Lloyd v Google and the Impact on Data Breach Claims

Together we are Forbes

Governance, Procurement & Information Article

11 November, 2021

On 10 November 2021, the Supreme Court delivered its long-awaited judgment in the case of Lloyd v Google. The judgment will be welcomed by our clients and data controllers as it brings clarification to the rapid rise in claims being made for compensation following a data breach. However, whilst the judgment is a victory for Google and will be a relief for data controllers, it is doubtful public opinion will welcome the victory as it demonstrates consumers' struggle for compensation against large multinational companies who they believe exploit personal data for commercial gain.

Background

Mr Lloyd brought a representative action against Google on behalf of more than 4 million iPhone users. Mr Lloyd alleged that between 9 August 2011 and 15 February 2012, Google used a "Safari workaround" to bypass privacy settings on iPhone. Mr Lloyd argued that this workaround allowed Google to harvest browser data from iPhone users without their consent. Mr Lloyd sought £750 on behalf of 4 million iPhone users, making the claim against Google amount to £3Billion. This was on the basis that each iPhone user had lost control of their data and the iPhone users should receive damages as a result.

As the events relating to the Safari workaround occurred between 2011 and 2012, the claim was made under the Data Protection Act 1998 as the GDPR and the Data Protection Act 2018 had not yet come into force.

Supreme Court's Decision

In reaching its verdict, the Supreme Court decided that:

  1. Individuals will not have a right to compensation for any contravention by a data controller of any of the requirements of the Data Protection Act 1998 unless it can prove that the contravention has caused material damage (i.e. mental distress or financial loss) to the individual concerned; and
  2. The representative action was impermissible in principle and was doomed to fail. In order to advance a representative action on behalf of each of the 4 million iPhone users, Mr Lloyd had to show that each of those individuals had both suffered a breach of their rights and suffered damage as a result of that breach.

Damages for Loss of Control

In bringing the claim, Mr Lloyd argued that a non-trivial breach of any individual's data protection rights gives rise to an entitlement to compensation for "loss of control" of personal data. The Supreme Court held that this approach was inconsistent with the wording of the Data Protection Act 1998. Permitting individuals to be entitled to damages for a mere infringement of their rights under data protection law which causes no material damage nor distress would require an extension to the rights conferred by the Data Protection Act 1998.

Claims Made Under UK GDPR and Data Protection Act 2018

The Supreme Court judgment makes it clear that because the acts and omissions giving rise to the claim occurred in 2011 and 2012, the claim is governed by the old law contained in the Data Protection Act 1998 and the decision could not be affected by legislation that has come into force at a later date. Whilst this claim was brought under the old law, the differences between the previous Data Protection Act 1998 and the UK GDPR and Data Protection Act 2018 do not appear to offer significant scope for differentiating any new claims brought under the UK GDPR from the precedent now set by the judgment in Lloyd v Google.

What Does This Mean for Data Controllers?

This judgment will be welcomed by data controllers as the financial consequences of a large data breach could have been fatal, if the claim had been successful. The precedent set in this case and the recent approach taken by the lower courts to claims for distress following a data breach, suggest that not all technical infringements of data protection will allow individuals to make a claim for compensation.

Organisations should continue to have in place robust technical and organisational security measures in place to avoid data breaches from occurring in the first instance and ensure data breach procedures are in place which will quickly mitigate and contain any damage caused by the data breach, so that individuals do not suffer any material damage.

For more information contact Bethany Paliga in our Governance, Procurement & Information department via email or phone on 01254 222347. Alternatively send any question through to Forbes Solicitors via our online Contact Form.

Learn more about our Governance, Procurement & Information department here

ICO Issues Enforcement Notice for SAR Submitted During Employment…

ICO Issues Fine for Failure to Comply with Privacy Rules

Contact Us

Get in touch to see how our experts could help you.

Call0800 689 0831

CallRequest a call back

EmailSend us an email

Contacting Us

Monday to Friday:
09:00 to 17:00

Saturday and Sunday:
Closed