Lawyers Say Supreme Court Ruling on Data Protection Group Actions Could Have Big Impact on Businesses

Last week the Supreme Court heard the appeal from Court of Appeal relating to the Lloyd v Google case.  This case looks at whether a class action can be brought for breach of data protection laws without claimants needing to prove any financial losses or distress and without having to have the agreement of everyone affected. The decision could potentially have major implications for companies which have a data breach or which face enforcement action from the ICO.

The case itself is being brought on behalf of 4.4 million iPhone users against Google’s alleged Safari workaround in which it bypassed Safari controls to track iPhone users without their consent between 2011 and 2012.

The key issues at stake are whether the Court of Appeal was right to allow a representative action to be brought without the agreement of each person affected and whether personal data per se has a value so that loss of control of it can lead to damages being awarded even if there is no financial loss or distress.

Lawyers at Irwin Mitchell say that if the Supreme Court upholds the Court of Appeal’s decision, then the potential claims against businesses that breach data protection laws could be eye watering.

Not only could data protection class actions be brought for millions of claimants but damages could be awarded for data protection breaches even if they have no financial impact and the data affected doesn’t cause distress.  A simple “loss of control” of personal data could lead to a pay-out.

There have already been a number of other privacy claims started against major social media companies. All have been stayed pending the outcome of this Supreme Court Decision.

The CBI and others have already warned of the negative impact such action could have on business in the UK and more widely, including overseas companies trading in the UK.

Expert Opinion

“Data protection has always been an important issue and one that has become ever more complicated given the implications and effects of Brexit.

“Businesses need to ensure that they take data protection seriously as failure to do so could not only lead to fines but also large pay-outs via the courts. We already see claims threatened following data breaches or other failures to comply with data protection laws. This case could really open the floodgates.

“Clearly people must be able to protect their data rights, but this could lead to a rise in cases with little intrinsic merit.

“Allowing US-style class actions could impact UK ambitions to be a centre for science and innovation post Brexit. The threat of such action is unlikely to encourage firms to do business in the UK when the penalties for breaches are already severe.

“The Information Commissioner’s Office (ICO) issued £42m in fines for data breaches in 2020, proving it is a regulator with teeth and adding in the prospect of large damages claims via representative actions would mean that businesses would face double jeopardy.” Joanne Bone - Partner