Whilst the UK’s Supreme Court ruled in favour of Google in a case that could have had far-reaching consequences for the internet giant and the business environment, UK courts will continue to award significant compensation in data or privacy breach cases if claimants can show individual damage.
In the case Lloyd v Google, former Which? director Richard Lloyd claimed that Google had secretly collected personal data for commercial purposes through the Apple Safari web browser from millions of iPhone users in England and Wales in late 2011 and early 2012.
In May 2017, Mr Lloyd began legal action against Google, alleging breaches of the relevant privacy legislation at the time, namely the Data Protection Act 1998 (“DPA 1998”). The DPA 1998 has since been replaced by the UK General Data Protection Regulations, supplemented by the Data Protection Act 2018 (“DPA 2018”). Mr Lloyd pursued the claim using a class action process known as a ‘representative action’ which allows a claim to be brought by one or more persons as representatives of others who have the same interest in the claim. Mr Lloyd sought around £750 per member of the class, which was estimated at about 4.4 million iPhone users. The total cost could therefore potentially have reached £3.3 trillion.
The legal process
As Google is a Delaware based corporation, Mr Lloyd had to seek the permission of the Court to serve legal proceedings on Google outside the Court’s jurisdiction i.e. in the US. To succeed, Mr Lloyd was required to show that the claim had a ‘reasonable prospect of success’. Google strongly contested that claim.
At first instance in the High Court in 2018, Mr. Lloyd’s claim failed with the judge, Mr Justice Warby, concluding that the claimants had not evidenced that they had suffered any ‘damage’ or distress and did not have the same interest in the claim. However, the Court of Appeal in 2019 reversed the High Court decision, ruling that the members of the class did indeed have the same interest and were entitled to recover damages under the DPA 1998. It was against this backdrop that the claim reached the Supreme Court in April 2021 for a hearing on Google’s appeal.
The Supreme Court had two main issues to consider. Firstly, should the claimants be able to recover damages even though there was no evidence of financial loss or distress; the claims ultimately being in relation to a loss of control of data rather than material damage? Secondly, was a representative action suitable for the sort of claim pursued?
On the first point, ruling unanimously and led by Lord Justice Leggatt, the Court took the view that the requirement in the DPA 1998 for each individual claimant to prove ‘damage’ was fatal; a loss of control of data does not necessarily cause any such loss or injury. In other words, ‘damage’ refers to material damage (such as financial loss) or mental distress, quite separate from the unlawful processing of the data itself. There is a benchmark of seriousness which must be reached.
Turning to the second point, the Court took the view that proving ‘damage’ under section 13, would necessitate an assessment of the loss to each individual claimant, based upon Google’s unlawful processing of their personal data. This would require a hefty factual analysis of the harm suffered by each person, starting with an examination of each claimant’s iPhone model, software versions, tracking settings etc. and a review of each individual’s material damage. The nominal figure of £750 per claimant was not an accurate reflection of individual ‘damage’. In fact, Leggatt LJ surmised that Google’s improper use of the data would, for some, have merely led to their being tracked on a single website; damages for such a breach would essentially be valueless.
On these bases, whilst the Court acknowledged a representative action could be useful in seeking redress for an entire class of claimants with ’the same interest’, the need to evidence material damage or distress on an individual basis meant the representative action did not have a reasonable prospect of success. Only where all the claimants were entitled to the same level of damages, or sought the same form of non-financial redress, would a representative action be the appropriate litigation vehicle. Accordingly, Google’s appeal was allowed, and the claim failed.
The Court’s ruling that individual claimants are required to evidence the damage for which they bring a claim is hardly surprising. In England & Wales, where the legal purpose of damages is to put the claimant into the position they would have been but for the breach (and no further), this was the natural and expected conclusion to these proceedings. However, the Court was quick to point out that Mr Lloyd may have had other more fertile arguments available to him, had he chosen to pursue them.
In addition to claiming damages for distress under the DPA 1998, a claim could have been put forward for the misuse of private data (a relatively new and distinct tort in itself), thereby potentially precluding the need to evidence damage.
Unfortunately for Mr Lloyd however, this line of argument would still have required an individual assessment of the expectation of privacy on behalf of each claimant, meaning a representative action would not have been an appropriate legal mechanism to use.
Whilst the Court pointed out that its decision was strictly based upon the provisions of the DPA 1998, the similarity of the breach compensation language in the GDPR and the DPA 2018 led to suggestions that this decision is likely to be considered useful precedent in deciding claims based on those more recent data privacy and protection regimes. If this is the case, and in the absence of government intervention to create a separate compensation framework for low value data protection breaches, it would appear likely that most claimants will need to show individual damage which is above and beyond merely de minimis nuisance in order to recover damages.
To be clear, representative actions remain an option. What has been curtailed is the opportunity for claims to be filed for personal data breaches on behalf of claimants who are not even aware of the claim and/or who may have not even suffered any damage or distress. This should immediately send a warning shot across the bow to those filing speculative or vexatious claims.
Whilst this decision will be welcomed by major corporates, celebration must be tempered by the fact that UK courts will continue to award significant compensation to those able to evidence damage in instances where data or privacy breaches are particularly harmful to the claimant. One need only look at the awards of between £2,500 and £12,500 to the claimants in the matter of TLT and others v Secretary of State for the Home Department (where the claimants’ personal information was publicly shared on a list of individuals seeking asylum in the UK) or the awards of between £72,500 and £260,250 per claimant to those affected by the News of the World’s illicit phone hacking in Representative Claimants v MGN Limited.
Furthermore, British Airways’ confidential settlement in July 2021 of the GLO action allegedly pursued by over 22,000 claimants following a ‘form jacking’ attack (which led to the disclosure of over 400,000 customers’ addresses, credit card details, logins, and travel information) shows that these actions are likely to continue to cause significant pain where claimants opt in to the action individually. Of course, alongside the sums paid to conclude the civil matter, BA was also fined £20m by the Information Commissioners Office (ICO).
The Lloyd v Google decision does, however sound the death knell, at least for the time being, for mass group litigation for relatively minor data protection breaches where there are simply too many individual claimants for each to evidence individual loss or distress. In the absence of procedural change allowing such claims to proceed, the major deterrent to those willing to misuse private data for commercial purposes remains the fines imposed by the ICO, limited to the higher of £17.5m or 4% of annual worldwide turnover, or more potently, the reputational impact that such actions are likely to have.
Public liability, employers’ liability and professional indemnity policies may come with an extension relating to claims resulting from data protection breaches, whether under the GDPR, the DPA 2018 or the DPA 1998. However, policyholders are advised to review their wordings carefully with their broker, noting in particular whether cover extends to claims based on tortious causes of action such as misuse of private information or breach of confidence.
Market-leading standalone cyber policies provide third party liability cover for claims based on privacy breaches, as well as first party costs for dealing with privacy breaches and associated regulatory investigations. Fines and penalties are covered only if insurable by law.
For further details, please contact:
Sam Ellerton, Regional Claims Leader
T: +44 (0)121 232 4563
Vanessa Cathie, Global Professional & Financial Risks
T: +44 (0)20 7933 2478