Group Data Breach Claims - Claimants need to prove they suffered damage

Group action brought against Google dismissed

The Supreme Court has ruled that individuals claiming for a data breach must be able to demonstrate that they have suffered some form of damage (Lloyd v Google LLC). 

Background 

Richard Lloyd, a consumer rights activist, claimed that between 2011 and 2012, Google had collected personal and special category data (i.e. data relating to race, sex, health etc.) from the Apple web browser Safari (further information can be found in our previous article linked below). He brought an opt-out group action against Google on behalf of millions of iPhone users.

In November 2019, the Court of Appeal ruled the claim could proceed (overturning the High Court’s previous decision), as the individuals’ loss of control of their data was enough to claim damages, without identifying any specific distress or financial loss suffered. The Court of Appeal also ruled that the individuals affected could easily be identified, namely iPhone users.

Mr Lloyd sought a uniform amount (£750) for each of the 4 million users. The damages therefore could have totalled around £3billion.

Google appealed to the Supreme Court.

The Supreme Court Decision

The Supreme Court unanimously upheld the appeal. It ruled that the action could not proceed. Mr Lloyd had failed to demonstrate damage on behalf of all the affected users.

The Court noted that for the claim to succeed a claimant bringing a group action must prove damage to each individual affected. Mr Lloyd had suggested a uniform sum could be awarded for each individual. The Supreme Court disagreed, noting each individual’s losses (if any losses exist) would need to be assessed separately.

The Court confirmed that to receive compensation, Mr Lloyd would need to show both:

• that Google made some unlawful use of personal data relating to that individual and
• the individual suffered damage as a result

The Supreme Court therefore refused Mr Lloyd’s application for permission to serve the proceedings on Google outside the English and Welsh jurisdiction.

Implications 

This ruling represents a crucial moment in data protection litigation. While decided under the Data Protection Act 1998, the reasoning would likely apply to the Data Protection Act 2018 and UK GDPR. The ruling severely limits the circumstances in which a group action may be brought for a mass data breach. There had been a rise in mass group actions relating to data breaches, emboldened by the Court of Appeal’s earlier decision. The right to damages is not automatic, so a claimant must prove material damage or distress.

The judgment, while not closing the door on representative group actions, highlights the practical difficulties of successfully bringing group actions. While a claim on behalf of a uniform group could be brought, the need to individually assess damage makes such an exercise unviable and extremely costly.

The judgment also gave useful factors in determining individual cases, such as the:

• Volume of data
• Categories of data
• Sensitivity of that data and
• Benefit afforded to the data controller as a result of the misuse.