Supreme Court and data protection
Over the last couple of years, we’ve seen a marked increase in the number of claims relating to data protection breaches.
It’s easy to see why. When the GDPR was introduced a couple of years ago, people became more aware of their data rights than ever. It also used to be the case that a claimant could only seek damages for distress if the data breach also caused them a financial loss. But the court (and, latterly, Parliament) accepted this was prohibitive and introduced a free-standing right to claim for distress, widening the door for possible claimants to pursue damages.
Lloyd v Google – opening the floodgates
And then came the seminal case of Lloyd v Google, where the Court of Appeal appeared to give the green light to claimants who had suffered neither financial loss nor distress as a result of a data breach. The case was brought by an individual, acting as a “representative” of all individual iPhone users who were affected by a Safari Workaround that was installed by Google on Apple iPhones in 2011-2012. The Workaround allowed Google to essentially profit from tracking the iPhone users’ internet habits and advertising targeted at users based on those habits. Around four million users were affected and the damages bill for Google could have run into the billions.
At the High Court, Mr Lloyd was refused permission to serve his claim on Google (who are based outside of the jurisdiction). This decision was subsequently overturned by the Court of Appeal, which decided that a “loss of control” over an individual’s data could, of itself, give that individual a right to claim for damages, even if the data breach caused the victim no financial loss or distress.
Some of the claims we’ve seen since the Court of Appeal decision have, it must be said, been speculative at best. Minor breaches where trivial data has been inadvertently disclosed suddenly attracted claims on the basis that “if there’s been a breach, I have lost control over my data so you’re liable, no matter what”. Inevitably, the Court of Appeal’s decision in Lloyd has been quoted at length to support this type of argument.
Applying the Brakes
It was therefore with some trepidation that data controllers waited for the Supreme Court’s decision in Lloyd v Google, to see whether it would endorse the Court of Appeal’s view and open the floodgates even further. After around six months of waiting, the judgment was finally delivered w/c 8 November 2021.
It will give data controllers some relief to hear that the Supreme Court has retreated from the view given by the Court of Appeal. It has expressly stated that section 13 of the Data Protection Act 1998 “cannot reasonably be interpreted as giving an individual a right to compensation without material damage or distress whenever a data controller commits a non-trivial breach of any requirement of the Act in relation to any personal data of which that individual is the subject”. So the Supreme Court has clarified the position: under the DPA 1998, a claimant must be able to show that they suffered financial loss and/or distress as a result of a data breach. The simple loss of control of data is not enough on its own.
Although the decision was made in relation to the DPA 1998, the wording of the DPA 2018 is not significantly different, so it’s likely that the current legislation would be interpreted in the same way. While claimants are not prevented from seeking “loss of control” damages in a tortious claim of Misuse of Private Information (“MPI”), these claims are harder to establish and are unlikely to succeed where the data disclosed is trivial in nature.
As for the way the claim was brought, the Supreme Court found that an individualised assessment of damages could not be conducted in a representative action. It was up to Mr Lloyd to seek a declaration that Google had breached the DPA 1998 with damages left to be assessed by individualised assessment. He chose not to adopt that two-stage approach. As such, the conditions for bringing a representative action have not been established and Mr Lloyd has been denied permission to serve his claim on Google. As a result, the claim is now over.
Is this a victory for data controllers?
Overall, the outcome is undoubtedly a victory for data controllers who could potentially face huge representative actions. The brakes on those types of cases have – for now - been applied.
As for the lower value, “any breach leads to a claim” type of cases that we’ve seen a lot of recently, the Supreme Court decision will now require a claimant to show they have suffered financial loss and/or distress (by which we mean, some sort of mental distress caused by the disclosure of their data). This ought to make it easier for trivial claims to be rejected. It’s unlikely that the threat will evaporate all together, however, with claimants still able to rely on “distress” to claim damages and alternative claims for MPI still being available.
With further, high profile, data protection cases waiting to be heard, it remains to be seen whether and how claimants will seek alternative ways to pursue data protection and privacy claims and how Lloyd will limit representative claims in the future. Practitioners will be keenly watching this space to see what the long term consequences of the Lloyd v Google decision may be.
If you have any queries regarding your role as a controller or processor of data or have any concerns about data security and breaches contact Catherine Savage or another member of the litigation team.
Get In Contact
Catherine specialises in academic litigation. She has extensive experience of representing education clients in discrimination claims and judicial review applications.