On 10 November 2021, the Supreme Court unanimously agreed to overturn the ruling of the Court of Appeal in Lloyd v Google LLC  UKSC 50, consequently rejecting Mr Lloyd’s claim against Google in connection with an alleged breach of their duties as a data controller under section 4(4) of the Data Protection Act 1998.
Mr Lloyd, with financial backing from a third-party litigation funder, had issued a claim against Google on behalf of 4.4 million iPhone users who were allegedly affected by a breach of data privacy between the years of 2011 and 2012.
Mr Lloyd claimed that Google had used a ‘workaround’ to bypass the cookie settings on Apple’s Safari browser, without the users’ knowledge or consent, to collect and use ‘browser generated information’ (BGI), which allowed Google to generate a profit by enabling advertisers to target their adverts to this audience. Mr Lloyd claimed each and every user had lost control of their BGI, and that as the BGI had a value, the users should receive damages for that loss of control.
Since Google is a US company, Mr Lloyd required permission from the courts of England and Wales to serve his claim outside the jurisdiction. Google disputed this and Mr Lloyd was initially refused the permission, before the decision was overturned in Mr Lloyd’s favour by the Court of Appeal.
On appeal to the Supreme Court, the court identified three issues for determination:
- Loss of control damages: whether damages can be awarded for a loss of control of personal data under s. 13 DPA 1998, even in the absence of loss or distress?
- Same interest: whether the group of individuals Mr Lloyd was claiming on behalf of were part of the same class and shared the same interest to pursue a claim in the courts of England and Wales?
- Discretion: whether the court should exercise its discretion to allow a claim to proceed as a class action on behalf of all of the individuals?
The Supreme Court’s judgment, led by Lord Leggatt, decided that Mr Lloyd’s claim against Google had no real prospect of succeeding outside the jurisdiction. Evidentially, Mr Lloyd’s representative action failed to satisfy point 1, as it was never shown that each individual data subject had suffered material damage or distress as a result of the unlawful use of their personal data.
Lord Leggatt said the difficulty with Mr Lloyd’s proposal of damages payable on a “uniform per capita basis” was that the effect of the Workaround was clearly not “uniform” across the Class, as some people would be heavy browsers of the internet, and therefore subjected to multiple data breaches. If liability were established, the ordinary application of the compensatory principle would result in different awards of compensation to different individuals.
The Supreme Court concluded in their judgment that it was not enough for Mr Lloyd to claim that each individual was entitled to be awarded damages based solely on proof of the breach, without evidence the breach had caused material damage or distress, and therefore Mr Lloyd’s claim was unsuccessful.
What this means for future cases
This judgment represents a leading authority on claims for damages in relation to data protection law, and will be welcomed by companies who control data. Had Mr Lloyd been successful in his bid, the floodgates could have opened for compensation claims under the UK GDPR and the DPA 2018, changing the way in which claims are brought in the UK and broadening their scope. Its ruling confirms that opt-out class action claims in England and Wales against global corporations, such as Google, are unlikely to succeed as individuals use the internet in different ways, with some being more exposed to multiple breaches than others and thus compensation cannot be established on a uniform basis.
For further details about our Business Law services, click here.