Lloyd v Google LLC [2021] UKSC 50: UK Supreme Court Holds That "Loss Of Control" Of Personal Data Is Not Compensable Per Se

Published date21 December 2021
Subject MatterLitigation, Mediation & Arbitration, Privacy, Data Protection, Trials & Appeals & Compensation
Law FirmArthur Cox
AuthorMr Richard Willis and Olivia Mullooly

In a seminal judgement that is set to alter the landscape of non-material damage claims in the UK and beyond, the UK Supreme Court on 10 November in Lloyd v Google LLC [2021] UKSC 50 rejected the idea that non-material breaches of the Data Protection Act 1998 (the "DPA 1998") entitle claimants to compensation for "loss of control" of their personal data.

The DPA 1998 has since been replaced by the UK General Data Protection Regulation supplemented by the Data Protection Act 2018, but was in force at the time of the alleged breaches by Google. The decision comes in the wake of a number of preliminary references to the Court of Justice of the European Union (the "CJEU") by Austrian and German Courts under Article 267 TFEU on the interpretation of Article 82 of the GDPR, and sets the tone for a new line of jurisprudence in increasingly prevalent data protection claims.

Background

Richard Lloyd, prior executive of Consumers International and Which? filed a representative action against Google in 2017 on behalf of over 4 million Apple iPhone users (the "Claimants") alleging that Google had breached its duties as a data controller under the DPA 1998 in a period between 2011 and 2012. Lloyd, who runs the 'Google You Owe Us' campaign, on behalf of the Claimants, accused Google of bypassing the privacy settings on Apple's iPhone Safari browser to track iPhone users' internet activity including time spent on relevant websites and advertisements viewed with an aim to targeting advertising, without the users' consent. Google disabled the 'Safari Workaround' after The Wall Street Journal broke the story in early 2012 and was fined $25m by the Federal Trade Commission in the US later that year.

In the wake of this fine, the Court of Appeal of England and Wales in Vidal-Hall v Google Inc. [2014] EWHC 13 (QB), paved the way for Lloyd when they ruled that three users could sue Google in the UK for damages for breaches of their individual privacy rights by the 'Safari Workaround'.

In the present case, Lloyd sought permission from the UK courts to serve the claims on Google LLC in the US. In this claim, Lloyd sought confirmation that:

  1. the DPA 1998 allowed for compensation to be paid to claimants for loss of control of their personal data without the need for identification of specific financial loss or evidence of material damage and distress; and
  2. a representative action under Rule 19.6 of the Civil Procedure Rules (the "CPR") could proceed on behalf of 4.6 million identifiable members with the "same interest".

Google LLC opposed the application on the grounds that:

  1. damages cannot be awarded under the DPA 1998 without proof that a breach caused an individual to suffer financial damage or distress; and
  2. the claim was not suitable to proceed as a representative action.

The claim was initially refused by the UK High Court in October 2018 on the basis that "vindicatory" damages could not be awarded where it could not be shown that material damage or distress...

To continue reading

Request your trial

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT