12 November, 2021
The Supreme court have just handed down the long-awaited decision in Lloyd v Google.
Mr Lloyd brought a claim for compensation under section 13 of the DPA 1998 for damage he claimed had been caused by Google unlawfully processing the personal data of Apple iPhone users in breach of the Act.
He brought the claim on behalf of millions of users arguing he was entitled to do so under paragraph 19.6 of the Civil Procedure Rules, who he alleged had the "same interest" in the claim, even though he didn't have details of their individual circumstances. Essentially it was a class action about an opt-out provision in the Google terms. His claim alone was of limited value. A combination of millions of claimants affected by the opt-out clause did however have a substantial value as part of a class action.
He needed permission to serve the claim form outside the jurisdiction. Google objected, arguing damages cannot be awarded under the DPA 1998 without proof a breach had caused an individual to suffer financial damage or distress and that it was an unsuitable representative action.
The High Court agreed with Google. The Court of Appeal reversed that decision. The Supreme Court have now decided the Hight Court was right.
Section 13(1) of the DPA 1998 provides that:
An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage.
The court concluded that the Claimant (Mr Lloyd) could not prove material damage and distress as a result of the data controllers (Googles) breach. As a result, the court had been right to refuse permission to serve the proceedings outside the jurisdiction.
Section 13 has now been replaced by Art. 82 of the GDPR (General Data Protection Regulations 2018) which provides:
1. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation
A processor shall be liable for the damage where it has acted outside or contrary to lawful instructions of the controller….unless it proves that it is not in any way responsible for the event giving rise to the damage.
4. Where more than one controller or processor…. each shall be liable for the entire damage.
It clearly provides a right to recover compensation for a breach of the regulations.
In practical terms, the outcome of Mr Lloyd's case restricts the rights of an individual to claim damages for a trivial breach, where no material damage or loss can be proved. The ICO describes "material damage" as a loss of "money" and "non-material damage" as "distress". A simple loss of control of data is unlikely to warrant an award. This means anyone who has suffered a low-level data breach, which has caused no more than a trivial degree of distress is unlikely to be able to claim, even though there has been a loss of control of their data.
There is nothing in the judgement preventing a claim in tort for the misuse of private information or breach of confidence, where damages can be awarded, if material damage or distress has been caused.
Examples would include claims where sensitive personal data, e.g.) medical records, financial information or other sensitive information has been distributed, disclosed, or sent by mistake, without consent or lawful excuse.
The aim of compensation is to try and place you back in the same position as if the breach had not taken place. The sums awarded under these guidelines include injury to feelings and any consequential financial loss. There is limited case law on the valuation of these claims. The awards can range from a few hundred pounds to £2,000 in less serious cases where the discrimination is a one off incident or isolated in nature. For example, it did not happen in a public place, apologies were made. The nature of the documents disclosed can have bearing on the award, for example medical data is more likely to attract a higher award.
There are examples of case where awards have been up to £10,000 where there has been a lengthy campaign of discrimination and harassment - particularly rude or insensitive language, widespread publication, whether it relates to personal/intimate part of life, depression, or illness is caused because of the act of discrimination.
In very serious cases, aggravated damages can be awarded if there was a motive for the wrongful disclosure or the conduct of the other party during the litigation is unmeritorious or aggressive.
If you have suffered distress because of a data breach you may have a claim for damages, please contact us for no obligation, no win no fee advice.
For more information contact John Bennett in our Data Breach Claims department via email or phone on 01254 872111. Alternatively send any question through to Forbes Solicitors via our online Contact Form.
Learn more about our Data Breach Claims department here