In a very clear judgment handed down on 10 November 2021, the Supreme Court has confirmed that, in order to claim compensation from an organisation which has breached its requirements as a data controller under the Data Protection Act 1998 (“the Act”), an individual must prove that the failure has caused material damage or distress to the individual concerned.
The case against Google
Lloyd v Google LLC was an appeal from the Court of Appeal. The case was brought by Richard Lloyd, who was claiming damages on behalf of all iPhone users over a period from 2011 to 2012 (without their express authority). In considering the case, the Supreme Court also received submissions from the ICO (Information Commissioner’s Office), along with several other interested organisations, such as the British Pharmaceutical Industry.
The GDPR and Data Protection Act 2018
The Data Protection Act 1998 has now been superseded by the General Data Protection Regulation and Data Protection Act 2018. However, the judgment may still be useful in assessing whether individuals may be able to bring claims under those laws.
Mr Lloyd alleged that, over a period from 2011 to 2012, Google had secretly tracked the internet activity of all iPhone users at the time for commercial purposes, without their knowledge or consent. He alleged that Google’s “DoubleClick Ad Cookie” was used to bypass the default settings of Apple’s web browser, Safari, and collect information relating not just to users’ internet surfing habits and location, but also their race, sexual interests and financial situation social class, amongst other types of personal data. It was further alleged that Google offered this information to advertisers, to help them target their adverts.
Mr Lloyd and the ICO argued that users’ “loss of control” over their personal data due to Google’s failure to comply with the Act constituted “damage” for the purposes of being entitled to compensation under the Act. Google sought to claim that the action had no real prospect of success, on the basis that damages cannot be awarded for loss of control under the Act without proof that it caused financial damage or distress.
The Lloyd v Google LLC decision
The claim failed. Lord Leggatt held that the claim had “no real prospect of success”, partly based on the following reasons:
- Section 13 of [the Act] cannot reasonably be interpreted as conferring on a data subject a right to compensation for any (non-trivial) contravention by a data controller of any of the requirements of the Act without the need to prove that the contravention has caused material damage or distress to the individual concerned
- “damage” means something distinct from a contravention of the Act itself.
- [on] the claimant’s own case there is a threshold of seriousness which must be crossed before a breach of [the Act] will give rise to an entitlement to compensation under section 13. I cannot see that the facts which the claimant aims to prove in each individual case are sufficient to surmount this threshold
What does this mean for data controllers?
The case does not mean that organisations are free to gather personal data or apply cookies without users’ consent, or some other lawful basis. Other lawful bases include the performance of a contract with the user, or compliance with a law, to name a couple.
If you, as a data controller, breach data protection law, there is every risk that the individual(s) concerned will be able to prove they have suffered damage, and therefore may be able to bring a claim for compensation. Further, as the court explained, there is no need to show material damage or distress if damages are claimed for the misuse of private information (a separate cause of action to the Act).
Find out more