• home
• about us
• what we do
  • business clients
    • summary
    • contracts
      • technology
      • outsourcing
      • commercial
      • end-to-end deal support
      • post-signature assistance
    • e-commerce
    • data protection
    • risk audits and due diligence
    • training
  • public sector
    • summary
    • procurement compliance
    • contracts
      • ICT
      • outsourcing
      • supply
      • end-to-end procurement support
      • post-signature assistance
    • data protection and FOI
    • risk audits and due diligence
    • training
• our lawyers
  • summary
  • Paul Golding
  • Tracey Tarrant
• who we act for
  • summary
  • SMEs
  • nationals/multi-nationals
  • overseas companies
  • public sector
  • in-house lawyers
  • law firms
  • our clients
  • what others say
• our fees
• legal updates
• contact us

TRG law

law simplified

Damages for inappropriate harvesting of personal data

Lloyd v Google (Supreme Court) [2021]

Data controllers and their data processors spend many hours discussing the allocation of risks arising from GDPR breaches. Partly, this is because of the huge potential financial risks involved both from fines and large damages claims, particularly where large numbers of data subjects are affected. This case perhaps offers some re-assurance that the courts are willing to limit applicable damages in appropriate cases and suggests that representative class actions involving many thousands of claimants will not be quite as attractive as some may have thought / feared.

Facts:

Section 13 of the Data Protection Act 1998 (’DPA 1998’ - the legislation that preceded the latest DPA 2018) provided that:

“(1) An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage”.

A previous case had decided that under this provision a claimant could claim for material damage such as financial loss or distress (but, in the latter case without also having to establish financial loss).

Between August 2011 and February 2012 Google allegedly used a small piece of software known as a cookie to bypass privacy settings on Apple iPhones enabling it to track and record the online behaviour of millions of Apple iPhone users in the UK without their knowledge or consent. It sold the aggregated data for commercial purposes to subscribing advertisers in connection with targeted advertising. Mr Lloyd alleged, amongst other things, this was in breach of section 4(4) of the DPA 1998 (which imposed a general duty on data controllers to comply with “the data protection principles”) and, specifically, the first (fair and lawful processing) and second (obtained and processed only for specified and lawful purposes) principles. The claimant argued that the word “damage” in section 13(1) included damage for “loss of control” over personal data. The claimant did not allege he had suffered any direct financial loss nor that he had suffered distress.

Mr Lloyd’s claim was also unusual because it was brought as a ‘representative action’. Mr Lloyd was the only named claimant, but the claim was stated to be brought on behalf of others on a US-style opt-out basis (whereby individuals who qualify as part of a discrete ‘class’ are automatically deemed to benefit from the claim unless they opt-out). He claimed to be entitled to represent and recover damages on behalf of everyone resident in England and Wales who owned an Apple iPhone on which the cookie in question was placed at the relevant time. The estimated number of eligible claimants being more than 4 million Apple iPhone users.

If damages needed to be assessed on an individual, case by case, basis, it was accepted that a representative action would not work. To circumvent this, Mr Lloyd argued that damages could be awarded on a "uniform per capita basis" to each member of the claimant class without the need to prove any facts particular to that individual. The amount proposed was £750. Had the claim been successful on this basis, damages would have totalled about £3 billion. Alternatively, each member of the class could be awarded damages (again on a uniform per capita basis) as a hypothetical amount which they could reasonably have charged for allowing Google to use their personal data.

Decision:

Held:-

The claim failed because Mr Lloyd had not proved either financial loss or distress.

"Loss of control" damages do not fall within the ambit of section 13 of the DPA 1998. A claim for damages under the DPA 1998 requires proof of either material damage or distress, which has to be distinct from, or caused by, the unlawful processing.

The representative action was not appropriate because the court said it would have to consider the extent of the unlawful processing for each individual separately.

Damages on a hypothetical licence fee basis did not fall within section 13 of the DPA.

Points to Note:

• This is almost certainly not the end of the story so far as collective claims for data protection breaches is concerned but it does reduce the scope for such claims.
• Article 82(1) of the UK GDPR is similar to section 13 of the DPA 1998 and provides that:
  

  "Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have a right to receive compensation from the controller or processor for the damage suffered". Recital 85 of the UK GDPR expressly cites "loss of control" as an example of non-material damage caused as a result of a personal data breach, so whether the outcome would have been the same under the UK GDPR remains open.

• The court itself mentioned the possibility of a two stage litigation process for future representative claims. Under the first stage the principle of liability would be considered. If the representative claimant successfully passed that hurdle, the second stage would then assess the quantum of individual claims. It will be interesting to see if future representative actions proceed on this basis or whether another mechanism such as Group Litigation Orders become more prevalent. However, most commentators seem to think that the two stage process would be significantly more costly and far less attractive for litigation funders who, as in this case, had funded the action.

back to archive

© 2012 - TRG Law Limited | legal notices | privacy & cookies | sitemap | website design and hosting by projectfive
tel: +44 (0) 1483 730303  email: info@TRGlaw.com