The Supreme Court has finally provided its judgment in the key data protection case of Lloyd v. Google. This decision has been hotly awaited in the hope that it would give companies some clarity – in particular, as to whether damages are available for breaches of the Data Protection Act 1998 as a result of a loss of control of data.
For some time, claimant’s lawyers have cited the Court of Appeal judgment in Lloyd v. Google to support their client’s compensation claims. This Supreme Court judgment in favour of Google will be welcomed as a sensible clarification of the law, making it potentially more difficult to pursue claims and representative actions in relation to “trivial” breaches or breaches where no actual “damage” has been suffered by the claimant(s).
Many have been writing about this case, but in this article, we look at some of the nuances and practical takeaways.
Background to the claim
In this case, Mr. Lloyd alleged that, between August 2011 and February 2012, Google placed DoubleClick advertising tracking cookies on iPhones via the Apple ‘Safari’ browser without the consent of the iPhone user. The claimant alleged that the cookies were able to collect and aggregate considerable information about the affected individuals for the purposes of targeting advertisements.
Mr. Lloyd brought a claim against Google not only on behalf of himself but also on behalf of over four million individuals he claimed were affected by Google’s alleged activities and sought to serve the claim on Google out of the jurisdiction in Delaware.
The key legal points
The most interesting points in Lloyd’s claim were the following:
1) Lowest common denominator approach
First, he argued that under the Civil Procedure Rules, a representative action can be brought pursuant to CPR 19.6. This allows a claim to be brought by (or against) one or more persons as representatives of others who have the “same interest” in the claim. The claim can be brought on an opt-out basis, that is, there is no need for an individual to agree to be part of the claim in order to be represented in it. Lloyd argued that the court could therefore award damages to each individual represented by applying what the Court of Appeal described as the “lowest common denominator” approach, namely that each individual represented would receive in damages the amount due to the person least affected (in this case, Lloyd suggested the sum of £750 per person). Lloyd made this concession in order to be able to argue that all claimants had sustained the same loss. We have also subsequently seen various law firms and individuals in separate cases cite £750 as a purported magic number of what can be awarded by way of compensation.
2) Damages for “loss of control”
Second, Lloyd argued that under section 13 of the Data Protection Act 1998 (DPA 1998) (the applicable law at the time of Google’s alleged actions), damages could be awarded for the mere “loss of control” of data, even where no pecuniary loss (or distress) had occurred.
Google was successful in the High Court in 2018, but the first instance decision was overturned by the Court of Appeal in 2019, which held that Mr. Lloyd should be permitted to serve his claim on Google.