Class-action style compensation not allowed under the data protection law

  1. Home
  2. Latest
  3. The case of Lloyd v Google

Class-action style compensation not allowed under the data protection law

Class-action style compensation not allowed under the data protection law

In what has been one of the most anticipated decisions in the world of data protection over the past few years, the Supreme Court has today unanimously allowed Google’s appeal against a Court of Appeal judgment.

The case led by Mr Lloyd, a former director of Which?, would have allowed representative action to be pursued against Google, by approximately 4 million iPhone users, in relation to Google’s unauthorised collection of their data.

Lloyd sought to extend Britain's class action regime under rule 19.6 of the Civil Procedure Rules— rule 19.6 allows a claim to be brought by one or more persons as representatives of others who have the "same interest" in the claim—to include compensation claims for misuse of data, even if there is no obvious financial loss or distress.

Lloyd argued for the Court to disavow the individual circumstances of each data subject affected by the breach and instead award damages to each class member on a “lowest common denominator” basis. He argued that the lowest common denominator was every iPhone user affected by the breach and as such each person should receive an award in respect of their “loss of control” of their personal data. This being a uniform sum of £750 per person. Given the number of people represented, this would have meant an award of around £3 billion.

The Court however unanimously rejected this on two main grounds:

  • Damages are only recoverable for “loss of control” of data under section 13 of the Data Protection Act 1998 (“DPA 1998”) if there is pecuniary loss or distress suffered by an individual that claims for compensation under section 13 of the DPA 1998. In addition, claims for compensation under section 13 of the DPA 1998 require damages caused by unlawful processing, which is suffered before there is an entitlement to compensation, not after and simply due to the unlawful processing itself.

  • Secondly, the Court analysed the need for individual evidence of misuse of personal data in the context of representative actions. The Court found that whilst in representative actions each person can have a separate cause of action and remedies can include monetary awards such as damages, such damages must then be calculable on a common basis but will ultimately require an examination of the individual circumstances of the damage suffered by each person. As such, in order to calculate damages where there is a data breach it was necessary to look at, for example, how long the data had been collected for, the quantity of data involved, whether the data was sensitive/private, the use made of the data and the commercial benefit that was derived from using it etc. Lloyd attempted to pursue a claim without having such substantive information, which the Court concluded that in the absence of such evidence a claimant is not entitled to compensation.

A victory for Google and the wider business community is welcome, but it is by no means the end of group litigation for data protection breaches.

The Information Commissioner supported Mr Lloyd’s claim that “damage” under section 13 of the DPA 98 should include a “loss of control”, and given the underlying issues with England and Wales’ collective redress regimes when it comes to what individually would be low value claims – in an increasingly tech dominated world in which data is considered the new oil, an eye should be kept open on what Parliament’s reaction will be. And of course, this decision relates to the law as it was pre-GDPR, and so it may be the case that a similar issue in a post-GDPR world could yield a different result.

A link to the full judgement can be found here.

Get in touch

If you would like to discuss any of the issues raised in this article, or need any advice, please contact Matthew Holman.

This article was prepared by Salvatore Anania.

Whether we're negotiating, drafting or reviewing trading contracts, or advising on issues of data protection and technology law, our Commercial, Technology & Data team always start with what's in the client's best commercial interests.