Hill Dickinson

Legal News | 09/02/22

The dispute involved former director of consumer watchdog ‘Which?’, Mr Lloyd against Google LLC alleging breach of duties as data controller under the Data Protection Act 1998 (DPA). Mr Lloyd alleged that Google had been secretly tracking online activity of millions of iPhone users and had used the data for commercial purposes without the users’ knowledge/consent. He sought to bring the claim acting as representative for all individuals affected. Compensation of £750 was sought in respect of each individual, which would result in a total damages order of £3 billion if successful.

As Google is a Delaware corporation, Mr Lloyd required the court’s permission to serve the claim form on Google. The Supreme Court refused permission, effectively preventing the claim from proceeding. It held that the DPA cannot reasonably be interpreted as conferring on a data subject a right to compensation for any (non-trivial) contravention without the need to prove material damage or distress to the individual and therefore the claim was ‘doomed to fail’. Further, it was held that a representative action is not a suitable vehicle for claims of this nature where damages were not identical on the basis that individual class members would not be participating in the action.

The judgment has been held as a resounding victory for UK business in the wake of recent concerns as to the emergence of a ‘compensation culture’ surrounding low-value and/or minor infringements of data protection law. Data protection claims for loss of control of data have been squarely shut down.

1. The judgment does not prevent group actions entirely moving forward, but rather adds some interesting clarity on the restrictive approach that the courts will adopt. The court did not state that Google could not be liable for damage caused to groups of consumers, but the damage claimed must be material and the losses sustained by each individual were not uniform and would differ.

2. Future representative claims may involve a class action. Claimants bringing class actions have tended to rely on group litigation orders to pursue their claims. As they are ‘opt-in’ (i.e. where individuals have to take active steps to join the claimant group) they can be a less favourable option for claimants as the economics and administrative burden are far less advantageous.

3. Very significant difficulties exist for claimants in bringing ‘opt-out’ class actions (such as in this case). Although there are fewer hurdles for claimants to overcome and the group of people represented may be far wider, this makes them a greater financial risk for businesses both in terms of the potential frequency with which such class actions may be commenced and their scale.

4. Representative claims remain an option for litigants, but in the light of this judgment, it is difficult to see how damages claims of this nature can easily avoid the individualised assessment discussed in this case. Accordingly, in many instances it is unlikely to be financially viable for individual claimants to pursue their claims.

Litigation funders are also now less likely to be attracted to representative claims although some claims such as product liability where all class members received the same product, with the same defect which diminished its value could still be of interest.

All data controllers will undoubtedly have breathed a sigh of relief with this decision, as it is hard to see how actions can now be brought for a data breach. While this claim was brought under the DPA 1998, the effect is likely to apply equally to claims under the GDPR and Data Protection Act 2018.