Lloyd v Google: What DPOs need to know

Last week, the UK Supreme Court handed down its much anticipated judgment in the case of Lloyd v Google LLC [2021] UKSC 50. It is a significant case because it answers two important questions: (1) whether US style class action lawsuits can be brought for data protection claims and (2) whether damages can be claimed for mere “loss of control” of personal data where no actual damage has been suffered by data subjects. If the Supreme Court had decided that the answer to either of these questions was “yes”, it would have resulted in Data Controllers being targeted with much more costly data breach litigation.

The present case was brought by Richard Lloyd, a former director of consumer rights group Which?, who alleged that between 2011 and 2012, Google cookies collected data on health, race, ethnicity, sexuality and finance through Apple’s Safari web browser, even when users had chosen a “do not track” privacy setting on their phone. Mr Lloyd sought compensation, under section 13 of the old Data Protection Act 1998. 

Mr Lloyd sought to bring a claim in a representative capacity on behalf of 4 million consumers; a US style “class action”. In the UK, such claims currently need consumers to opt in, which can be a lengthy (and costly) process. Mr Lloyd attempted to set a precedent for opt-out cases, meaning one representative could bring an action on behalf of millions without the latter’s consent. He sought to use Rule 19.6 of the Civil Procedure Rules, which allows an individual to bring such a claim where all members of the class have the “same interest” in the claim. Because Google is a US company, Mr Lloyd needed the permission of the English court to pursue his claim. Google won in the High Court, only for the decision to be overturned by the Court of Appeal. If Mr Lloyd had succeeded in the Supreme Court on appeal, it could have opened the floodgates to many more mass actions against tech firms (and other data controllers) for data breaches.

The Supreme Court found class actions impermissible in principle in the present case. It said that, in order to advance such an action on behalf of each member of the proposed represented class, Mr Lloyd had to prove that each one of those individuals had both suffered a breach of their rights and suffered actual damage as a result of that breach. Mr Lloyd had argued that a uniform sum of damages could be awarded to each member of the represented class without having to prove any facts particular to that individual. In particular, he had argued that compensation could be awarded under the DPA 1998 for “loss of control” of personal data constituted by any non-trivial infringement by a data controller of any of the requirements of the DPA 1998.

The Supreme Court rejected these arguments for two principal reasons. Firstly, the claim was based only on section 13 of the DPA 1998, which states that “an individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage”. The court ruled that “damage” here means material damage, such as financial loss or mental distress, as caused by unlawful processing of personal data in contravention of the DPA 1998 (i.e. simply infringing the DPA 1998 does not in itself constitute “damage”). Secondly, in order to recover compensation under section 13 of the DPA 1998, it is necessary to prove what unlawful processing (by Google) of personal data relating to each individual actually occurred. A representative claim could have been brought to establish whether Google was in breach of the DPA 1998 as a basis for pursuing individual claims for compensation, but not here, where Mr Lloyd was claiming the same amount of damages (£750) for each of the 4 million iPhone users.

This case was decided under the DPA 1998. Article 82(1) of the UK GDPR sets out the right to compensation now: “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered”. The similar wording to the DPA 1998 means that the outcome would be the same if Mr Lloyd had commenced his action post GDPR.

The Lloyd-Google judgment means that those seeking to bring class-action data protection infringement compensation cases have their work cut out. However, claims under Art 82 can still be brought on an individual basis – in fact the judgment seems to indicate that individual cases can have good prospects of success. There is more to come in this area. TikTok is facing a similar case, brought by former Children’s Commissioner Anne Longfield, which alleges that the video-sharing app used children’s data without informed consent. 


(Probably) The First Group Action For Damages under the Data Protection Act

In December 2013 a group legal action was settled against the London Borough of Islington following breaches of the Data Protection Act 1998 and the Human Rights Act 1998. Anna Thwaites, partner at Hodge Jones & Allen LLP, and Ruth Brander, counsel from Doughty Street Chambers, acted for the claimants.

Anna explains the background and legal basis for the claims below:

Hodge Jones & Allen LLP & Doughty Street Chambers acted for 14 Claimants in a Group Action against the London Borough of Islington after it leaked their personal data to unauthorised third parties on two separate occasions in 2012.

The First Breach – April 2012

In April 2012, Islington Council sought injunctions against thirteen youths for anti-social behaviour. The injunctions were served on ten of these between 20th and 24th April 2012. On 26th April it became known to the council that personal information regarding residents who had made complaints about anti-social behaviour had been disclosed to the injunctees. An unredacted spreadsheet of Anti-Social Behaviour (ASB) Hotline calls and concierge reports had been included. These contained complaints from 50 individuals. In many cases this included the name, telephone number and estate/street name.

