Clarification on damages for data breaches handed down by Supreme Court

12 Nov 2021

On 10 November 2021, the Supreme Court handed down its judgment in Lloyd v Google LLC leading to a saving of £3billion in compensation claims.
Richard Lloyd, a former executive director of Which?, sought to act as a representative in respect of a claim against Google for damages allegedly suffered by iPhone users as a result of the unlawful processing of personal data. His claim for compensation revolved around the “loss of control” of each claimant’s personal data. Mr Lloyd’s claim sought to rely on Civil Procedure Rules 19.6 which allows one or more individuals to act as a representative for parties who have the same interest without the Court having to investigate each Claimant’s individual circumstances, in this case the other iPhone users whose rights were infringed by Google’s breach of Data Protection laws.
Google disputed the application on the basis that CPR19.6 was not applicable to this type of claim. They argued that damages cannot be awarded under the Data Protection Act 1998 (“DPA”) without proof that a breach of the Act caused financial loss or other material damage to the Claimant, or that they have suffered distress as a result of the breach. If accepted by the Court this would mean that each Claimant’s individual consequences would have to be reviewed to determine whether they suffered loss.
The High Court agreed with Google but that decision was later overturned by the Court of Appeal in favour of Mr Lloyd. The Supreme Court confirmed the original decision by a unanimous verdict on the basis of its interpretation of 13(1) of the DPA which states “An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage”.
Lord Leggatt in his judgment stated that the above wording “is inconsistent with an entitlement to compensation based solely on proof of the contravention”. Instead a Claimant must prove material damage or distress to be entitled to compensation under the DPA.
This year has seen an array of data controllers receiving record fines from ICO for data breaches and so this decision is likely to come as welcome clarification for those data controllers who may be subject to class actions by individuals following a breach, especially where the breach is trivial in nature. It is, however, worth remembering that a Claimant can still claim damages under tort law but that test is based on the value of that data and what may have been paid for it.
If you have been the subject of a data breach and want to discuss whether you are entitled to damages please contact Cathryn Culverhouse.

Further reading

Mark Diamond joins DMH Stallard

New Partner specialising in M&A joins our expanding Corporate team, in Gatwick
Read more Read

DMH Stallard supports charities helping young people dress for success

Our London office has supported two charities supplying unemployed men and women with clothes for job interviews
Read more Read

Amazon announces they will no longer be accepting UK issued Visa credit card payments

Jonathan Compton comments on the potential issues this may cause in the competition market in the future
Read more Read

Clarification on damages for data breaches handed down by Supreme Court

On 10 November 2021, the Supreme Court handed down its judgment in Lloyd v Google LLC leading to a saving of £3billion in compensation claims
Read more Read
  • Brighton Office

    1 Jubilee Street


    East Sussex

    BN1 1GE

  • Gatwick Office

    Griffin House

    135 High Street


    West Sussex

    RH10 1DQ

  • Guildford Office

    Wonersh House

    The Guildway

    Old Portsmouth Road



    GU3 1LR

  • Horsham Office

    Ridgeland House

    15 Carfax


    West Sussex

    RH12 1DY

  • London Office

    6 New Street Square

    New Fetter Lane


    EC4A 3BF

  • Get in touch