On 10 November 2021, the Supreme Court handed down its judgment. This was a representative data protection claim for damages for loss of control over data. In a unanimous decision delivered by Lord Legatt, Google’s appeal to prevent service of the proceedings out of the UK (and in doing so considering the merits of the claim) was allowed.
Facts of the case
Mr Lloyd issued a claim against Google alleging that in 2011 and 2012, Google tracked the internet and browsing activity of Apple iPhone users in secret by using the “Safari Workaround”1 resulting in the placing of the “DoubleClick Ad” cookie without their consent or knowledge. Mr Lloyd further alleged that the data Google had collected was used for commercial purposes.
As Google LLC is registered in Delaware, USA, Mr Lloyd required the UK Court’s permission to serve the proceedings out of the jurisdiction. This was contested by Google claiming that the claim had no reasonable prospect of success.
It is important to note that the factual background and commencement of this claim were prior to the implementation of the GDPR and therefore is solely based on the Data Protection Act 1998.
Court decision
The essence of Mr Lloyd’s representative claim (on behalf of an excess of an estimated 4 million iPhone users in the UK at the time) was that:
- the claim could be brought as a representative claim because the class of potential claimants have the “same interest” in the claim
- compensation (in the form of damages for “loss of control” of personal data) could be awarded under the Data Protection Act 1998 without individual assessment, and without the claimant having to prove they suffered any financial loss or distress as a result of Google’s breach; and
- the level of damages was advanced to be £750 per breach.
Mr Lloyd did not claim for misuse of personal information in the claim, but focused solely on redress under the Section 13 of the Data Protection Act 1998. This case also did not seek to challenge the previous ruling in Gulati.
In assessing the merits of the claim, the Court assessed the intention of Section 13 of the Data Protection Act 1998.
The judgment was clear, in order to recover compensation under Section 13, it is not enough to simply prove a breach has taken place2 the damage or distress must arise as a direct result of the breach.
Similarly, the recovery of damages for distress “would require evidence of such distress from each individual for whom such a claim…this would be incompatible with claiming damages on a representative basis”.
This aspect was fundamental to the claim as it had been constructed on the basis that no individual assessment of damages was necessary for it to success.
On a strict review of the wording of the DPA1998, Lord Leggatt noted that “loss of control” is “not an expression used” in the legislation and, therefore, cannot be read into it in order to allow loss of control damages to be claimed in the same way as for misuse of private information. Mr Lloyd’s claim for damages on a “loss of control” basis was therefore rejected.
In the current proceedings, Lord Leggatt did not consider that that facts alleged were sufficient to establish that any one member of the class would be entitled to damages. This did not reach the threshold of seriousness to be met under the DPA 1998 before there can be an entitled to compensation under Section 13.
Moving forward
The ruling is clear, there is no automatic entitlement to damages from a mere contravention by a data controller. There is (i) a minimum threshold of seriousness to be met before a claimant would be entitled to claim damages under the Data Protection Act 1998, (ii) the damage or distress must flow from the contravention itself, and (iii) it must be assessed on an individual basis. Mr Lloyd’s claim therefore failed to establish this on an individual level, and therefore, when extrapolated to a representative action, meant that the form of proceedings was inappropriate and, in the words of Lord Leggatt “doomed to fail”.
However, whilst the Supreme Court considered that the claim, as put forward by Mr Lloyd, was “doomed to fail”, the Supreme Court did consider that a representative action could have worked if it was only seeking to establish liability.
It is also worth underlining that this case was based on the old statutory position. Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 do allow for compensation where there is “material and non-material damage” and whilst not defined Recital 85 of the UK GDPR cites loss of personal data as an example of non-material damage.
As set out above, the judgment did close the door on some specific types of representative actions. However, this is only one of a recent number of High Court decisions which offer hope to data controllers facing claims of breach of data protection and related law.
1 The Safari Workaround is now not an unknown entity, and Google has previously paid civil penalties in the multi-millions to settle consumer based actions as well as US Federal Trade Commission claims.
2 Paragraph 92 of his judgment.
The content of this article is for general information only. It is not, and should not be taken as, legal advice. If you require any further information in relation to this article please contact the author in the first instance. Law covered as at December 2021.