‘Loss of control’ of data insufficient basis for damages claim

A much-anticipated Supreme Court judgment has overturned a Court of Appeal decision in the case of Lloyd v Google, refusing the claimant’s application for permission to serve proceedings on Google in the US.  The case has important ramifications for data protection litigation in the UK as it establishes that damages are only available to compensate for financial loss or distress and not for mere ‘loss of control’ as result of a data breach.

It also establishes that an ‘opt-out’ class (or group) claim for data breach requires an individual assessment of damages to succeed, (unless a ‘same interest’ in the claim can be established.) This decision will help to prevent an anticipated floodgate of US style ‘opt-out’ class actions following the earlier Court of Appeal ruling.

Facts of the Case

Mr Lloyd, a former director of Which?, brought a claim on behalf of 4.4 million iPhone users alleging that Google breached its duty as a data controller to comply with the data protection principles, by using a Safari browser ‘workaround’ during 2011-12. Although the default Safari setting blocked all third-party cookies, the workaround allowed Google to harvest the personal information of iPhone users of the browser, without their knowledge or consent, using a third-party cookie known as the ‘DoubleClick Ad’ cookie. Google then aggregated the data to target specific audiences and sold it to advertisers, contrary to its privacy policy.

Mr Lloyd chose not to pursue an individual claim but opted for a ‘novel’ approach backed by group litigation funders. In England and Wales there is generally no framework allowing a class action to be brought on behalf of every member of the class/group unless they have ‘opted out’ of doing so. Instead, Mr Lloyd brought a ‘representative action’ in relation to all iPhone users with the DoubleClick Ad cookie on these dates, on the basis they had the ‘same interest’ in the claim. Success depended upon showing that all affected individuals had suffered the same loss.

To avoid the need to show individual damages, Mr Lloyd argued that the individuals were entitled to damages for the ‘loss of control’ of their data and did not have to prove financial loss or distress. To meet with the ‘same interest’ requirement, he suggested a ‘uniform sum’ of £750 per person as damages, representing a total award of £3 billion.  In the alternative, he suggested that everyone was entitled to damages equivalent to the amount they could have charged Google to buy use of their data.

Judgment

The court refused permission to serve the claim, stating that the way that it had been framed meant it had ‘no real prospect of success’:

• The approach was inconsistent with the meaning of s.13 of the Data Protection Act 1998. This states that material damage (i.e., financial loss) or distress must be suffered to claim compensation, whereas ‘loss of control’ might be less serious. Damages that arise are distinct from the breach by the data controller and the two cannot be ‘conflated’ by claiming damages for ‘loss of control’.
• To assess compensation under s.13, it would be necessary to consider how individuals had been affected by the actions of the data controller (for example, what type of data had been processed and what commercial benefit had been derived). The ‘uniform sum’ and ‘user damages’ approach was therefore inappropriate.  Mr Lloyd was ‘doomed to fail’ by failing to evidence how Google had used the data unlawfully and to give an assessment of individual damages. The damage could therefore only be considered ‘trivial’.

The court concluded that although a representative claim could be viable if everyone had the ‘same interest’ this was not true in this case.  The impact on the represented class of iPhone users was not uniform. They had varying levels of interest in the case, as well as different amounts and types of data. The court reflected that a representative claim might have worked as a two-stage process, firstly to establish the claim in principle and secondly to pursue individual claims, but given the costs and time involved, this might have been unattractive to the litigation funders.

Comment

The judgment will be welcomed by data controllers and their insurers since it provides much needed clarification on the threshold for assessment of damages. This is especially helpful given the increased frequency of data privacy breaches due to cyber incidents.  It confirms that there is no automatic right to damages because of a breach. Damages must be ‘material’ and, where large-scale claims are involved, the details still need to be particularised for individuals.

Whilst this claim was brought under the pre-GDPR framework, the principles should apply equally to claims under the GDPR and Data Protection Act 2018. Some class actions were stayed pending the outcome of this case, but it is now less likely that litigation funders will have the appetite to pursue such claims, particularly if the award of individual damages is low.

If you would like any advice about the issues raised by this case, please contact our Commercial & Technology team.