Has the Supreme Court slammed the brakes on data protection claims?

New Legislation
Published: 18th November 2021
Area: Data Protection

Share This

Supreme Court and data protection

Over the last couple of years, we’ve seen a marked increase in the number of claims relating to data protection breaches.  

It’s easy to see why. When the GDPR was introduced a couple of years ago, people became more aware of their data rights than ever. It also used to be the case that a claimant could only seek damages for distress if the data breach also caused them a financial loss. But the court (and, latterly, Parliament) accepted this was prohibitive and introduced a free-standing right to claim for distress, widening the door for possible claimants to pursue damages.  

Lloyd v Google – opening the floodgates

And then came the seminal case of Lloyd v Google, where the Court of Appeal appeared to give the green light to claimants who had suffered neither financial loss nor distress as a result of a data breach. The case was brought by an individual, acting as a “representative” of all individual iPhone users who were affected by a Safari Workaround that was installed by Google on Apple iPhones in 2011-2012. The Workaround allowed Google to essentially profit from tracking the iPhone users’ internet habits and advertising targeted at users based on those habits. Around four million users were affected and the damages bill for Google could have run into the billions.  

At the High Court, Mr Lloyd was refused permission to serve his claim on Google (who are based outside of the jurisdiction). This decision was subsequently overturned by the Court of Appeal, which decided that a “loss of control” over an individual’s data could, of itself, give that individual a right to claim for damages, even if the data breach caused the victim no financial loss or distress. 

Some of the claims we’ve seen since the Court of Appeal decision have, it must be said, been speculative at best. Minor breaches where trivial data has been inadvertently disclosed suddenly attracted claims on the basis that “if there’s been a breach, I have lost control over my data so you’re liable, no matter what”. Inevitably, the Court of Appeal’s decision in Lloyd has been quoted at length to support this type of argument. 

Applying the Brakes

It was therefore with some trepidation that data controllers waited for the Supreme Court’s decision in Lloyd v Google, to see whether it would endorse the Court of Appeal’s view and open the floodgates even further. After around six months of waiting, the judgment was finally delivered w/c 8 November 2021. 

It will give data controllers some relief to hear that the Supreme Court has retreated from the view given by the Court of Appeal. It has expressly stated that section 13 of the Data Protection Act 1998 “cannot reasonably be interpreted as giving an individual a right to compensation without material damage or distress whenever a data controller commits a non-trivial breach of any requirement of the Act in relation to any personal data of which that individual is the subject”. So the Supreme Court has clarified the position: under the DPA 1998, a claimant must be able to show that they suffered financial loss and/or distress as a result of a data breach. The simple loss of control of data is not enough on its own.  

Although the decision was made in relation to the DPA 1998, the wording of the DPA 2018 is not significantly different, so it’s likely that the current legislation would be interpreted in the same way. While claimants are not prevented from seeking “loss of control” damages in a tortious claim of Misuse of Private Information (“MPI”), these claims are harder to establish and are unlikely to succeed where the data disclosed is trivial in nature. 

As for the way the claim was brought, the Supreme Court found that an individualised assessment of damages could not be conducted in a representative action. It was up to Mr Lloyd to seek a declaration that Google had breached the DPA 1998 with damages left to be assessed by individualised assessment. He chose not to adopt that two-stage approach. As such, the conditions for bringing a representative action have not been established and Mr Lloyd has been denied permission to serve his claim on Google. As a result, the claim is now over.  

Is this a victory for data controllers?

Overall, the outcome is undoubtedly a victory for data controllers who could potentially face huge representative actions. The brakes on those types of cases have – for now - been applied.  

As for the lower value, “any breach leads to a claim” type of cases that we’ve seen a lot of recently, the Supreme Court decision will now require a claimant to show they have suffered financial loss and/or distress (by which we mean, some sort of mental distress caused by the disclosure of their data). This ought to make it easier for trivial claims to be rejected. It’s unlikely that the threat will evaporate all together, however, with claimants still able to rely on “distress” to claim damages and alternative claims for MPI still being available.  

With further, high profile, data protection cases waiting to be heard, it remains to be seen whether and how claimants will seek alternative ways to pursue data protection and privacy claims and how Lloyd will limit representative claims in the future. Practitioners will be keenly watching this space to see what the long term consequences of the Lloyd v Google decision may be.  

If you have any queries regarding your role as a controller or processor of data or have any concerns about data security and breaches contact Catherine Savage or another member of the litigation team.

Get In Contact

Catherine specialises in academic litigation. She has extensive experience of representing education clients in discrimination claims and judicial review applications.

Education Law

Working with higher and further education institutions, independent providers, academies, and schools, our full-service team can advise on any legal issue that an education institution may have.

Our Thoughts

All the latest thoughts and insights from our team

Family Law Christmas Guide

1 Dec


Family Law Christmas Guide

Read article Right Arrow

India opens up to collaborations and campuses with international universities

30 Nov


India opens up to collaborations and campuses with international universities

The Indian higher education market has finally opened up to non-Indian universities. The snappily-titled, […]

Read article Right Arrow

SHMA® On Demand

All the latest on-demand content

Employment Breakfast: Disciplinary Processes – Getting them right

13 Dec

Nick Jones, Partner - Employment | Cecily Donoghue, Senior Associate - Employment

Employment Breakfast: Disciplinary Processes – Getting them right

Employment Law experts Nick Jones and Cecily Donoghue will guide attendees through an overview […]

Register Right Arrow

Biodiversity Net Gains – new mandatory requirements for developers

30 Nov

Anna Cartledge, Partner | Louise Ingram, Partner

Biodiversity Net Gains – new mandatory requirements for developers

New mandatory requirements (introduced by the Environment Act 2021) will drive the delivery and […]

Watch Right Arrow