On 10 November 2021, the Supreme Court handed down its judgment in Lloyd v Google LLC leading to a saving of £3billion in compensation claims.
Richard Lloyd, a former executive director of Which?, sought to act as a representative in respect of a claim against Google for damages allegedly suffered by iPhone users as a result of the unlawful processing of personal data. His claim for compensation revolved around the “loss of control” of each claimant’s personal data. Mr Lloyd’s claim sought to rely on Civil Procedure Rules 19.6 which allows one or more individuals to act as a representative for parties who have the same interest without the Court having to investigate each Claimant’s individual circumstances, in this case the other iPhone users whose rights were infringed by Google’s breach of Data Protection laws.
Google disputed the application on the basis that CPR19.6 was not applicable to this type of claim. They argued that damages cannot be awarded under the Data Protection Act 1998 (“DPA”) without proof that a breach of the Act caused financial loss or other material damage to the Claimant, or that they have suffered distress as a result of the breach. If accepted by the Court this would mean that each Claimant’s individual consequences would have to be reviewed to determine whether they suffered loss.
The High Court agreed with Google but that decision was later overturned by the Court of Appeal in favour of Mr Lloyd. The Supreme Court confirmed the original decision by a unanimous verdict on the basis of its interpretation of 13(1) of the DPA which states “An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage”.
Lord Leggatt in his judgment stated that the above wording “is inconsistent with an entitlement to compensation based solely on proof of the contravention”. Instead a Claimant must prove material damage or distress to be entitled to compensation under the DPA.
This year has seen an array of data controllers receiving record fines from ICO for data breaches and so this decision is likely to come as welcome clarification for those data controllers who may be subject to class actions by individuals following a breach, especially where the breach is trivial in nature. It is, however, worth remembering that a Claimant can still claim damages under tort law but that test is based on the value of that data and what may have been paid for it.
If you have been the subject of a data breach and want to discuss whether you are entitled to damages please contact Cathryn Culverhouse.