google [2021] UKSC 50.


Mr Lloyd brought a representative action against Google on behalf of more than 4 million iPhone users. He alleged that between 9 August 2011 and 15 February 2012, Google used a "Safari workaround" to bypass privacy settings on the iPhone. Mr Lloyd argued that this workaround allowed Google to harvest browser data from iPhone users without their consent. He sought £750 for each of 4 million iPhone users, bringing the total claim against Google to £3 billion. This was on the basis that each iPhone user had lost control of their data and should receive damages as a result.

As the events relating to the Safari workaround occurred between 2011 and 2012, the claim was made under the Data Protection Act 1998 as the GDPR and the Data Protection Act 2018 had not yet come into force.

Supreme Court's Decision

In reaching its verdict, the Supreme Court decided that:

  1. Individuals will not have a right to compensation for any contravention by a data controller of any of the requirements of the Data Protection Act 1998 unless it can be proved that the contravention has caused material damage (i.e. mental distress or financial loss) to the individual concerned; and

  2. The representative action was impermissible in principle and was doomed to fail. In order to advance a representative action on behalf of each of the 4 million iPhone users, Mr Lloyd had to show that each of those individuals had both suffered a breach of their rights and suffered damage as a result of that breach.

Damages for Loss of Control

In bringing the claim, Mr Lloyd argued that a non-trivial breach of any individual's data protection rights gives rise to an entitlement to compensation for "loss of control" of personal data. The Supreme Court held that this approach was inconsistent with the wording of the Data Protection Act 1998. Entitling individuals to damages for a mere infringement of their rights under data protection law which causes neither material damage nor distress would require an extension to the rights conferred by the Data Protection Act 1998.

Claims Made Under UK GDPR and Data Protection Act 2018

The Supreme Court judgment makes it clear that because the acts and omissions giving rise to the claim occurred in 2011 and 2012, the claim is governed by the old law contained in the Data Protection Act 1998 and the decision could not be affected by legislation that has come into force at a later date. Whilst this claim was brought under the old law, the differences between the previous Data Protection Act 1998 and the UK GDPR and Data Protection Act 2018 do not appear to offer significant scope for differentiating any new claims brought under the UK GDPR from the precedent now set by the judgment in Lloyd v Google.

What Does This Mean for Data Controllers?

This judgment will be welcomed by data controllers, as the financial consequences of a large data breach could have been fatal if the claim had been successful. The precedent set in this case and the recent approach taken by the lower courts to claims for distress following a data breach suggest that not all technical infringements of data protection will allow individuals to make a claim for compensation.

Forbes Comment

Organisations should continue to have robust technical and organisational security measures in place to prevent data breaches from occurring in the first instance, and ensure data breach procedures are in place which will quickly mitigate and contain any damage caused by a data breach, so that individuals do not suffer any material damage.

Some might see this decision as a victory for Goliath against David; a large multi-national trumping the lowly Mr Lloyd representing the poor consumer. However, the judgment will generally be welcomed by our clients and data controllers as it brings clarification to this expanding area.

I have seen in defending many individual data breach claims for local authorities that it is relatively easy for a claimant to at least allege some distress has resulted from their data being breached or misused, predominantly, in my experience, as a result of a simple human error. Distress (without the necessity of a medical report to confirm it) is sufficient to entitle a claimant to damages. Therefore, although Mr Lloyd's defeat may be a major setback for large group-type actions, we are still likely to see a growth in data breach claims as other previously rich sources of claims become less profitable.

For further information please contact John Myles
