The action, brought by Richard Lloyd on an ‘opt-out’ basis, was potentially worth £3bn.
In Lloyd v Google [2021] UKSC 50, Lloyd had claimed Google breached its duties as a data controller to more than four million Apple iPhone users by collecting and using their browser generated information during a period of some months in 2011-12. He applied for permission to serve the claim out of the jurisdiction.
The case centred on whether Lloyd should have been refused permission to serve the claim out of the jurisdiction because members of the class had not suffered ‘damage’ within the meaning of the Data Protection Act (DPA), and whether Lloyd could act as a representative of the other members.
The Supreme Court unanimously allowed the appeal, ruling in favour of Google.
Caroline Harbord, senior associate at Forsters, said: ‘The judgment narrows the scope for group claims arising from data breaches where no material damage has been caused by the breach.
‘The court held that to sustain a claim under s 13 of the DPA, the relevant breach must have caused material financial damage or distress. A claim cannot be sustained simply because of the fact of the breach alone.
‘The practical effect of the judgment means the Supreme Court has deprived the affected class (who have had their data stolen and commercialised by Google) of an effective remedy for this wrong, and puts the English courts at odds with the judicial approach taken by the US, Canadian and Australian courts. While the Supreme Court held that it would have been open to Mr Lloyd to invite the court to decide the primary issue of liability in representative proceedings, with individual follow-on claims to assess damages, the Supreme Court acknowledged that this would not be a cost effective, and therefore viable, approach.’
Harbord said the decision was surprising, given the Competition Appeal Tribunal’s recent decision to certify large-scale opt-out collective proceedings in Le Patourel v BT [2021] CAT 30. She said: ‘It is hard not to feel the Supreme Court has been unduly conservative in its approach, and shied away from an opportunity to impose a new check and balance on large scale data controllers.’
Consumer lawyer Rocio Concha, Which? Director of Policy and Advocacy, said: ‘This will be disappointing news for millions of consumers who may now struggle to get redress for potentially having had their personal data exploited by Google.
‘People who have suffered from data breaches must be able to hold big companies to account and get the redress they deserve.’
However, Richard Beaty, consultant employed barrister at Kennedys, said ‘Businesses and insurers across the UK will be breathing a sigh of relief at [this] judgment, which signifies a return to orthodoxy in terms of causation in data protection claims.
‘Low value data protection claims for relatively minor infringements of the UK GDPR were in danger of becoming the new pre-tariff personal injury whiplash type claims, but this judgment should help to stem the tide of litigated claims where claimants did not need to prove that they had suffered from any form of consequential financial or distress based or loss. The ruling also slows the move towards allowing US-style opt put cases in the UK which will come as welcome news to insurers.’
Also welcoming the result, Leigh Mallon, partner at Steptoe & Johnson, said: ‘The decision is a significant win for Google and is a welcome development for data controllers the world over.
‘While data controllers will continue to face increasing activity from supervisory authorities, it is almost impossible for individuals to bring private damages claims because the legal costs of doing so will far exceed any damages that might be recovered. The Supreme Court’s landmark judgment rejects the claimants’ argument that the loss of control of personal data has an intrinsic value capable of compensation.
‘Instead, the Court held that each claimant must establish that they have personally suffered some form of material damage such as financial loss or mental distress resulting from the alleged breach.’