18 February, 2022
The hugely anticipated landmark decision in Lloyd v Google has finally been handed down by the Supreme Court, which has refused Richard Lloyd (the claimant) permission to serve a representative action on Google (the defendant), estimated to be valued in the region of 3 Billion.
In this case a large number of claimants had their browser generated information taken without their consent. A class action was brought arguing that they were all victims of the same alleged wrong and had all sustained the exact same loss. The claimant, Richard Lloyd sought to bring a US-style 'opt-out' class action against Google in the English courts, relying on the representative claims procedure set out in Civil Procedure Rule (CPR) 19.6. He sought to bring his claim on behalf of around 4 million people, seeking a set amount of damages for each claimant, without them having to 'opt in' or prove damage for each individual, which he argued would significantly reduce the complexities and cost of the claims.
In October 2018, the High Court refused permission for this, finding that Lloyd's claim failed to identify a basis for the members of the represented class to claim compensation under the DPA, holding that the claims had no prospects of success as there had been no proven pecuniary loss or distress. The claimant was not therefore permitted to continue as a representative class action.
Lloyd appealed, and on 2 October 2019 the Court of Appeal allowed the appeal, holding that damages can in fact be awarded for loss of control of data under section 13 of the Data Protection Act 1998, even when there had been no pecuniary loss or distress.
The Supreme Court held that damages for the loss of control element of the breach, brought under S.13 of The Data Protection Act 1998, could not be awarded unless there was some actual proof by each individual claimant that the breach had caused them material financial damage or distress. It decided that it was not appropriate for the claimant to pursue the claims using the representative procedure under CPR 19.6, as an individual assessment of damages would be required on a claimant-by-claimant basis, thus taking it outside the scope of CPR 19.6.
The claimant argued that each claimant should be awarded the lowest common denominator of damages, i.e. £750.00 each. The court rejected this argument on the basis that if those damages were permitted, the individual claimant's pleadings would not even pass the minimum threshold.
Whilst the judgment is damning to Claimants bringing class actions against organisations, it does not necessarily mean that all data protection breaches for group actions will fail. It should be noted that the claim in Lloyd v Google was brought under old legislation set out in DPA 1998, which is now obsolete, having been replaced by DPA 2018 /GDPR. The Court did not specifically rule on whether the claims would stand under the new legislation, in particular, Article 82 of the GDPR, which permits compensation for non-material damage. The door remains slightly open as to whether an 'opt-out' group claim could still succeed under the new DPA 2018 /GDPR legislation.
The Supreme Court suggested that Lloyd's claim should now be pursued using a two tier approach:
Although we don't deal with class actions here at Forbes Solicitors, the emerging case law shows that the courts are still willing to award compensation for the loss of control of data of an individual, where it can be shown to have caused them material financial damage or distress. Many cases will fall into the small claims jurisdiction where legal costs are not generally recoverable, making them uneconomical to run.
If however your personal and sensitive data and information has been incorrectly sent out by an organisation to the wrong address, either by e-mail or post, you may have claim for damages.
For more information contact Lisa Atkinson in our Data Breach Claims department via email or phone on 01254 222448. Alternatively send any question through to Forbes Solicitors via our online Contact Form.
Learn more about our Data Breach Claims department here