Lloyd v Google  - Good News for Data Controllers
The Supreme Court has handed down judgment in Lloyd v Google on 10 November 2021 imposing boundaries on the expansion of the scope of personal data protection law.
The case concerned Google placing advertising tracking cookies on iPhones using Apple’s ‘Safari’ browser in England and Wales between August 2011 and February 2012. This “Safari workaround” allowed certain default settings to be bypassed, thereby allowing targeted advertising to be displayed to users (despite these users not providing their consent).
Mr. Lloyd issued a representative action on behalf of all the four million England and Wales residents who owned an iPhone at the time. The claim alleged that Google had breached its duty as a data controller under the Data Protection Act 1998 (the “DPA 1998’) and that compensation was available under section 13(1) of the Act. It was suggested that each claimant may be entitled to damages of up to £750 each, which would require Google to pay around £3 billion in compensation.
The Supreme Court allowed Google’s appeal for two key reasons:
- It is necessary to show that a failure to comply with the DPA 1998 has caused material damage or distress to the data subject; and
- It is necessary to prove what unlawful processing occurred in relation to each individual data subject.
The Court ruled that the approach taken by Mr. Lloyd had no real prospect of success and was in fact ‘doomed to fail’ (Lord Leggatt's Judgment Paragraph 8) under section 13 of the DPA 1998. There was no attempt made by Mr. Lloyd to show that any wrongful use was made by Google of personal data relating to each individual or that each individual suffered any material damage or distress.
Firstly, the claim for compensation was found exclusively under section 13 DPA 1998 which provides that “an individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage". The Supreme Court held that on proper interpretation, the term “damage” referred to material damage or mental distress.
Mr. Lloyd attempted to bring a claim that a non-trivial breach of any data subject’s rights gives rise to an entitlement to compensation for “loss of control” of personal data. This argument was founded on the case of Gulati & Ors v MGN Ltd , which concerned phone hacking by journalists from the Mirror Group.
Gulati was a case framed in the tort of misuse of private information, rather than under data protection legislation. Despite not advancing a claim under misuse of private information, Mr. Lloyd argued that because the tort of misuse of private information and loss of control of personal data are both rooted in the right to privacy, the same approach to damages should be adopted. Lord Leggatt disagreed, reasoning that establishing a claim in misuse of private information is more difficult given the requirements of the tort: the information in question must be private and the misuse must arise from a deliberate act.
The claim advanced by Mr. Lloyd was fundamentally inconsistent with the wording under section 13 of the Data Protection Act 1998. Compensation can only be awarded if the claimant suffers material damage (financial loss or physical/psychological injury) or in some limited circumstances, distress (negative emotions not amounting to a recognised psychiatric illness) caused as a result of the breach. Unlike for claims under misuse of private information, the statutory wording does not allow for an entitlement to compensation for something less serious than distress, such as a loss of control.
Secondly, Mr. Lloyd had sought to eradicate the need for an individualised assessment of each individual claim by claiming damages for each class member on what is known as a ‘uniform per capita basis’. However, the effect of the Safari workaround was not uniform across the represented class and would be likely to impact those effected differently.
The Supreme Court disagreed that a uniform sum could be recovered and held that it is necessary to prove what unlawful processing by Google of personal data took place in relation to each individual claimant. However, the Court recognised that there was nothing preventing Mr. Lloyd (or other individuals) from bringing a claim in their own right (in circumstances where evidence supported any such claim), but the claim could not succeed on the basis advanced.
The case will have major implications for the emerging class action movement in England and Wales for low value data compensation claims. This judgment will likely diminish the appetite of commercial litigation funders, however, it does not signal the expiration of such actions altogether, as claimants are likely to find alternative ways of framing their claims.
It should be noted that Lord Leggatt makes clear in his judgment that his analysis relates to the position under the Data Protection Act 1998 and not the UK GDPR, nevertheless, given the similarities between the compensation provisions, it is likely that a similar view would be taken under GDPR.
The judgment also makes clear there is a distinction between how claims will be considered in data protection and misuse of private information.