Supreme Court delivers landmark judgment in mass data breach case

12th November 2021

In a welcome development for data controllers, the Supreme Court has this week delivered its much-anticipated judgment in the Lloyd v Google mass data breach case [1]. Specialists from Walker Morris’ Commercial Dispute Resolution team consider the decision and its practical implications.

What was the claim about?

Google placed a web tracking cookie relating to online advertising known as “DoubleClick” on Apple devices using the Safari web browser. This “Safari workaround” allowed certain default settings to be circumvented, thereby allowing targeted advertising to be displayed to users (without consent having been given). It also allowed vast amounts of information relating to users’ usage patterns to be collected, which was commercially valuable. As a result, Google was forced to pay USD 22.5 million in a civil settlement in 2012 with the United States Federal Trade Commission. This in turn led to a raft of consumer action being pursued.

Richard Lloyd (former executive director of consumer rights company Which?) sought to bring a representative action in the English courts on behalf of himself and an estimated class of 4.4 million Apple iPhone users. The claim alleged that Google had acted in breach of the duty imposed by section 4(4) of the Data Protection Act 1998 (the Act) [2]. The claim was for compensation under section 13(1) of the Act, which provides that an individual who suffers damage by reason of any contravention by a data controller of any of the requirements of the Act is entitled to compensation from the data controller for that damage.

No financial loss or distress was alleged. Mr Lloyd claimed a uniform amount by way of damages on behalf of each person within the defined class without seeking to allege or prove any distinctive facts affecting any of them, save that they did not consent to the abstraction of their data.

High Court and Court of Appeal decisions

Mr Lloyd applied to the High Court for permission to serve the proceedings on Google in the United States. The application was dismissed on the basis that none of the represented class had suffered “damage” and the members of the class did not have the “same interest” within the relevant procedural rule [3] so as to justify allowing the claim to proceed as a representative action. In any event, the judge exercised his discretion against allowing the claim to proceed, describing it as “officious litigation”.

The Court of Appeal disagreed and reversed the decision, finding that a claimant can recover damages for mere “loss of control” of their data under section 13(1) of the Act, without proving financial loss or distress, and the members of the class that Mr Lloyd sought to represent did have the same interest and were identifiable.

That decision was significant because, even where the amount of compensation awarded might be low, the potential financial exposure could be considerable. Google appealed to the Supreme Court.

What did the Supreme Court decide?

The Supreme Court, in a unanimous decision, allowed Google’s appeal and restored the judgment of the High Court. The claim will now not proceed.

Given that the claim was only advanced under the Act (as opposed to a claim in tort for misuse of private information – presumably because in order to bring a claim in tort, Mr Lloyd would have had to adduce evidence to establish a reasonable expectation to privacy in the case of each individual claimant), the Supreme Court confirmed that “damage” under section 13(1) of the Act referred to material damage (such as financial loss) or mental distress distinct from, and caused by, unlawful processing – i.e. it did not refer to the unlawful processing itself/mere loss of control of personal data.

Of course, given the number of individuals represented in this case, Mr Lloyd had not adduced such evidence in relation to each individual claimant (to do so would have been an administrative nightmare).

Mr Lloyd had sought to obviate the need for an individualised assessment of each individual claim by claiming damages for each class member on what is known as a “uniform per capita basis”. However, the effect of the Safari workaround was not uniform across the represented class and the Supreme Court determined that “without evidence of what use, if any, was actually made of personal data of that individual by Google…” the claim (as advanced) could not succeed. To recover compensation under the Act, it was necessary to prove what unlawful processing occurred in relation to each individual.

Mr Lloyd also sought to break new legal ground by arguing that the principles identified in Gulati v MGN Ltd [4], applicable to the assessment of damages for misuse of private information at common law, should also apply to the assessment of compensation under section 13(1) of the Act. In Gulati the judge stated that, “the damages should compensate not merely for distress…but also compensate (if appropriate) for the loss of privacy or autonomy as such arising out [of] the infringement by hacking…” i.e. the awards made in Gulati were to “compensate for the loss or diminution of a right to control formerly private information”.

The above arguments were rejected by the Supreme Court. It found that there was no reason why the basis upon which damages are awarded for an English domestic tort should be regarded as relevant to the proper interpretation of the term “damage” in a statutory provision intended to implement a European directive.  There are significant differences between the nature and scope of the common law privacy tort and data protection legislation (and this claim had only been advanced under the latter).

The Supreme Court pointed out that there was nothing preventing Mr Lloyd (or other individuals) from bringing a claim in their own right (in circumstances where evidence was adduced to support any such claim), but the claim could not succeed on the basis advanced.

Practical implications

This decision will be welcomed by data controllers across the board. However, it also has implications for those with an interest in the UK class actions landscape generally (including litigation funders and claims management firms/claimant focussed litigation firms).

The decision heads off what could have been the opening of the floodgates to mass data breach claims. While this is undoubtedly a landmark case that should allow data controllers a certain amount of breathing space, it does not necessarily signal the demise of such actions altogether, as claimants are likely to try to find alternative ways of framing their claims.

Nevertheless, this, alongside the recent decision in Rolfe [5] does demonstrate a shift in the courts’ attitude towards data breach claims, whether (as in the case of Rolfe) on the basis of triviality/merits or (as in this case) due to a failure to provide evidence of “damage” in respect of each individual claimant in the context of group litigation.

What is clear is that issues of data protection and privacy are very much on the courts’ radar and they will still enforce individuals’ rights where necessary. It is therefore important for organisations to take specialist legal advice when faced with investigating potential data breaches or allegations/claims relating to data and/or privacy breaches.

While the decision applied to interpretation of the Act, and not to current data protection legislation, we consider it unlikely that a claim made under current legislation would be any different in outcome.

How we can help

As explained above, this decision is unlikely to mark the end of data breach claims. Organisations therefore still need to be alive to the very real risk of such claims and the importance of ensuring they comply with their legal obligations.

Walker Morris’ Commercial Dispute Resolution lawyers are highly experienced in resolving and defending data breach claims. This expertise, when combined with our specialist Regulatory & Compliance team’s comprehensive understanding of the regulatory background, and the experience of our multidisciplinary Technology & Digital Group, ensures that an informed and robust strategy can be adopted.

As well as helping you to respond quickly and effectively if and when a data breach occurs and any claim is threatened, our specialist solicitors can help you to refine your pre-emptive risk management strategies, whether that be carrying out health checks in respect of policies and procedures with a view to mitigating against claims of this nature, training staff and/or keeping you up to date with the legal and regulatory matrix.

If you would like to discuss any of the issues covered in this or our earlier briefings, please do not hesitate to contact Gwendoline Davies or Nick McQueen who will be very happy to help.

[1] [2021] UKSC 50

[2] since superseded by the UK GDPR and Data Protection Act 2018

[3] Rule 19.6 of the Civil Procedure Rules

[4] [2015] EWHC 1482 (Ch); [2015] EWCA Civ 1291

[5] See our briefing