Long awaited judgment in Lloyd v Google
The long awaited Judgment from the Supreme Court in Lloyd v Google LLC  UKSC was given earlier this week.
For those who are not familiar with this claim, the litigation arose in relation to Google’s use of the “Safari Workaround” which allowed Google to bypass protections on Apple’s Safari and process the personal data of allegedly up to four million Apple users in breach of the Data Protection Act 1998 (DPA 1998) between August 2011 and February 2012.
Mr Lloyd, with the backing of a litigation funder, issued a representative claim for damages under section 13 of the DPA 1998 resulting from the “loss of autonomy” or “control” over the personal data from the Safari Workaround. A representative claim essentially means that a claim is brought by one (or more) people, who have the same interest in the claim (unless they have opted out), and therefore, does not require the involvement (active or otherwise) of the whole class. This is different to a Group Litigation Order which requires the members of the class to opt in and therefore be more involved. The uptake for Group Litigation Order classes is much lower as a result.
Mr Lloyd argued that the same figure could be awarded to each class member, without needing to prove any facts that were particular to them, on the basis that compensation could be awarded under the DPA 1998 for the loss of control of the personal data. He suggested that each class member would be entitled to around £750 each, and, whilst this figure is not significant in itself, it becomes significant when, due to the number of those in the class, the total damages could be in the region of £3billion.
Google successfully resisted the claim in the High Court, but this was overturned in the Court of Appeal, where the judges were prepared to consider the idea that each member of the class could be awarded the same amount on a uniform basis.
The Supreme Court unanimously rejected Mr Lloyd’s assertions. Lord Leggatt noted that the wording of section 13 of the DPA 1998 must be interpreted as requiring proof of “material damage” occurring by “result of the breach”. This therefore means that claims under section 13 will require proof of distress or financial loss resulting from the breach, and not relying simply on the fact that there has been a breach.
In respect of the claim itself, the Supreme Court found that as in most cases there would need to be an individual assessment of the losses suffered, bringing a claim by way of representative action (as Mr Lloyd had done), was not the appropriate method as it did not require the involvement of the individual class members. The Supreme Court noted that a claim for a representative action may only be brought if damages can be calculated on a common basis for all members of the class. As such, where the material damage to individuals has scope to vary from case to case, for example, based on the time spent using safari and the volume of data, the individuals of the class in question could not be said to satisfy the requirements for this type of claim.
The result is that whilst a representative action could be used to establish liability for a data breach, it is not appropriate to assess damages and therefore group litigation or individual claims would also be needed to deal with damages.
It is worth noting that the case here concerned conduct carried out in the period between 2011 and 2012 and was therefore governed by the DPA 1998. The Data Protection Act 2018 (DPA 2018) has replaced this, and therefore the precedential value of this decision could be limited. However, this case provides some helpful reassurance not only to Google (who have avoided some £3 billion in damages), but to all other data controllers potentially facing large group claims for breach of the data protection legislation as the appetite to pursue claims of this nature by large claims management firms, is likely to be somewhat diminished.
If you have any questions relating to any of the above, please do not hesitate to contact Emma Loveday-Hill, a Senior Associate in our Data Protection team on 01473 298266 or firstname.lastname@example.org.