The Supreme Court has upheld Google's appeal in Lloyd v Google, limiting the ability for individuals to recover damages under data protection law for simple loss of control of their personal data. The judgment also limits the extent to which representative actions can be used under English law in relation to claims.
Background
Lloyd v Google is a long running case, arising out of steps taken by Google in 2012 that are alleged to have circumvented privacy protections in the Safari web browser on iPhones. These steps enabled Google to track individuals across websites and then use that information for targeted advertising.
Mr Lloyd brought a representative action against Google seeking damages. The representative action was brought on behalf of an estimated 4m users, meaning damages (if awarded) could be billions of pounds. Representative actions can be used where all claimants have the same interest in the claim. In this case, Mr Lloyd argued that everyone within the class was entitled to the same damages as they had each encountered the same loss of control of their data.
As Mr Lloyd needed approval to serve proceedings on Google Inc outside the UK, the Court had to assess whether his claim had a reasonable prospect of success. The Court of Appeal upheld Mr Lloyd's argument, overturning the High Court's decision. Google appealed to the Supreme Court and asked the Supreme court to rule on whether an individual is entitled to damages for simple loss of control of their personal data and whether such claim could be brought by way of a representative action.
While Lloyd v Google arose out of a workaround used by Google on the iPhone, the issues at the heart of the case are directly relevant to the extent to which businesses and other organisations might be liable for damages arising out of a cyber attack or personal data breach. If organisations can be liable under representative actions for simple loss of control, then there is no need for individuals to show actual damage or distress and for each individual to bring his or her own action. That would expose organisations to claims running into many millions (if not billions) of pounds.
The Court's decision
The Court upheld Google's appeal. On the two points:
- Damages for loss of control of personal data - the Court held that while damages for loss of control may be recoverable for misuse of private information, they are not recoverable for a breach of the Data Protection Act 1998. Individuals must be able to show damage or distress. The actual damage or distress suffered will be fact specific to each individual.
- Representative actions - while a representative action can be used to establish liability for a breach, as damages for loss of control are not recoverable, the damages due to any individual would need to be considered on a case by case basis (either in an individual or group action).
Implications
The action giving rise to the claim in Lloyd v Google predates GDPR and was brought under the Data Protection Act 1998. While the relevant legislation is similar, it is remains to be seen whether a similar action brought in the future under GDPR may lead to a different outcome. In the meantime, businesses and other organisations that process personal data (and their insurers) will welcome the judgment.
In the last couple of years, many organisations will have received claims for £500 or £750 for minor data protection breaches or data loss incidents on the basis of a loss of control claim. Claims arising out a number of high profile cyber attacks have been stayed pending the outcome of Lloyd v Google.
The judgment is likely to have a substantial impact on claims arising out of cyber incidents and other personal data breaches, as each data subject will need to demonstrate the damage or distress that they have suffered. Another recent case, Warren v DSG Retail, has also limited the extent to which claimants can rely on the tort of misuse of private information or breach of confidence in relation to cyber attacks.
While litigation funding is potentially available, and it may still be possible in certain cases to bring a claim for loss of control under the tort of misuse of private information, such claims become much less attractive to funders if there is no "easy" claim for loss of control and each claimant instead needs to show the damage or distress that they have actually suffered. In many cases that will be difficult or impossible to do.
More information
We are hosting a webinar on Lloyd v Google on Wednesday 24 November. We'll consider the judgment, and what it means, including its relevance to representative actions under Scots law.
You can also read the Supreme Court's judgment and press summary.
In the meantime, if you would like to discuss the judgment or have any questions, please get in touch.
