Supreme Court in Lloyd v Google dismisses data protection class action
Published on 18th Nov 2021
The judgment that overturns the Court of Appeal's ruling and disallows a collective claim for 4.5m iPhone users will come as a relief for data controllers
The Supreme Court has handed down its much-awaited judgment in the landmark case of Richard Lloyd v Google. To the huge relief of data controllers worldwide – such is the extra-territorial reach of UK data protection laws – the Supreme Court has restored the original decision of the High Court that Mr Lloyd's novel class action against Google cannot proceed.
Fears that companies that fall victim to cyberattacks would risk being hit with ruinous class action lawsuits have abated.
What was the case about?
Mr Lloyd (backed by a team of lawyers and litigation funders) alleged that between 2011 and 2012, Google contravened the Data Protection Act 1998 (DPA 1998) by tracking the internet activity of iPhone users.
He sought compensation for both himself and an estimated 4.5 million iPhone users, via a mechanism in England and Wales' Civil Procedure Rules – Rule 19.6 – which allows a representative claim to be commenced on behalf of any number of persons, provided they have the "same interest" in the claim.
To meet the "same interest" requirement, the Lloyd team argued that each affected iPhone user suffered a "loss of control" of their personal data by reason of the alleged breach of the DPA 1998. While the extent of loss of control would differ between each user, damages were sought only on the basis that each user had used the Safari browser on his/her iPhone to access an affected website on a single occasion (the criteria for joining the class). The Lloyd team argued that by claiming the same "lowest common denominator" damages for everyone, each member of the class had the "same interest" in the claim.
It had been suggested by the Lloyd team that £750 would be an appropriate amount of damages per head. This would have amounted to a total damages bill of over £3 billion.
When the Court of Appeal sided with the Lloyd team in 2019, this sent shockwaves across the market. Class actions were threatened against companies that had fallen victim to cyberattacks in which the data of many thousands or even millions of data subjects was affected. Damages were claimed on the same basis: each data subject had "lost control" of their personal data.
What did the Supreme Court decide?
The Supreme Court emphatically rejected the Court of Appeal's reasoning. The key points from the decision are:
- So-called "loss of control" damages cannot be recovered under the DPA 1998. Claimants must establish that they have suffered material (such as financial) damage and/or distress as a result of any contravention of the act: a contravention in itself does not automatically mean that damages are payable.
- It is not known whether any of the iPhone users have suffered material damage or distress as a result of the alleged contraventions. But, even if some have, the extent of damage or distress would logically differ between users and, therefore, they would not all have the "same interest" in the claim. This is a bar to any class action under Rule 19.6.
- Even if the Supreme Court was wrong, and "loss of control" damages can be awarded under the DPA 1998, there were fatal flaws in the Lloyd team's position:
  - It would still be necessary to assess each case in order to determine the extent to which each iPhone user had lost control of their personal data. The court would need to consider matters such as the nature and extent of each user's internet use. The users would therefore not have the "same interest".
  - The attempt to get around this by only claiming for each user the "damage" said to have been suffered by the "lowest common denominator" was no answer: this damage would be trivial and would not cross the threshold of seriousness required for any compensation to be payable.
Osborne Clarke comment
This wholesale rejection of the Lloyd team's creative arguments will be a body blow to similar data breach class actions which were on hold pending the Supreme Court's decision, and to other teams of lawyers and funders gearing up to bring new cases if the result went Lloyd's way.
At the same time, data controllers will breathe a sigh of relief at what feels like a common sense decision.
While the decision related to alleged deliberate contraventions of the DPA 1998, it is applicable to contraventions of the UK General Data Protection Regulation, which is now in force, whether deliberate or inadvertent.
That said, litigation following data breaches is here to stay. While the threat of mass opt-out class actions has been averted, the decision still allows claimants (either on their own or in large groups) to bring claims where they can establish that they have suffered material damage or distress following a breach. But this is often very difficult to prove in cases involving anodyne personal data.
Nevertheless, the worst case scenario for companies that fall victim to cyberattacks now looks a lot less bad thanks to this decision, and so there are reasons to be cheerful.
Ashley Hurst and Henry Fox published a comment piece on the decision on the Inforrm Blog.