11 November, 2021
On 10 November 2021, the Supreme Court delivered its long-awaited judgment in the case of Lloyd v Google. The judgment will be welcomed by our clients and data controllers as it brings clarification to the rapid rise in claims being made for compensation following a data breach. However, whilst the judgment is a victory for Google and will be a relief for data controllers, it is doubtful public opinion will welcome the victory as it demonstrates consumers' struggle for compensation against large multinational companies who they believe exploit personal data for commercial gain.
Mr Lloyd brought a representative action against Google on behalf of more than 4 million iPhone users. Mr Lloyd alleged that between 9 August 2011 and 15 February 2012, Google used a "Safari workaround" to bypass privacy settings on iPhone. Mr Lloyd argued that this workaround allowed Google to harvest browser data from iPhone users without their consent. Mr Lloyd sought £750 on behalf of 4 million iPhone users, making the claim against Google amount to £3Billion. This was on the basis that each iPhone user had lost control of their data and the iPhone users should receive damages as a result.
As the events relating to the Safari workaround occurred between 2011 and 2012, the claim was made under the Data Protection Act 1998 as the GDPR and the Data Protection Act 2018 had not yet come into force.
In reaching its verdict, the Supreme Court decided that:
In bringing the claim, Mr Lloyd argued that a non-trivial breach of any individual's data protection rights gives rise to an entitlement to compensation for "loss of control" of personal data. The Supreme Court held that this approach was inconsistent with the wording of the Data Protection Act 1998. Permitting individuals to be entitled to damages for a mere infringement of their rights under data protection law which causes no material damage nor distress would require an extension to the rights conferred by the Data Protection Act 1998.
The Supreme Court judgment makes it clear that because the acts and omissions giving rise to the claim occurred in 2011 and 2012, the claim is governed by the old law contained in the Data Protection Act 1998 and the decision could not be affected by legislation that has come into force at a later date. Whilst this claim was brought under the old law, the differences between the previous Data Protection Act 1998 and the UK GDPR and Data Protection Act 2018 do not appear to offer significant scope for differentiating any new claims brought under the UK GDPR from the precedent now set by the judgment in Lloyd v Google.
This judgment will be welcomed by data controllers as the financial consequences of a large data breach could have been fatal, if the claim had been successful. The precedent set in this case and the recent approach taken by the lower courts to claims for distress following a data breach, suggest that not all technical infringements of data protection will allow individuals to make a claim for compensation.
Organisations should continue to have in place robust technical and organisational security measures in place to avoid data breaches from occurring in the first instance and ensure data breach procedures are in place which will quickly mitigate and contain any damage caused by the data breach, so that individuals do not suffer any material damage.
For more information contact Bethany Paliga in our Governance, Procurement & Information department via email or phone on 01254 222347. Alternatively send any question through to Forbes Solicitors via our online Contact Form.
Learn more about our Governance, Procurement & Information department here