In one of the most highly anticipated judgments in recent years, the UK Supreme Court has unanimously rejected a class-action style compensation claim under the Data Protection Act 1998. The Supreme Court decision was handed down as a result of a claim raised against Google LLC (Google) by Richard Lloyd on behalf of four million data subjects.
In 2018, Richard Lloyd issued a representative action against Google in relation to a ‘Safari Workaround’. See here for one of our earlier blog posts on this topic. In this case, Mr Lloyd alleged that the Safari Workaround allowed Google to track users’ activity and sell browser generated information to third parties without the users’ consent, by using DoubleClick tracking cookies on iPhones. The High Court refused to grant Mr Lloyd permission to serve proceedings on Google, resulting in the case being appealed to the Court of Appeal.
On appeal, the Court of Appeal overturned the High Court’s decision and allowed Mr Lloyd’s representative action against Google to proceed. The appeal court considered that “loss of data” was enough to give rise to damages, that the “same interest” threshold was met (as all affected class members had their browser generated information sold without their consent), and that preventing the claim would have essentially barred any other remedies for the class members.
Google was granted permission to appeal to the Supreme Court and the case was heard in April of this year (see Supreme Court case details here).
Supreme Court ruling
On 10 November 2021, the Supreme Court handed down its judgment in the case, rejecting Mr Lloyd’s representative action, ruling that the action could not be served on Google.
One of the central questions in this case was whether the loss of control experienced by the data subjects was enough to show they had suffered ‘damage’ under section 13 of the Data Protection Act 1998 (DPA 1998) (i.e., the predecessor to the GDPR). Section 13 DPA 1998 provides that “an individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage”. In relation to this section, the court was keen to emphasise the need to demonstrate both a contravention and, separately, damage.
On this point, the court considered that loss of control would arise in any contravention of the DPA 1998, thus removing the requirement to demonstrate damage. The court therefore held that section 13 “cannot reasonably be interpreted as giving an individual a right to compensation without proof of material damage or distress whenever a data controller commits a non-trivial breach of any requirement of the Act in relation to any personal data of which that individual is the subject” (section 115).
Significance and future implications
In the United States, class actions are a common occurrence. In the United Kingdom, they have historically not been so popular. However, these types of actions have been developing in the UK in recent years, particularly in relation to data breaches, which often concern multiple data subjects. If the Supreme Court had upheld the Court of Appeal’s decision in this case, it would have set a precedent that could have potentially opened the floodgates for group litigations relating to data breaches.
With the decision to reject the claim, the Supreme Court has provided useful guidance on its approach to these kinds of representative actions. In particular, the ruling sets an important precedent that each claimant must show that they have personally suffered material damage as a result of the breach. The decision will be regarded as a positive development for data controllers and will likely be cited in arguments for the defence in many claims to come. It may also have the effect of reducing claims of this kind more broadly.
It should be noted, however, that this case related directly to the DPA 1998, which has since been replaced by the GDPR. There is, then, a question as to whether the decision is directly transferable; a question which the court expressly refused to discuss. In our opinion, like the DPA 1998, article 82(1) of the GDPR also draws a distinction between an infringement and damage, so this decision should be persuasive when interpreting such provision. However, unlike the DPA 1998, recital 85 GDPR uses loss of control as an example of damage. This suggests to us that we may see another attempt at this argument in the future.