Covid-19 Update: We are continuing to provide our usual services whilst maintaining the safety of clients and colleagues. Read our latest update here.

Complete the form below to ask us a question or make an enquiry. We’ll get back to you via phone or email as soon as possible.

Insights

Supreme Court delivers judgment on whether iPhone users entitled to compensation

Posted on 12th November 2021 in Intellectual Property

Posted by

Oliver Kent

Trainee Solicitor
Supreme Court delivers judgment on whether iPhone users entitled to compensation

In a very clear judgment handed down on 10 November 2021, the Supreme Court has confirmed that, in order to claim compensation from an organisation which has breached its requirements as a data controller under the Data Protection Act 1998 (“the Act”), an individual must prove that the failure has caused material damage or distress to the individual concerned.

 

The Lloyd v Google LLC case

Lloyd v Google LLC was an appeal from the Court of Appeal. The case was brought by Richard Lloyd, who was claiming damages on behalf of all iPhone users over a period from 2011 to 2012 (without their express authority). In considering the case, the Supreme Court also received submissions from the ICO (Information Commissioner’s Office), along with several other interested organisations, such as the British Pharmaceutical Industry.

The Data Protection Act 1998 has now been superseded by the General Data Protection Regulation and Data Protection Act 2018. However, the judgment may still be useful in assessing whether individuals may be able to bring claims under those laws.

 

The Lloyd v Google LLC facts

Mr Lloyd alleged that, over a period from 2011 to 2012, Google had secretly tracked the internet activity of all iPhone users at the time for commercial purposes, without their knowledge or consent. He alleged that Google’s “DoubleClick Ad Cookie” was used to bypass the default settings of Apple’s web browser, Safari, and collect information relating not just to users’ internet surfing habits and location, but also their race, sexual interests and financial situation social class, amongst other types of personal data. It was further alleged that Google offered this information to advertisers, to help them target their adverts.

Mr Lloyd and the ICO argued that users’ “loss of control” over their personal data due to Google’s failure to comply with the Act constituted “damage” for the purposes of being entitled to compensation under the Act. Google sought to claim that the action had no real prospect of success, on the basis that damages cannot be awarded for loss of control under the Act without proof that it caused financial damage or distress.

 

The Lloyd v Google LLC decision

The claim failed. Lord Leggatt held that the claim had “no real prospect of success”, partly based on the following reasons:

  • section 13 of [the Act] cannot reasonably be interpreted as conferring on a data subject a right to compensation for any (non-trivial) contravention by a data controller of any of the requirements of the Act without the need to prove that the contravention has caused material damage or distress to the individual concerned
  • “damage” means something distinct from a contravention of the Act itself.
  • [on] the claimant’s own case there is a threshold of seriousness which must be crossed before a breach of [the Act] will give rise to an entitlement to compensation under section 13. I cannot see that the facts which the claimant aims to prove in each individual case are sufficient to surmount this threshold

 

Lessons for data controllers

The case does not mean that organisations are free to gather personal data or apply cookies without users’ consent, or some other lawful basis. Other lawful bases include the performance of a contract with the user, or compliance with a law, to name a couple.

If you, as a data controller, breach data protection law, there is every risk that the individual(s) concerned will be able to prove they have suffered damage, and therefore may be able to bring a claim for compensation. Further, as the court explained, there is no need to show material damage or distress if damages are claimed for the misuse of private information (a separate cause of action to the Act).

 

Find out more

Please get in touch with our data protection advisers if you require advice on the implications of the case, or data protection law generally, for your business.

Contact our legal experts


 

Paper plane

 

Get the latest news straight from our legal experts.

Subscribe to our newsletter to recieve current, dedicated, suppport and guidance from our solicitors straight to your inbox, wherever you are.

 

Company & Industry

Related Insights

Insights

Supreme Court delivers judgment on whether iPhone users entitled to compensation

Posted on 12th November 2021 in Intellectual Property

In a very clear judgment handed down on 10 November 2021, the Supreme Court has confirmed that, in order to claim compensation from an organisation which has breached its requirements as a data controller under the Data Protection Act 1998 (“the Act”), an individual must prove that the failure has caused material damage or distress to the individual concerned.

Posted by

Oliver Kent

Trainee Solicitor
Insights

Homeworking and the importance of cybersecurity

Posted on 25th March 2021 in Intellectual Property, Coronavirus Pandemic

Having staff working remotely has presented significant challenges for many businesses, but one of the most difficult to address is the increased cybersecurity risk. As many companies did not have sufficient opportunity to prepare for the transition to homeworking, they may not have identified potential cybersecurity issues. Moreover, it is now much harder to monitor staff and ensure they are following safe practices.

Posted by

Jill Headford

Partner and Solicitor