Opt-Out Representative Claim for in excess of £3billion refused permission to proceed

The Supreme Court has today (10 November) delivered its much-awaited decision in the high profile case relating to damages for breaches of data protection laws between internet giant Google and former Which? Director and consumer activist, Richard Lloyd.

According to specialist lawyers at Irwin Mitchell, the unanimous decision of the Supreme Court to overturn the Court of Appeal’s ruling provides some clarity on what individuals can claim as damages for breaches of data protection law, and will have significant implications for organisations and individuals.

The landmark case centres on Mr Lloyd who brought a representative action against Google on behalf of more than 4m iPhone users seeking damages for “loss of control” of personal data as a result of what has become known as Google’s Safari “workaround”.

Between June 2011 and February 2012 Google used a ‘workaround’ on Apple’s Safari browser allowing it to bypass Safari’s blocking of third party cookies and therefore collect and use the individual’s browser generated information.  Mr Lloyd alleged that this meant that Google was in breach of the Data Protection Act 1998 and that he and the other 4m iPhone users were entitled to damages for the loss of control of their data.

Whilst the core issue centred on a preliminary application by the claimant Lloyd for permission to serve representative proceedings “out of the jurisdiction” on Google’s Delaware incorporated headquarters, in reality, it looked at two key questions.   First, it considered whether a representative action could be brought on behalf of millions of affected individuals on an “opt-out” basis and secondly whether damages were available for a “loss of control” of an individual’s personal data if they hadn’t suffered any other losses such as financial loss or distress.

The Supreme Court decided that an opt out representative action couldn’t be brought in these circumstances as it is necessary to consider the damage suffered by each individual on a case by case basis as each member of the class of claimants may have had their rights infringed in differing ways and to different degrees.  This is consistent with what DCMS decided in their consultation on group actions in data protection claims earlier this year, specifically stating there was no appetite to create new opt-out representative actions for statutory breaches due to insufficient evidence of systemic failings and the potential to outweigh benefits for data subjects with a hugely disproportionate detrimental effect on businesses and organisations, as well as the ICO and the judicial system.

The Supreme Court decided on the second point that to be able to claim damages an individual had to not only show that there had been a breach of data protection laws but also that it had resulted in damage.  Any breach of data protection law didn’t automatically give rise to damages because the individual had “lost control” of their personal data.

Expert Opinion

“This judgment will mean that businesses can breathe a sigh of relief that they won’t be faced with a damages claim every time they are in breach of data protection laws. It makes it clear that for damages to be recoverable, not only does there have to be a breach but there also has to be damage.

“This will be welcomed by businesses, especially at a time when the rise in cyber attacks sees no signs of abating and businesses are faced with claims for damages arising from issues such as privacy notices missing minor pieces of information or minor breaches of the rights of individuals.

“The ICO – the UK’s data protection regulator had made representations in the case and argued that a ‘loss of control’ of personal data should give rise to damages (provided it wasn’t de minimis) without evidence of any financial loss or mental distress. Interestingly, the UK Supreme Court rejected this argument and made it clear that while individuals have certain data rights under the data protection regime then and now, ‘control’ of their data is not one of them.

“What will be interesting to see is whether potential claimants and their advisors now look afresh at whether they can structure opt-out representative claims based on the tort of misuse of private information – although this has some exacting requirements that they may not be able to meet. However for now any actions pending which have pleaded ‘loss of control’ alone as requiring compensation under data protection legislation have had the gates firmly closed on them.

“The Supreme Court decision is consistent with some other recent decisions that make it clear that breach of data protection laws doesn’t automatically mean financial compensation for individuals. In a recent case where an encrypted email had been sent to the wrong recipient and promptly deleted the court made it clear that in this day and age ‘no person of ordinary fortitude would reasonably suffer the distress claimed arising in these circumstances in the 21st Century, in a case where a single breach was quickly remedied.’

“Whilst this decision is helpful for businesses it won’t put the issue of data protection claims to bed since it related to a claim under the Data Protection Act 1998 and there are already comments that it would be different under GDPR. Whilst GDPR (and UK GDPR) give greater rights to individuals, in my view Article 82 still requires a breach followed by damage and so this decision is still relevant. I suspect, however, that this will not be the last we hear about “loss of control” and data protection damages claims.” Joanne Bone - Partner