The Supreme Court hands down judgment in Lloyd v Google

In a keenly anticipated judgment that has significant ramifications for UK data protection, the Supreme Court has today overturned the Court of Appeal's decision in Lloyd v Google and restored the original order made by the High Court, refusing the claimant's application for permission to serve proceedings on Google outside the jurisdiction.

RPC acted for techUK, one of the interveners in the appeal, which has welcomed the judgment as allowing individuals to exercise their rights in relation to data breaches, while also continuing to support the innovative capacity and competitiveness of the UK tech sector (read techUK's full statement here). In this article, we cover the key points arising from the judgment of Lord Leggatt (with whom the other justices agreed). 

For a summary of the background to the claim and the Court of Appeal's decision, please see our previous blog here. 

Monetary compensation 

The claimant’s case (which had been accepted by the Court of Appeal) was that an individual is entitled to recover compensation under section 13 of the Data Protection Act 1998 (the "Act") without proof of material damage or distress whenever a data controller fails to comply with any of the requirements of the Act in relation to any of that individual's personal data, provided only that the breach is not trivial or de minimis.  This was presented as "loss of control" or "user" damages; a lowest common denominator of loss suffered by each and every individual by reason of the breach.

Reversing the Court of Appeal's decision, the Supreme Court held that, to recover compensation, it is not enough to merely prove a breach by a data controller of its statutory duty under section 4(4) of the Act: an individual is only entitled to compensation under section 13 where "damage" - or in some circumstances "distress" - is suffered as a consequence of such a breach of duty.  It is therefore necessary to prove that the breach of the Act has caused material damage or distress to the individual concerned.  The claimant's construct of "loss of control" or "user" damages was rejected. 

Takeaway: In order to bring a claim for compensation for breach of data protection legislation, it is necessary for a data subject to prove that they suffered "damage" or "distress" – a contravention by a data controller of the requirements of data protection legislation alone is not sufficient.

Representative claim 

Lord Leggatt could see no legitimate objection to a representative claim brought to establish whether Google was in breach of the Act, and, if so, seeking a declaration that any member of the represented class who has suffered damage by reason of the breach is entitled to be paid compensation. However, the Claimant had not proposed such process given that success at the first stage would not itself generate any financial return for the litigation funders or the persons represented. Both courts below accepted that a representative action is the only way the claims could be pursued. 

Takeaway: A representative action remains an appropriate mechanism for seeking a declaration that each member of class has suffered damage and could also be used where each member of the class has suffered the same damage (although the latter is likely to be difficult in a data claim). 

De minimis threshold 

The claimant accepted that there is a threshold of seriousness which must be crossed before a breach of the Act will give rise to an entitlement to compensation. The Supreme Court held that the position that the claimant asserted in each individual case was not sufficient to surmount the threshold and held that it was "impossible to characterise such damages as more than trivial." 

Takeaway: The Supreme Court did not provide any further guidance on what constitutes a de minimis or trivial contravention of data protection legislation. There is likely to be further debate as to this threshold when claims are asserted against data controllers, although the mere fact of a breach will not be sufficient. 

Relevance of GDPR

The Supreme Court acknowledged that the parties and the interveners had made frequent references to the provisions of the General Data Protection Regulation and the DPA 2018 in their submissions but given that the meaning and effect of the DPA 1998 and the Data Protection Directive could not be affected by the subsequent legislation, it was not considered.

Takeaway: Although GDPR and the DPA 2018 were not considered capable of helping to resolve the particular issues raised on the appeal, given the wording of the provisions concerning compensation are substantively replicated in Article 82 GDPR, the Supreme Court's judgment will have future application. 

Comment

The Supreme Court's judgment will be warmly welcomed by data controllers who, following the Court of Appeal's judgment, were exposed to very significant potential liability arising from data claims, even if no specific damage was shown to have been suffered by any individual.

The judgment has firmly rejected the basis of this class action and many others that were waiting in the wings (some of which had been stayed pending handing down of this judgment). It is likely to have a very significant impact on UK industry across many different sectors that handle customer data, as well as the UK legal market, including claimant firms, litigation funders and ATE insurers.

Although the Supreme Court has left the door open for representative actions to proceed in relation to claims for breaches of data protection legislation, the rejection of the concept of "loss of control" damages and the requirement that individuals must prove they have suffered damage means that a representative action is unlikely to be a financially viable option for legal advisers and funders in most data claims.