On 10 November 2021, the Supreme Court unanimously allowed the appeal and ruled in favour of Google in a landmark decision which is likely to have far-reaching consequences as it examined the extent to which damages will be awarded to claimants in a class action lawsuit for the loss of control of their data. As the material breach to this claim occurred in between 2011 and 2012, the primary legislation relied upon by the Court was the Data Protection Act 1998, and not the Data Protection Act 2018.
In summary, Mr Lloyd brought a claim as a representative action against Google on behalf of approximately 4 million individuals, claiming that Google had unlawfully processed data without users’ consent from their mobile phones, to track cookies for the purposes of targeted advertising. According to the law, a representative action can be brought by a representative of others and they must have the same interest in the claim. It was argued that Mr Lloyd satisfied the ‘same interest’ test as every individual had their data protection rights breached.
The court had to decide on the question of the same interest: whether the requirement for the ‘same interest’ can be satisfied if the distress suffered by the claimant class differs amongst the individuals. The Supreme Court held that it is not possible to satisfy this test and obtain damages for the class as a whole without proof of individual circumstances. This is not to say that a similar case could not succeed in the future, however, the case as pleaded, with the evidence it had available, could not quantify the actual loss suffered from each and every individual Mr Lloyd’s case was brought on behalf of. As such, the Supreme Court held that the claim, ultimately, could not succeed.
Another issue considered by the Court was regarding the damages for loss of control. The claimant argued that a uniform sum of damages could be awarded to each class member without the need to prove individual facts – on the basis that damages could be awarded under the Data Protection Act 1998 (DPA) for ‘loss of control’ of personal data established by a non-trivial contravention of the DPA requirements. The Court held that a claim for damages for the unlawful processing of data under the DPA required proof of the damage (either material damage or mental distress) which must be distinct from, and caused by, the unlawful processing – meaning it could not be the unlawful processing itself. Nevertheless, to determine the extent of damages, the court would need to assess individual circumstances as without it, it would be impossible to conclude that the damage was more than trivial.
What is the impact?
This judgment demonstrated that under S.13 of the DPA, the claimants must demonstrate damage, in the form of distress of financial loss, to successfully claim compensation, and mere unlawful processing itself is not sufficient. To have a cause of action, claimants must show proof of financial loss or distress. This definitely puts the evidential bar for claimants higher, and may result in fewer claims being pursued for minor data breaches.
A claim for damages will not be able to be brought using a representative action procedure unless the damages can be assessed for all of the members of the class, considering individual circumstances and with the participation of the individuals concerned. This means that in theory, a class of individuals could still bring a claim for a data breach by bringing claims individually to prove their loss and recover compensation. Damages can still be claimed in a representative action if they are genuinely common to all the individuals in the class – however this is very unlikely in reality. It also remains a possibility for group claimants to pursue claims under a Group Litigation Order (where individuals claimants’ claims are managed together) – but this process is a lot more costly and complicated. As such, there are certainly going to be ramification for Claimant law firms on how they approach data protection claims, and whether the claims are still cost effective for them given the increased evidence required in each individual claim in a representative action claim.
Data controllers will find this decision very favourable to them, however, they still must take data protection very seriously. This decision should in no way be a let off for Data Controllers, as this by no means diminishes the requirements of them from the Data Protection Act 2018 and the UK GDPR. This case, whilst favourable to Google, does not state that the breach did not occur. There was ultimately still a breach, however, only due to the way in which the case was pleaded and brought to Court, did the claim fail – not any positive actions on Google regarding the breach itself.