LinkedIn
Burges Salmon on Twitter
The Supreme Court’s recent ruling in Lloyd v Google [2021] UKSC 50 found that individuals will not be able to bring claims for non-pecuniary losses arising from non-compliance with data protection law and must be able to demonstrate the material damage that has been suffered by any breach. The Court’s recent ruling will come as a relief for data controllers, who may have been concerned over the prospect of group litigation being brought against potential misuse of personal data, especially when those organisations may have already been subject to regulatory fines from the ICO. The Supreme Court unanimously found that where representative actions are brought by a class of individuals who have suffered the same data breach, each individual must be able to demonstrate that they have suffered individual damage in order to form part of the claim, putting a stop to the prospect of ‘opt-out’ actions for data protection breaches. Similarly, the Data Protection Act 1998 does not give rise to a non-pecuniary right to compensation for misuse of personal data, and data subjects must be able to demonstrate material loss or damage in order to bring a claim.
Background
Mr Lloyd initially brought a claim in a representative capacity against Google on behalf of over 4 million iPhone users for loss of control of those consumers' personal data. It was alleged that between August 2011 and February 2012, Google had gathered browser-generated personal data through bypassing the block on third party cookies on Apple’s Safari browser (an action that had already resulted in a $22.5 million fine in the US).
The Court of Appeal overturned the High Court’s finding that the ‘class’ of members lacked a sufficient ‘shared interest’ in the claim, arguing that they had all suffered the same non-consensual misuse of data. The Court of Appeal also overturned the High Court’s ruling that no damage had been suffered under section 13 of the (then in force) Data Protection Act 1998. This means that where businesses simply lost control of an individual’s personal data, they may be liable even where the data subject has not suffered any financial loss or distress.
Subsequently, the central questions for the Supreme Court to decide were:
- whether damages for ‘loss of control’ under section 13 of the Data Protection Act 1998 could be granted for non-pecuniary losses; and
- whether the class of members involved shared the ‘same interest’ in the action, and whether the Court should exercise its discretion in allowing the claim to proceed.
Judgment
The Supreme Court unanimously dismissed the £3 billion compensation claim under the grounds that the Claimant had failed to demonstrate “what, if any, wrongful use was made by Google of the personal data of any individual”. The Court confirmed that any compensation for breaches of the Data Protection Act 1998 can only be made where ‘material damage’ has been suffered. The Supreme Court similarly ruled, in relation to the class of representatives, that to bring the group action, each member must have been able to demonstrate that their rights had been breached and that they had suffered material damage as a result.
Implications
The Supreme Court’s judgment puts a stop to concerns from controllers that the floodgates will open to group litigation cases for mishandlings of personal data. The judgment aligns with the position of the Department of Culture, Media and Sport’s consultation earlier this year, which ruled out the possibility of any opt-out procedures for data protection claims. Overall, the threshold of materiality will likely see a reduction in the number of claims from individuals for any mishandling of their personal data, particularly those driven by litigation funders. With the prospect of a wave of opt-out group litigation actions for personal data breaches now firmly dead in the water, individuals whose data has been mishandled will have to demonstrate the loss they have suffered in relation to the breach before contemplating whether any action can be brought. Whilst the judgment itself relates to claims under the Data Protection Act 1998 and not the UK GDPR or Data Protection Act 2018, the difference in the wording between such legislation does not suggest that there would be any difference in the outcome of a case should the Courts be required to rule on the new legislation. The Supreme Court has effectively ensured that representative actions (or the prospect of an ‘opt-out’ system being introduced) will be unlikely to succeed unless each of the members can demonstrate clear and material damage from any non-compliance.
This does not relieve organisations from the significant fines that can be imposed by the ICO for mishandling of personal data, but it does rule out the possibility that controllers will also face class-action claims from data subjects themselves in relation to breaches, which is particularly important given the significant amounts of compensation that may have been payable under such group litigation.
The Court’s recent ruling will come as a relief for data controllers, who may have been concerned over the prospect of group litigation being brought against potential misuse of personal data, especially when those organisations may have already been subject to regulatory fines from the ICO.
