A much awaited decision of the Supreme Court has recently put an end to a representative action which Richard Lloyd was seeking to bring against Google on behalf of millions of users of Apples iPhone. The decision was an important one both from a data protection perspective but also from a representative action point of view. Our Litigation team has provided an overview of the proceedings here.
In this article we will briefly remind you of the facts of the case and will then go on to discuss in detail the data protection issues that have been clarified by this litigation. Ultimately, however, this was a case that was based on the old legislation, namely the Data Protection Act 1998. We ask, would the result have been any different if the proceedings had been commenced more recently and based on a breach of the GDPR/Data Protection Act 2018 (which is now the law in force)?
Richard Lloyd, a former director of “Which?”, applied to the High Court, asking permission to serve proceedings on Google LLC (a Delaware company) outside the jurisdiction, for alleged breach of Data Protection Act 1998, which occurred between August 2011 and February 2012, when Google used its DoubleClick Ad cookie to allegedly track activity of millions of Apple iPhone users in the UK, selling data to interested third parties for marketing purposes.
To describe the proceedings in short, the High Court had refused Mr Lloyds application. Following that, on appeal the High Court’s decision was overturned by the Court of Appeal, and then, the Supreme Court had unanimously allowed Google’s appeal and restored the order made by the High Court. Supreme Court’s judgment was delivered by Lord Leggatt, with whom the other judges unanimously agreed.
The case attracted enough media attention and set on pause similar group litigations, involving other tech industry giants, such as TikTok.
Vidal-Hall v Google
Lloyd v Google was not the first case that involved proceedings against Google for breach of data protection laws. In England and Wales, in 2013 three individuals sued Google on the basis of very similar allegations, claiming the breach of DPA’98 and at common law for misuse of private information (Vidal-Hall v Google Inc  QB 1003).
The case of Vidal-Hall, however, differed from Lloyd v Google, as in that case the claimants were easily identifiable, whereas Mr Lloyd claimed that he could represent all users of Apple iPhones at the time the breach took place.
Vidal-Hall was a very important case for data breach damages cases. It established both that misuse of private information was a tort in its own right and whether compensation could be recovered for distress under section 13 of the DPA’98 in the absence of financial loss.
Position under the old Data Protection Act 1998
Section 4(4) of the DPA’98 imposed a duty on a data controller to comply with the Act’s data protection principles in relation to “all personal data with respect to which he is the data controller“.
Section 1 of the DPA’98 defined “personal data” as all recorded information which relate to an identifiable individual. An individual who was the subject of personal data was referred to as the “data subject”. A “data controller” was a person who (either alone or with others) determined “the purposes for which and the manner in which any personal data are, or are to be, processed.” The term “processing” was defined very broadly to mean “obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data …”.
Section 2 of the DPA’98 established a category of “sensitive personal data” consisting of information about certain specified matters, such as racial or ethnic origin, political opinions and religious beliefs of the data subject.
Mr Lloyd alleged that, in contravention of the DPA’98, Google failed to inform data subjects of the purpose for which the data was intended to be processed. It has also failed to justify the processing of data, as required by the DPA’98.
The claim for compensation in Lloyd v Google was, therefore, founded on the basis of section 13 of the DPA’98, which provided an individual with a right to claim compensation where they have suffered damage “by reason of any contravention by a data controller of any of the requirements of the Act”. An individual could also claim distress, where “the individual also suffered damage by reason of such contravention” or “the contravention related to the processing of personal data for the special purposes”. Following Vidal-Hall v Google it was accepted that there was no need to show financial loss to be awarded damages under section 13 for distress. Mr Lloyd, however, sought to extend that by arguing that, under section 13, damages should have been awarded for “loss of control”, without the need to prove that the users had suffered any actual loss or distress (in much the same way as damages assessed for the tort of misuse of private information, discussed below).
Misuse of private information
Mr Lloyd relied on the principle in Gulati v MGN Ltd  EWHC 1482 (Ch), which concerned assessment of damages for wrongful invasion of privacy. Gulati established that damages for “loss of control” are available for the tort of misuse of private information (for misuse itself, with no requirement to prove distress) in addition to damages for distress.
The court, however, was not prepared to stretch the same principles to the present case, as not all information, allegedly misused by Google, could be called “private” information (defined in the previous case law as “something worth protecting as an aspect of human autonomy and dignity”) and, in any case, each persons’ damages needed to be assessed individually.
