Commercial Law Specialists
Registered office: 1 The Briars, Waterberry Drive, Waterlooville, England, PO7 7YH
LLOYD V GOOGLE: Implications of the UK Supreme Court Closing the Door on Lloyd (Respondent) £3.3 BN Claim.
Author : Neil Page

The Lloyd v Google case is a significant judgment in the emerging English data litigation landscape. It established that claimants can only obtain compensation for breaches of their statutory data privacy rights if they can evidence material damage or distress, and loss of control of personal data alone is not sufficient. The case had implications for other class action-style claims against companies accused of breaching data privacy law, and the focus on claims where actual damage has been suffered is the right outcome for all businesses, not just big Tech.

In the case, Richard Lloyd filed a representative action on behalf of a number of claimants alleging that Google had breached its duties as a data controller under the DPA 1998 to over 4 million Apple iPhone users during some months in 2011 to 2012, by tracking their internet activity using the so-called Safari Workaround. The Safari Workaround allowed Google to identify visits by a relevant device to any website displaying an advertisement in its advertising network, and to collect considerable amounts of information. Among other things, it is alleged that the Safari Workaround allowed Google to determine how long a user spent on each relevant website and what advertisements were viewed, and to direct advertising to the user tailored to their interests.

The key aspects that make Lloyd a significant judgment are, first, Mr. Lloyd's argument that the DPA 1998 supported compensation for loss of control over data subjects' personal information without the need for the data subjects themselves to identify any specific financial loss or evidence that they had suffered material damage or distress. Second, the case required the Supreme Court to reach a view on whether a representative action under Rule 19.6 of the Civil Procedure Rules could proceed on the basis that the 4.6 million members of the class had the "same interest" in the claim and were identifiable.

The Supreme Court ruled that loss of control under section 13 of the DPA 1998 requires that, for compensation to be awarded, the claimant must suffer "damage by reason of any contravention," and "damage" is to be interpreted as material damage or distress. The Court also ruled that where damages are claimed in a representative action, they must be calculable on a basis that is common to all persons represented, or the representative actions may be brought in two stages.

The Lloyd v Google case is a landmark judgment that has had an impact on liability for loss of control over data. It established that the interpretation of "damage" for the purposes of section 13 of the DPA 1998 encompasses a range of material and non-material damage, including any damage suffered as a result of contravention by a data controller of any of the requirements of the DPA 1998. The case had implications for other class action-style claims against companies accused of breaching data privacy law, and its focus on claims where actual damage has been suffered is likely to be the right outcome for all businesses, not just big Tech.

The Supreme Court's judgment in Lloyd v Google clarified that compensation for breaches of statutory data privacy rights under section 13 of the Data Protection Act 1998 (DPA 1998) can only be awarded if the claimant can demonstrate material damage or distress. The Court rejected the argument that compensation could be awarded for loss of control alone, without any pecuniary or other material loss suffered by the claimant. The Court also confirmed that claims for damages for misuse of private information are different from claims under section 13 of the DPA 1998, and that user damages may be available in the former but not the latter. Finally, the Court rejected the use of representative actions for damages claims that require an individualized assessment of harm, but left the door open to such actions where damages can be calculated on a basis common to all members of a class.

The recent Lloyd v Google case in the UK has clarified the legal position on collective actions and data protection claims. The case concerned allegations that Google had unlawfully collected data on millions of iPhone users, without their consent, in breach of the Data Protection Act 1998. The claimant, Richard Lloyd, sought to bring a representative action on behalf of all affected users, seeking compensation for the breach.

The Supreme Court's judgment has important implications for collective actions in the UK, particularly in the context of data protection claims. The Court confirmed that representative actions can be a powerful tool for pursuing claims, but only where certain conditions are met. For example, all members of the represented class must have the "same interest" in the claim, and there should be no true conflict of interest between them. In addition, where damages claims necessitate an individualised assessment of harm, the representative action may not be appropriate.

The Supreme Court also acknowledged the prospect of representative actions being brought as part of a bifurcated two-stage process. The first stage would be to assess liability, with a declaration that any member of the represented class who has suffered damage by reason of the breach is entitled to compensation. The second stage would then be to assess compensation in individual claims on the basis of the specific facts in each case.

Overall, the Lloyd case clarifies the legal position on collective actions in the UK and paves the way for further claims to be brought in the future. The decision will be of interest to lawyers and litigants in the UK and beyond, particularly in the context of data protection and other mass harm claims.

The Supreme Court judgment in Lloyd v. Google requires claimants to demonstrate material loss or distress to bring a claim under section 13 of the DPA 1998, which was interpreted by reference to Article 23 of the EU Data Protection Directive. However, the UK GDPR and DPA 2018 supersede the DPA 1998, and it remains to be seen how courts will apply Lloyd to future claims brought under the current statutory regime. The right to claim compensation under Article 82 of the UK GDPR and sections 168 and 169 of the DPA 2018 is broadly the same as under section 13 of the DPA 1998, but with clarificatory updates. However, the Supreme Court's interpretation of "damage" relied on the specific construction of section 13 of the DPA 1998 without reference to legislation subsequently enacted. Despite some outstanding issues, the judgment brings the position on data litigation in England and Wales closer to the position in other European jurisdictions, where the courts have habitually required evidence of material damage or distress/emotional harm when awarding compensation for breaches of data protection rights or unlawful data processing under the GDPR. Claims from individuals for compensation for breach of their data rights are expected to continue to pose a serious threat to businesses, with compensation available for financial and non-financial loss in connection with data misuse, including distress. It will also be important to determine how (if at all) the decision affects the way in which the ICO operates following data breaches going forward.