Last week, the UK Supreme Court gave its judgment in Lloyd v Google LLC, a case that could have paved the way for data breach claims against the tech giant through one class action.
The Supreme Court unanimously allowed Google’s appeal, preventing consumer rights activist Mr Lloyd from continuing his claim. The Supreme Court’s judgment had been keenly awaited, as it has significant implications for the future landscape of data breach claims in the UK.
Mr Lloyd is a consumer rights activist and former director of Which? His claim alleged that Google breached the duties that it owed to more than four million Apple iPhone users in the UK as a data controller under the Data Protection Act 1998 (DPA 1998), during a period of some months in 2011-2012, when Google was allegedly able to collect and use their browser-generated information as a result of a Safari workaround.
Mr Lloyd sued on his own behalf and on behalf of a class of other residents in England and Wales whose data was collected in this way, and applied to the court for permission to serve the claim out of the jurisdiction, as the Google corporation is based in the US. Following a Court of Appeal judgment, which gave Mr Lloyd permission to serve his representative action, Google appealed to the Supreme Court.
The Supreme Court held that while a representative claim could have been brought to first establish a claim in principle against Google with a view to then pursuing individual claims once established, Mr Lloyd had not adopted this two-stage process. The court emphasised the fact that Mr Lloyd had argued that the class could be assessed as one with a uniform sum being recovered, with £750 suggested. It was the Supreme Court’s decision that the claim cannot succeed because it has no real prospect of success.
That is because, in the way the claim was framed, to try to bring it as a representative action, Mr Lloyd sought damages under section 13 of the DPA 1998, “for each individual member of the represented class without attempting to show that any wrongful use was made by Google of personal data relating to that individual or that the individual suffered any material damage or distress as a result of a breach of the requirements of the Act by Google”.
The Supreme Court’s judgment reiterates the need for claimants to demonstrate damages, whether they are in the form of distress or financial loss, to successfully claim pursuant to section 13 of the DPA 1998. The decision places boundaries around the categories of individuals who are likely to succeed in claiming damages and reinforces the de minimis approach taken by the courts to date.
Another recent case, Rolfe v Veale Wasborough Vizards LLP, has confirmed that in a data breach claim, the claimant must establish that they have suffered material or non-material loss resulting from the data breach, which is above a certain lower threshold, before they could be awarded compensation. As a warning to claimants, the claim was criticised for being “plainly exaggerated” and inappropriate.
The Supreme Court’s decision in Lloyd v Google shows an unwillingness to group individuals into a representative action and award a “uniform sum” for damages without properly inspecting the circumstances of their claims and requiring those circumstances to be proven. The Supreme Court provided some helpful guidance around the factors that may differentiate individual data subjects, such as the volume and categories of data, the sensitivity of that data and the benefit afforded to the data controller as a result of the misuse.
The decision that the representative action should not be allowed to proceed in any event is in line with the trend that ‘opt-out’ representative actions, as seen in the US, are not commonplace in the UK data protection litigation landscape. This is consistent with the current climate in the UK and does not further open the floodgates for claimants to make claims on behalf of large swathes of individuals without those individuals first being identified and particularising their claim.
The decision itself provides some very welcome commentary on damages for data protection claims and the approach to class actions in the UK. As this judgment was given by the Supreme Court, it cannot be taken any further but it is likely to have a very significant impact on a number of existing claims and those waiting in the wings.
That the floodgates for large-scale representative claims have not been opened by the Supreme Court has been largely welcomed, however we do not expect this to be the end of attempts to use the courts to claim compensation from large corporations for alleged data breaches.
Contributed by Helen Bourne, partner and Madeleine Shanks, associate, Clyde & Co