A detailed review of Lloyd v Google: what does it mean and what next for claims management companies?

The Supreme Court handed down judgment in Lloyd v Google LLC [2021] UKSC 50 on 10 November 2021. This is a seminal decision which provides that damages for alleged data breaches cannot be claimed without proving actual financial loss or distress. The Court also set out the evidence needed to assess compensation where damage had been suffered.

Please click here to see our earlier summary blog on this judgment.

This judgment comes hot on the heels of a number of other recent decisions that have favoured data controllers.

However, despite the initial sigh of relief for data controllers following a very welcome judgement keeps the floodgates closed, it may well lead to greater creativity by claims management firms to bring claims, leading to new (and costly) arguments being made.

The facts

Richard Lloyd, a former executive director of the UK Consumers' Association, Which?, sought to bring a representative claim against Google on behalf of over 4 million individuals. His claim was for damages for users of iPhones between 2011 and 2012 where Google bypassed privacy settings (on the Safari browser) to track internet usage and collect data from individuals without their consent. The data was used for commercial gain by Google.

At first instance, the Court prevented the claim from continuing on the basis that the pleaded claim did not give rise to a claim for damages under the Data Protection Act 1998 and that the claim should not therefore continue as a representative action.

Mr Lloyd appealed, arguing that no such assessment was necessary because there was a loss of control of their personal data, for which they should all be entitled to a "uniform sum". Mr Lloyd sought the sum of £750 per person. The Court of Appeal agreed holding that, subject to a de minimis threshold, a claimant is entitled to damages for loss of control of personal without having to prove actual loss. Google therefore appealed to the Supreme Court.

The issues

The Supreme Court was asked the following questions on appeal:

1. Are damages recoverable for loss of control of personal data under Section 13 of the Data Protection Act 1998 ("the DPA 1998") even if there is no pecuniary loss or distress?
2. Could Mr Lloyd bring a representative claim in circumstances where it was not clear that all 4 million iPhone users affected had the "same interest"?
3. If so, should the Court exercise its discretion and disallow the representative action to proceed?

The final two issues relate to class actions, which are not the focus of this analysis. However, these claims can have a devastating impact on a business. In short, the Supreme Court held that that allowing a representative claim may well be appropriate if the "same interest" test was satisfied but only if damages can be calculated similarly for all claimants. The purpose of damages was to put the claimant(s) in the same position as if the wrong had not occurred.

Because of the way the claim was framed by Mr Lloyd (i.e. suggesting that all iPhone users received a uniform level of damages), evidence about how each person was affected by Google's actions would be necessary. This evidence was not before the Court as not all of the claimants participated in the action (it is therefore referred to as an "opt-out" action).

The decision

The Court unanimously rejected the notion that damages would be available for a mere "loss of control" of someone's personal data. It held that under the Data Protection Act 1998 there was no automatic right to compensation simply because there has been a breach - i.e. the loss must be distinct from and have been caused by the breach, and there must be material damage or distress.

In any event, to determine the extent of any damages, the Court would need to undertake an assessment having considered a) the time period in question; b) the quantity of the data involved; and c) nature of the data. Without this evidence, there was no right to compensation as the Court could only conclude that trivial damage occurred.

Often claims of this nature are also pitched as claims for "misuse of private information", however the Court determined that these claims were not aligned as personal data is not always private in nature. This poses a further hurdle for claimants and claims management companies who often plead multiple causes of action in the hope one will stick, entitling them to damages and costs.

Another helpful decision on this issue was made earlier this year by the High Court in Warren v DSG Retail Ltd [2021] EWHC 2168 QB. We reported on this case in our earlier blog.

What does this mean for data controllers?

Although the judgment relates to the DPA 1998, which has now been superseded by the Data Protection Act 2018 and the General Data Protection Regulation ("GDPR"), it is understood that the same principles will apply to cases brought under the current legislation. However, the Supreme Court's decision did not resolve this point directly. Lord Leggatt stated expressly that the current legislation was not taken into consideration, leaving room for argument by imaginative claims management firms.

Furthermore, as claimants will now be required to obtain medical evidence of distress, reports from experts will likely be sought. This will only increase costs and potentially result in a more aggressive approach being taken to settlement.

In addition, the Court stated that class actions could be pursued to determine liability before determining the value of damages, albeit this model is unlikely to be attractive for claims firms and may therefore serve as a deterrent to claims of this nature.

Overall, it is hoped that, when taken with the recent string of Court decisions in favour of data controllers (such as Rolfe v VWV [2021] EWHC 2809 (QB)), businesses and organisations will be in a stronger position to reject spurious claims where there has patently been no loss or distress caused, or the incident was a one-off, accidental data breach.