19 January, 2022
To some observers, civil claims for compensation for often relatively trivial breaches of a person's data, represent the opportunity for some legal firms to replace diminishing whiplash or holiday sickness claims with a new source of work. One potential avenue for claimant firms looking to diversify, however, looks to have been blocked.
On 10 November 2021, the Supreme Court delivered its long-awaited judgment in the case of Lloyd v Google.  UKSC 50
Mr Lloyd brought a representative action against Google on behalf of more than 4 million iPhone users. He alleged that between 9 August 2011 and 15 February 2012, Google used a "Safari workaround" to bypass privacy settings on iPhone. Mr Lloyd argued that this workaround allowed Google to harvest browser data from iPhone users without their consent. He sought £750 for each of 4 million iPhone users, making the claim against Google amount to £3Billion. This was on the basis that each iPhone user had lost control of their data and the iPhone users should receive damages as a result.
As the events relating to the Safari workaround occurred between 2011 and 2012, the claim was made under the Data Protection Act 1998 as the GDPR and the Data Protection Act 2018 had not yet come into force.
In reaching its verdict, the Supreme Court decided that:
In bringing the claim, Mr Lloyd argued that a non-trivial breach of any individual's data protection rights gives rise to an entitlement to compensation for "loss of control" of personal data. The Supreme Court held that this approach was inconsistent with the wording of the Data Protection Act 1998. Permitting individuals to be entitled to damages for a mere infringement of their rights under data protection law which causes no material damage nor distress would require an extension to the rights conferred by the Data Protection Act 1998.
The Supreme Court judgment makes it clear that because the acts and omissions giving rise to the claim occurred in 2011 and 2012, the claim is governed by the old law contained in the Data Protection Act 1998 and the decision could not be affected by legislation that has come into force at a later date. Whilst this claim was brought under the old law, the differences between the previous Data Protection Act 1998 and the UK GDPR and Data Protection Act 2018 do not appear to offer significant scope for differentiating any new claims brought under the UK GDPR from the precedent now set by the judgment in Lloyd v Google.
This judgment will be welcomed by data controllers as the financial consequences of a large data breach could have been fatal, if the claim had been successful. The precedent set in this case and the recent approach taken by the lower courts to claims for distress following a data breach suggest that not all technical infringements of data protection will allow individuals to make a claim for compensation.
Organisations should continue to have in place robust technical and organisational security measures in place to avoid data breaches from occurring in the first instance and ensure data breach procedures are in place which will quickly mitigate and contain any damage caused by the data breach, so that individuals do not suffer any material damage.
Some might see this decision as a victory for Goliath against David; a large multi-national trumping the lowly Mr Lloyd representing the poor consumer. However, the judgment will generally be welcomed by our clients and data controllers as it brings clarification to this expanding area.
I have seen in defending many individual data breach claims for local authorities that it is relatively easy for a claimant to at least allege some distress has resulted from their data being breached or misused, predominantly, in my experience as a result of a simple human error. Distress (without the necessity of a medical report to confirm it) is sufficient to entitle a claimant to damages. Therefore, although Mr Lloyd's defeat may be a major setback for large group type actions we are still likely to see a growth in data breach claims as other previously rich sources of claims become less profitable.
Learn more about our Insurance department here