In what is no doubt the landmark authority in the field of representative data breach class actions in the UK, the Supreme Court has this morning handed down its long-awaited judgment in Lloyd v Google LLC (“Google”), finding in favour of Google.
Crucially, the Supreme Court confirmed that an award of compensation for a breach of the Data Protection Act 1998 (“DPA”) could only be made where a data subject has suffered material damage, such as financial loss or distress. As proof of financial damage or distress was not established in the instant case, the Supreme Court concluded that the claim was not suitable to proceed as a representative action under Civil Procedure Rule (“CPR”) 19.6, as compensation for the alleged breaches of data protection law would need to be individually assessed.
In this blog we consider the implications of this judgment for future representative data breach actions in the UK.
The claim was brought by Richard Lloyd and alleged that Google breached its duties as a data controller under the DPA to over four million Apple iPhone users between April 2011 and February 2012, when Google collected the users’ browser generated information “with a view to commercial profit”, without their knowledge or consent, under what is commonly referred to as Google’s “Safari Workaround”.
In May 2017, High Court representative proceedings were commenced by Mr Lloyd pursuant to rule 19.6 on an ‘opt-out’ basis, on behalf of all individuals who used particular versions of Safari on their iPhone and did not change the default security settings. The claim posited that each member of the class was entitled to compensation under section 13 of the Data Protection Act (“DPA”) for the infringement of their data protection rights, the commission of the wrong and the loss of control over their personal data.
As Google is domiciled in the United States, Mr Lloyd required permission to serve the company with the claim outside of the jurisdiction. At first instance, permission to serve out was refused, as it was said by the Court that the claim did not disclose a basis for seeking compensation under the DPA because the claimant and other members of the class had not suffered damage within the meaning of section 13. The High Court also held that the requirements for a representative claim were not satisfied, and it was said that the claim had no real prospect of success.
Permission to appeal to the Court of Appeal was granted to Mr Lloyd. The Court of Appeal came to a different conclusion to the High Court and held that damages are capable of being awarded for loss of control of personal data without the claimant having to establish financial loss or distress. On that basis, the Court of Appeal stated that a claim could be brought under CPR rule 19.6 because each of the individuals that Mr Lloyd was seeking to represent was identifiable and had the “same interest”.
Google subsequently appealed the Court of Appeal’s judgment.
Supreme Court judgment
The Supreme Court’s judgment found in favour of Google, in a blow to hopes that this judgment would open the door for similar mass data breach claims, concluding that: “Section 13 of the DPA 1998 cannot reasonably be interpreted as conferring on a data subject a right to compensation for any (non-trivial) contravention by a data controller of any of the requirements of the Act without the need to prove that the contravention has caused material damage or distress to the individual concerned”.
The Supreme Court held that Mr Lloyd’s claim against Google could not succeed for the following two reasons:
- First, section 13 of the DPA requires that damage be suffered by data subjects in order for compensation to be awarded. The damage in question must be material damage, such as financial loss or distress.
- Second, there were a series of questions that remained unanswered (such as whether there was a commercial benefit to Google, and for how long the data was unlawfully processed by Google), and in relation to which no evidence had been proffered. In the absence of evidence on the above issues, the claimants could not recover any compensation.
Moreover, the Supreme Court also found that the claim raised against Google was not viable as a representative action for damages under r.19.6, emphasising that for a representation action to be brought on behalf of each of the claimants, Mr Lloyd would need to demonstrate that each of the alleged affected individuals had both suffered a breach of their rights and also suffered damage as a direct result of that breach.
What are the implications of the Supreme Court’s judgment?
The Supreme Court has unanimously rejected the Court of Appeal’s finding that damages are capable of being awarded for loss of control of personal data without the claimant having to establish financial loss or distress. Instead, it is clear that affected data subjects must be able to demonstrate that they have suffered some form of material damage, such as financial loss or distress.
This judgment is likely to deliver a blow to other similar mass data breach representative actions (such as the TikTok representative action which we previously discussed here) that had been placed on hold, pending the handing down of the Supreme Court’s judgment in Lloyd v Google LLC.
Although it had been hoped by data subjects and consumers alike that the Lloyd v Google LLC case would open Pandora’s Box for mass data breach claims, it is expected that we will see fewer of these types of claims as a result of the Supreme Court’s judgment, much to the relief of data controllers and their insurers. No doubt such claims have suffered a grievous blow by this judgment, ‘down’ undoubtedly but not yet out completely.
Edwin Coe has been litigating class action claims for over 30 years. If you have any questions arising out of the Supreme Court’s judgment in Lloyd v Google or its practical implications for the class action regime, please contact David Greene, Zahira Hussain, or any other member of our Class Action and Financial Litigation team.
 Lloyd v Google LLC  UKSC 50
 Lloyd v Google LLC  WCA Civ 1599
If you aren’t receiving our legal updates directly to your mailbox, please sign up now
Please note that this blog is provided for general information only. It is not intended to amount to advice on which you should rely. You must obtain professional or specialist advice before taking, or refraining from, any action on the basis of the content of this blog.
Edwin Coe LLP is a Limited Liability Partnership, registered in England & Wales (No.OC326366). The Firm is authorised and regulated by the Solicitors Regulation Authority. A list of members of the LLP is available for inspection at our registered office address: 2 Stone Buildings, Lincoln’s Inn, London, WC2A 3TH. “Partner” denotes a member of the LLP or an employee or consultant with the equivalent standing.