Position under the UK GDPR and the Data Protection Act 2018
The DPA’98 was enacted in the UK to implement the Data Protection Directive 95/46/EC, which, in turn, was superseded by the General Data Protection Regulation EU 2016/679 (GDPR), supplemented in the UK by the Data Protection Act 2018 (DPA’18).
Although the case of Lloyd v Google was resolved under the old DPA’98 and the court deliberately took a view not to provide any comparison with the new law, there have already been speculation about the wider implications of the case and whether or not it could still be applicable under the new DPA’18.
Article 82(1) of the UK GDPR provides that: “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have a right to receive compensation from the controller or processor for the damage suffered”.
As clarified in section 168 of the DPA’18, “in Article 82 of the GDPR (right to compensation for material or non-material damage), “non-material damage” includes distress”. The compensation for “material damage” (e.g. financial loss) and “non-material damage” (e.g. distress) therefore follows section 13 of the old DPA’98. Recital 146 of the GDPR adds that “the controller or processor should compensate any damage which a person may suffer as a result of processing that infringes this Regulation” and that “data subjects should receive full and effective compensation for the damage they have suffered”.
Curiously, Recital 85 of the GDPR specifically cites “loss of control” over personal data as an example of the type of damage that a personal data breach can cause. It says that, “A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data…”.
Interestingly, therefore, while Recital 85 gives “loss of control” as an example of something which might well give rise to damage it does not preclude an argument that “loss of control” would be actionable without evidence of material damage or distress and it could, for example, be argued that under the GDPR loss of control may fall into a wider category of non-material damage of which distress is one example (but not the only example).
It should, however, be remembered that the Recitals in the GDPR are not the law themselves but simply an aide to interpret what is in the body of the GDPR (i.e. the Articles).
Whether the outcome of Lloyd v Google would have been the same under the UK GDPR remains open. Certainly, the inclusion of Recital 85 opens the point up to argument. It seems clear that for anyone looking to bring a claim for a data breach under the GDPR it would be necessary to specify exactly what unlawful processing of personal data relating to each claimant occurred and provide for an individual assessment of damages. It would also be well worth considering whether the claim could be brought for misuse of private information but the success of that is likely to turn on the nature of the data/information that has been lost or misused.
On the face of it, it seems unlikely that the outcome of the present case would have been different, if the case had been decided under the new data protection laws. The most likely result would be that although damages may be awarded for “loss of control”, data subjects would need to demonstrate material damage or distress on an individual basis. As we say, however, the fact that the Lloyd case was decided under the old law does leave the point open for future argument.
To sum up, although the case of Lloyd v Google has been decided under the old DPA’98, the examination of the right to compensation and Lord Leggatt’s analysis of the provisions of DPA’98 is still likely to be relevant for those seeking to recover compensation under the new DPA’18, as the principles are largely the same. There is, however, some ambiguity over whether the GDPR and, particularly, the reference to damages for “loss of control” of data in Recital 85 of the GDPR introduces a lower bar for claimants to be awarded damages without proof of material damage or distress.
There also remains the possibility of being awarded damages for the tort of misuse of private information for loss of control of that information but claimants may find that the nature of information involved in a data breach is such that this is not a route open to them.
Ultimately, claims for damages following a data breach will continue to be very fact specific. Data controllers will have welcomed the outcome of the decision in Lloyd as it will almost certainly have prevented an avalanche of group action style compensation claims under the GDPR and the DPA’18.
That is, of course, not to say that data breaches are no longer actionable, just that the claimants will need to be able to show that they should be awarded damages in each individual case rather than relying on a blanket rule automatically entitling each claimant to damages just because there has been some kind of personal data breach.
If you have any questions arising out of the Supreme Court’s judgment in Lloyd v Google or its practical implications for data controllers, please contact Marianna Ryan or any other member of our Intellectual Property team.
If you aren’t receiving our legal updates directly to your mailbox, please sign up now
Please note that this blog is provided for general information only. It is not intended to amount to advice on which you should rely. You must obtain professional or specialist advice before taking, or refraining from, any action on the basis of the content of this blog.
Edwin Coe LLP is a Limited Liability Partnership, registered in England & Wales (No.OC326366). The Firm is authorised and regulated by the Solicitors Regulation Authority. A list of members of the LLP is available for inspection at our registered office address: 2 Stone Buildings, Lincoln’s Inn, London, WC2A 3TH. “Partner” denotes a member of the LLP or an employee or consultant with the equivalent standing.