Lloyd VS Google Ruling

14th December 2021UK Supreme Court

Last month (November 2021), the UK Supreme Court ruled in a representative/class-action claim in Google’s favour. This was because there could be no compensation for alleged data protection breaches without proof of harm or damage caused.

The UK Supreme Court ruled out using this specific class-action claim as the compensation was being claimed for each member of the represented class without showing any evidence of harm. The Representative, Mr Lloyd, did not demonstrate any wrongful use of the personal data relating to the individuals or any evidence that showed individuals had or were suffering any material damage or stress because of the breach.

Background information

In 2018 Mr Lloyd commenced legal action against Google when Lloyd stated that as a Data Controller, Google had breached its responsibilities to several million Apple iPhone users over a two year period in 2011-2012. It was alleged that Google had harvested browser data from iPhone users without their consent, and this was a breach under the UK Data Protection Act 1998 (DPA 1998), which was the data protection law in place at the time. The DPA 1998 was replaced in 2018 by the Data Protection Act 2018 (DPA 2018).

Mr Lloyd sued not only on his behalf but also as a representative for residents in England and Wales, who had their data collected and had the same interest in the claim. It is important to note that this ‘representative’ procedure is well-established and has existed for many years and differs from the other class-action procedures under competition law.

Mr Lloyd, backed by a litigation funder, was claiming £750 per person whose data protection rights had been violated; he argued that compensation could be awarded under the DPA 1998 for so-called “loss of control”. The total amount of compensation claimed was in the region of £3 billion.

After many appeals with decisions swinging in different directions, the case arrived at the Supreme Court. Part of the challenge in this matter was that Google is a corporation established outside of the UK, meaning Mr Lloyd needed to apply for permission to serve the claim outside of the jurisdiction; this was initially refused by the High Court but allowed by the Court of Appeal which Google appealed and hence its arrival at the Supreme Court.

Google at all stages opposed the application because when Mr Lloyd was claiming compensation under the DPA 1998, he didn’t disclose any evidence to support it. They contested that the courts should not permit the claim to continue as a ‘representative’ action. The High Court ruled in Google’s favour and refused permission to serve the proceedings on Google. However, this was then reversed by The Court of Appeal, which led to Google taking the case to the Supreme Court.

The Supreme Court’s decision

The Supreme Court ruled in Google’s favour due to the ‘representative’ claim approach. They noted that the claim would not have been economical if it were necessary to prove the individual loss or damage of everyone affected by the data breach. Mr Lloyd argued that a sum of damages could be awarded to each member without showing any evidence for each individual.

These arguments were rejected by the court, as firstly the claim was only based on section 13 of the DPA 1998, “an individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage. The court stated that their interpretation of ‘damage’ means material damage such as financial loss or mental distress from the unlawful processing of personal data.

The second reason the court rejected Mr Lloyd’s argument is that to gain the compensation, you need to prove the unlawful processing of personal data relating to an individual.

The Supreme Court then restored the original order made by the High Court, which was refusing Mr Lloyd’s application for permission to serve the proceedings on Google outside the jurisdiction of the courts of England and Wales.

What should you take away from this?

Jonathan Armstrong of Cordery Compliance, legal counsel and specialist in data protection matters, advises clients to take any claims for compensation or damages very seriously. Jonathan comments that these claims could start with a formal ‘letter before action’, an informal claim letter or a Subject Access Request under UK GDPR. You must always treat claims very seriously, no matter how big or small (even those asking for £750 for alleged cookie breaches).

To ensure that you do not find yourself and your business with a compensation claim, you should do the following:

  • Make your employees aware that compensation claims are not only when malicious external activity such as hacking has happened, but it can be when your employees have been careless, for example, losing computer hardware.
  • Carry out regular compliance audits and reviews to prevent any issues involving a compensation claim.
  • In vendor agreements, check the liability provisions and revise them where needed. If your organisation is a joint controller with another organisation, clearly set out all the responsibilities in the agreement.
  • Check your insurance policies. These should be reviewed to check that they provide the necessary cover for the full range of potential civil claims under the UK GDPR.

If you are unsure of anything we have mentioned in the blog above and feel that you would benefit from the peace of mind and additional support available working with specialists in this field, please contact us here and take advantage of your complimentary 30-minute consultation.

Let us ease your mind

If you have any queries, questions or requests then please get in touch. We’re always very happy to talk, you’ll find a friendly voice on the end of the line or simply fill out the form below.

    Your Contact Details

    This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.