Breaking News: Google’s £3bn Supreme Court Reprieve

Published 10 November 2021

The Supreme Court has this morning handed down its judgment in the matter of Lloyd v Google LLC [2021] UKSC 50, finding in favour of Google. With damages that could have amounted to £3bn, and legal costs estimated at £27.5m, the significance of this decision and its implications for the cyber and privacy litigation landscape in the UK is enormous.

In handing down its decision, the Supreme Court was clear that the claim against Google was not able to succeed for two reasons. First, Lloyd needed to establish that damage had been suffered in order to claim compensation under section 13 of the Data Protection Act 1998 (“DPA”). That is distinct from a mere contravention of the Act. Second, in order to assess compensation under section 13, it would be necessary to consider matters such as over what period time Google tracked individuals, the quantity and nature of data captured, how that data was used and what commercial benefit there was to Google in processing it. In the absence of any evidence of any of these matters, an individual is not entitled to compensation.

It was held unsustainable to fail to particularise that Google’s allegedly unlawful conduct caused financial damage or distress. Consequently, permission was rightly refused by the Judge. With its decision, the Supreme Court has prevented an opt-out data protection class action from proceeding against Google LLC in the UK. In doing so, the judgment is aligned with the Government’s previous decision against implementing an opt-out regime for data protection claims under Article 80(2) EU GDPR.

The metaphorical floodgates of data protection class actions have been held shut by the Supreme Court. However, the decision is, to some extent, contrary to the direction of travel in other jurisdictions although it will come as a welcome relief to organisations of all sizes, and their insurers. Given the frequency and breadth of cyber incidents which organisations suffer, and privacy laws they can fall foul of, from malicious cyber-attacks to the unintentional misuse of cookies, it is difficult to overemphasize the significance of this judgment.

Background

Readers will recall that in 2017, Lloyd issued a claim in the High Court alleging that Google LLC (“Google”) had breached its duties as a data controller to a class of over 4m Apple iPhone users during the period 2011-12, when Google collected and processed browser generated information.

Lloyd’s claim alleged that Google had acted in breach of the DPA by wrongly tracking the internet use of Apple iPhone users for commercial purposes and sought £750 in damages per claimant (a total of £3bn for the full class of 4m affected users).

Lloyd needed the Court’s permission to serve Google with the claim in the US, in order to proceed with the claim.

Google’s position was that permission should not be granted because the pleaded facts did not provide a basis for claiming compensation under the DPA and that the claim should not continue as a representative action. At first instance, the then Justice Warby found in favour of Google, preventing the claim from continuing.

However, the Court of Appeal overturned Warby’s decision and granted Lloyd permission to serve proceedings on Google in the US. The Court of Appeal held that a claimant can recover damages for loss of control of their personal data without proving distress or pecuniary loss. The Court of Appeal did not need to express a view on the quantum of those damages in order to permit the claim to proceed, but interestingly it did note that tariff based “user damages” were at least fairly arguable. Further, the Court confirmed that members of the class of 4m iPhone users did have the same interest and were identifiable, as required under Civil Procedure Rule 19.6(1), which provides for representative actions for parties bearing the same interest.

Following the Court of Appeal’s decision, Google was granted permission to appeal to the Supreme Court in March 2020, and the hearing took place in April this year.

The Issues

The Supreme Court was asked to consider whether Lloyd should have been refused permission to serve his representative claim on Google in the US given that:

(i) members of the class of 4m users had not suffered ‘damage’ within the meaning of section 13 of the DPA;

(ii) Lloyd was not entitled to bring a representative claim because the members of the class did not have the ‘same interest’ in the claim and were not identifiable; and/or

(iii) because the court should exercise its discretion to direct that Lloyd should not act as a representative.

The Decision

The Supreme Court allowed the appeal, finding in Google’s favour. In the simplest terms, the Claimants had not suffered ‘damage within the meaning of the DPA. Lord Leggatt’s concluded that:

“…section 13 of the DPA 1998 cannot reasonably be interpreted as conferring on a data subject a right to compensation for any (non-trivial) contravention by a data controller of any of the requirements of the Act without the need to prove that the contravention has caused material damage or distress to the individual concerned.”

In handing down the Supreme Court’s decision, Lord Leggatt stated that the claim should not be able to proceed for two reasons:

(i) Compensation cannot be claimed under s13 Data Protection Act 1998 for a contravention of the Act however serious in and of itself, but only where it is established that an individual has suffered damage as a result of the contravention. ‘Damage’ refers to material damage such as financial loss or distress, which is distinct from, and has been caused by, a contravention of the DPA.

(ii) In order to assess the entitlement to compensation, it would be necessary to assess the actions by the data controller (such as how long the data was unlawfully processed, what type of data, and what commercial benefit). In the absence of any evidence about any of these matters, an individual is not entitled to recover compensation.

Conclusion

A number of class actions, against Marriott, Facebook and YouTube, for example, had been stayed pending the Supreme Court’s decision in Lloyd v Google and we will watch with interest how those claims unfold. It seems reasonable to conclude that privacy and consumer rights campaigners will argue that the judgment inhibits the enforcement of individuals’ data protection rights given the costs associated with individual privacy claims.

This ground-breaking judgment will also feature at our upcoming Data Protection & Cyber Conference on 6 December 2021 where we have the timely privilege of being joined by The Rt Hon. Lord Justice Warby as our keynote speaker. For those who are yet to register for the event, please click here.

For anyone wishing to register to receive one of our chocolate-filled advent calendars, please click here.