Lloyd v Google: Verdict Arrives for History-Making Court Case
12 November 2021
International tech giant Google came under fire this week, at the hands of former director of Which? Magazine, Richard Lloyd. In a battle over the consumer rights of 4.4 million iPhone users, Google and Mr Lloyd found themselves in the courts this week, awaiting the verdict on a case with the potential to cause a powerful ripple effect for the corporate giants of this world. While this case had the capacity to stir countless industries, the final verdict was less a tremor and more a gentle breeze for the search engine giant.
To explain, it helps to take it from the beginning.
On Wednesday the UK Supreme Court formally announced the long awaited result of the “Lloyd v Google judgment”. This was a case under the pre-GDPR data protection laws, but is an impactful case for the possibility of class actions in England and Wales, and on what basis you can claim compensation for breaches of data protection law.
What was the case about?
The claim was brought by Mr Lloyd (a consumer rights activist and former director of Which? Magazine) who acted as a representative for an estimated 4.4 million iPhone users. It was funded by a litigation funder, Therium.
The heart of the case revolved around a workaround used during 2011 and 2012, which allowed Google to collect information about iPhone users’ activity using cookies without the users’ knowledge or consent. Mr Lloyd argued that these people should be compensated for the “loss of control” of their data under the Data Protection Act 1998 (DPA 1998). Simple stuff.
To address this, there were several important issues which needed to be decided by the courts:
First, the court needed to decide whether it was possible for Mr Lloyd to represent the 4 million iPhone users (this is called a representative action) – and in particular:
- Whether the group shared the “same interest”, which is a requirement for a representative action.
- Whether it needed to be possible to reliably identify who was in the group.
To add to this, if the answer to these questions was yes, it was then to be decided whether the court could use its discretion to refuse the claim anyway.
Finally, the court needed to assess whether section 13 of the DPA 1998 allows people to claim compensation for “loss of control” of their personal data, without having to show any financial loss or distress. This is because there is no reference to this phrase in the law itself.
What has happened so far
Back in 2018, the High Court was unimpressed by Mr Lloyd’s arguments, and decided that Mr Lloyd couldn’t represent the group because the group didn’t share the “same interest” and it wasn’t possible to reliably identify them. Strike one. Secondly, the courts decided that even if this wasn’t the case, the court would exercise its discretion to refuse the case. Strike Two. Finally, the group represented by Mr Lloyd didn’t suffer damage under section 13 DPA 1998. Strike three.
This decision was overturned by the Court of Appeal however, who saw it as a question of access to justice and (controversially) decided that Mr Lloyd could represent the group because they were identifiable and did have the “same interest”. With that in mind, the Court of Appeal opted not to exercise its discretion to refuse the case, and advised it was possible for a court to award compensation for “loss of control” of personal data without claimants having to show financial loss or distress.
The verdict: was it possible for Mr Lloyd to bring a representative action?
In typical lawyer fashion, the answer is: in theory, yes, but not in the way Mr Lloyd had hoped to.
The Court said that a two-stage process could have worked, where Mr Lloyd brought a representative claim to establish whether Google was in breach of the DPA 1998, and asked for a declaration from the court that anyone in the group who suffered damage because of it is entitled to compensation. The individuals would then have to claim those damages individually. However, this is not what happened in practice – Mr Lloyd brought the representative claim all in one go.
The reason for the Court’s decision was that, although the group shared the “same interest” (as their interests did not conflict with each other’s) and the people within the group could be identified, the amounts of compensation each person would be due would be different and therefore needed to be individually assessed.
A two-stage approach likely wouldn’t have worked in practice, because:
- The case was funded by a litigation funder, who would be unlikely to fund a case where the best possible outcome would be getting their money back.
- After the court’s declaration, each of the individuals would have needed to become aware of the case, pay for lawyers to establish whether they were within the group and give them appropriate legal advice, before even taking it to court, which would likely have cost more money than they could claim in compensation.
What about the court’s discretion?
Because the court decided that the representative action wasn’t possible, it didn’t need to decide whether to use its discretion to stop the claim from proceeding.
However, the court did indicate that if a representative action was possible, it could only exercise its discretion to stop it from going forward if this would mean the case being dealt with more fairly and at proportionate cost. As a big reason for bringing a representative action is to cut costs for the group being represented (who would otherwise need to bring their own separate claims), it is unlikely a court would be able to decide to stop a representative action using this discretion.
Can you get compensation for the “loss of control” of your personal data under section 13 DPA 1998, without proving you have suffered financial loss or distress?
The wording of section 13(1) DPA 1998 sets out that individuals have a right to claim compensation “where they have suffered damage as a result of a breach of the Act by a controller”.
Mr Lloyd was arguing that “loss of control” (a phrase used in another, similar area of law) should also be something people could get compensation for under section 13(1) DPA 1998 (which doesn’t include the phrase). He suggested that the word “damage” includes both distress and loss of control over personal data as well as financial loss.
The Court concluded that it could not reasonably be interpreted as giving individuals a right to compensation for breaches of the DPA 1998, without needing to prove that the breach caused material damage or distress to that individual.
What does this mean for me?
If you’re a company which processes personal data, this is probably good news for you, as it makes it harder for people to bring claims against you. Off the back of the Court of Appeal’s judgment, there were a number of representative actions started against various companies after large-scale data breaches, which have been waiting for the results of this case. It remains to be seen whether any of them will now succeed following the Supreme Court’s decision.
If you’re an individual whose personal data rights have been breached, it is likely to be difficult for you to bring a claim unless you have suffered material damage (e.g. financial loss) and/or distress, and you would be unlikely get enough compensation to justify the amount you’d need to spend on legal fees.
What’s your favourite thing about your current job? I’m torn between the people…
What do you remember most about your first job? My first job was a Saturday job, working the till…
Farewill provides end of life services, such as will writing, funerals and probate support…