Data controllers will welcome the news that the Supreme Court has unanimously decided not to allow a representative action sought against Google LLC (Google) to proceed. In its much anticipated judgment, the Supreme Court provides guidance on the meaning of damage under data protection legislation and the suitability of representative actions for claims for compensation, which will significantly alter the data claims landscape.

Case summary

The named claimant, Richard Lloyd, is a consumer rights activist. The allegation at the centre of the claim is that Google breached the statutory duty under section 4(4) of the Data Protection Act 1998 (DPA 1998) by using the so-called 'Safari Workaround' to secretly track, collate and sell information about the internet activity of Apple iPhone users without their consent. 

Mr Lloyd sought to claim compensation from Google on behalf of all of the affected iPhone users (estimated to be around 4 million). He suggested that damages be awarded on the basis that each member of the class be given an equal amount of money to compensate them for the loss of control of their personal data. No specific figure was claimed, but in the letter of claim a sum of £750 per person was suggested, which, if successful, would have resulted in a £3 billion damages award against Google.

For a full detail of the claim history and decisions of the High Court and Court of Appeal, see our earlier article: The increase of data privacy group litigation – Lloyd v Google LLC

Supreme Court decision

Google appealed the Court of Appeal's decision and the following three issues were raised before the Supreme Court:

  • Issue 1: Does loss of control of personal data constitute damage within the meaning of section 13 of the DPA 1998?
  • Issue 2: Is the 'same interest' test satisfied – i.e. do all 4 million iPhone users have the same interest in the claim?
  • Issue 3: If the same interest test is not met, should the Court allow the representative action to proceed by exercising its discretionary powers?

After hearing submissions from Counsel for Mr Lloyd, Google and the Information Commissioner on the issues, and considering extensive past authority on representative actions and the nature and purpose of damages, the Supreme Court concluded that the representative action sought by Mr Lloyd had no prospect of success and should not be allowed to proceed.

The key points from the judgment are:

  • Damages for loss of control
    • The proper interpretation of damage under section 13 of the DPA 1998 is pecuniary loss or mental distress
    • A claimant cannot seek compensation for a breach of data protection law without having suffered damage
    • This means that a claimant cannot seek compensation for 'loss of control' only.
  • Representative action
    • The scope for claiming compensation for a group of individuals in a representative action is restricted by the rules around the nature and purpose of damages as a remedy
    • The purpose of damages for a civil wrong are to put "the claimant – as an individual – in the same position, as best money can do it, as if the wrong had not occurred"
    • For an award of damages, there has to be an "individualised assessment" of the impact on the claimants of the alleged breach. This could not be achieved by an 'opt-out' representative action, where the individual claimants would not participate in the proceedings
    • The Court held that it might have been possible to conduct a representative action on the facts of the case had the claimants sought an alternative remedy such as declaratory relief, and adopting a different approach, but, a representative action seeking damages was not viable.

What does this mean for data controllers?

This decision provides that claimants coming forward to claim damages for breaches of data protection law must be able to show that they have suffered material loss as a result of the alleged breach, and emphasises the need for claimants to provide an individualised assessment of how they have been affected by the breach. Data controllers will no doubt welcome the confirmation that it is not possible to claim damages for loss of control of personal data only. 

We anticipate that the Supreme Court's decision will reduce appetite among claimants and claimant law firms to pursue claims where there is minimal evidence of harm as a result of data breaches, particularly given recent case law around appropriate allocation and costs spend for low level data breaches (see our recent analysis of Warren v DSG Retail Limited [20001] EWHC 2168 (QB) and Rolfe & Ors v Veale Wasbrough Vizards LLP [2021] EWHC 2809 (QB)). It is also doubtful whether other potential representative actions for data breaches which had been on hold pending the Supreme Court's decision will proceed in light of the guidance from the Court that representative actions are not suited to claims for damages.

At Womble Bond Dickinson our international team of data privacy lawyers have significant experience of strategically defending and pursuing data privacy claims, as well as advising clients on the UK's data protection regime and transatlantic privacy issues. If you have any questions, please get in touch with a member of the data privacy team.