The police retrieved seven out of the ten injunction packs issued to the individuals. The police also warned the injunctees that they should not use the information to contact any witness. In the immediate aftermath, there was a police presence on the Andover Estate and some residents moved from their properties to new locations.

An Information Commissioner’s Office (ICO) investigation was instigated and various recommendations made. The Council agreed to a voluntary inspection rather than a monetary fine. 

The Second Breach – 26 June to 14 July 2012

Whilst responding to a Freedom of Information Act request on the website ‘What Do They Know,’ the Council sent an Excel spreadsheet containing details of housing allocations to an organisation called mySociety. The spreadsheet included sensitive personal data on people offered social housing by the Council. This included their name, address, gender, ethnicity, religion, sexuality, relationship status and assessment of housing priority needs. Over 2,400 residents were affected.

Between 26 June and 14 July 2012, there were 7 download requests on this website. It is not possible to know whether any of the people downloading this information accessed the Excel spreadsheets containing this highly personal and sensitive information.

Following this breach there was an ICO investigation and the Council was fined £70,000. This was in addition to the compensation paid to the individual Claimants.

The Claims

We acted for four Claimants affected by the first breach, eight Claimants affected by the second breach and two Claimants affected by both breaches.

The Claimants’ principal claims were for stress, distress and frustration. Some Claimants believed the breach exacerbated existing psychological or psychiatric conditions. Very few Claimants had incurred financial losses arising from the Council’s breaches.

Around April 2013, Letters of Claim were sent to the Council for each Claimant alleging a breach of the Data Protection Act 1998 and Human Rights Act 1998 following a breach of Article 8 ECHR (the right to family and private life).

The parties entered into a limitation standstill agreement in respect of the Human Rights Act claim. Under section 7(5) of the Human Rights Act 1998, a claim must be brought before the end of the period of one year beginning with the date on which the act complained of took place or such longer period as the court considers equitable having regard to all of the circumstances. This was the best way to preserve the Claimants’ position without issuing court proceedings.

At the conclusion of the Council’s Pre-Action Protocol Investigations, they admitted liability in July 2013 for breaches of the Data Protection Act and Article 8 ECHR for all but one of the Claimants. In relation to this Claimant, they advised that the Claimant had been erroneously informed that their data had been breached, when in fact it had not. The Council made Part 36 offers in settlement to all Claimants ranging from £500 to £5,000.

Following settlement negotiations, all claims settled in December 2013 without the need to issue court proceedings. The Claimants were awarded over £43,000 in compensation. The awards ranged from £1,000 to £5,000 depending on how the breach impacted on each Claimant.

As part of the terms of settlement, the Council provided an unreserved apology and provided a detailed letter to each Claimant outlining how the breach happened, how it was discovered, the changes made subsequently and lessons learnt. All of the Claimants’ cases were funded under Conditional Fee Agreements under the pre 1 April 2013 regime.

Thoughts on the Case

It was clear from the outset that there had been a breach of the Data Protection Act, but in order to be entitled to compensation under section 13(2) a Claimant must suffer damage.

The difficulty with these cases is that many of the Claimants were unable to establish a financial loss or a personal injury arising from the Council’s contravention. This issue was not explored in depth during litigation given the Council’s early admission of liability and Part 36 offers in settlement, but the case of Halliday v Creation Consumer Finances [2013] 3 CMLR 4 would have assisted the Claimants on this point.

In this case, the Court was prepared to award nominal damages of £750 for distress to reflect a breach of the Data Protection Act, even if there was insufficient evidence to establish a substantial breach. The Court did not penalise the Claimant for being unable to establish a financial loss arising from the breach. The Claimants’ cases are clearly analogous and this case also provided some helpful guidance on the level of compensation the Courts may award depending on the facts of the case.

Another factor which potentially led to early settlement is that Article 8 ECHR does not have the same requirement as the Data Protection Act to establish ‘damage,’ although there is very little case law on the level of damages the Court may award in this type of case. Traditionally compensation for breaches of the Human Rights Act has been less generous than compensation awarded by the domestic courts.

It would also be interesting to see if the Council’s approach would have changed if the claims were brought on the basis of the Data Protection Act alone or outside the time limits for a Human Rights Act claim.

However, these cases clearly demonstrate that a failure to comply with the Data Protection Act 1998 and/or Article 8 ECHR will be at a Defendant’s peril. This was an extremely costly mistake for the Council, who failed to learn from their mistakes and breached the Data Protection Act 1998/Article 8 ECHR not only once but twice in as many months.

It is hoped that, following the ICO investigation and litigation, the same mistakes will not be made again. A clear message has been sent to Public Authorities of the potential consequences of failing to comply with their obligations to safeguard citizens’ personal data. This case also shows how Data Controllers can be held accountable for their actions.
