Case study: Compensation for loss of control of personal data

Businesses and their insurers may breathe a sigh of relief following the English Supreme Court’s decision in Lloyd v Google LLC [2021] UKSC 50, handed down in November 2021. In that case, the Court rejected a compensation claim against Google in an “opt-out” class action for loss of control of personal data. While privacy and data breaches are increasingly a source of litigation, this decision has curbed some of the momentum towards opt-out class action claims for data breaches, which could otherwise result in lengthy litigation and significant defence costs.

The claim against Google

This claim was brought by a Mr Lloyd, with the support of a litigation funder, and alleged that Google had breached its duties as a data controller under the Data Protection Act 1998 (UK) (DPA). Mr Lloyd claimed that in late 2011 and early 2012, Google “secretly tracked the internet activity of millions of Apple iPhone users” and used that data for commercial purposes. Google was able to do this using its “DoubleClick Ad cookie” which was placed on an iPhone if the user visited a website that included DoubleClick Ad content. Once placed on an iPhone, this cookie allowed Google to identify visits by that device to any website displaying an advertisement from its advertising network, and to collect information such as the date and time of any visit to a website, how long the user was on the relevant website, which pages were visited and for how long, and what advertisements were viewed and for how long. Sometimes, the user’s approximate geographical location could also be identified.

Mr Lloyd’s allegations were not, as the Court pointed out, new. Google has settled other, similar claims in the United States and in England and Wales. What was new was that Mr Lloyd claimed to represent everyone resident in England and Wales who owned an Apple iPhone at the relevant time and whose data were obtained by Google without their consent – a group of people estimated to number more than four million.

England, like New Zealand, does not have a legislative class action regime. Rather, it has a procedural rule allowing a representative claim to be brought on behalf of persons with “the same interest” in the claim, similar to Rule 4.24 in our High Court Rules 2016.

The central issue in this case was whether Mr Lloyd could use this rule to bring a representative claim for compensation without any individual assessment of loss. He sought GBP750 per class member on the basis that either (a) damages could and should be awarded to recognise the fact that a right has been infringed; or (b) “user damages” should be awarded, whereby damages are assessed as an estimate of what a reasonable person would have been paid for the right of the user. While GBP750 is a modest sum for each individual, if the proceeding were allowed to continue as an opt-out class action the total damages sought on behalf of the approximately four million class members would amount to GBP3 billion.

The Court’s decision

The key difficulty faced by the claimant in this case was section 13 of the DPA, which requires that claimants suffer either damage or distress – a challenge to prove when most of the class were not before the court:

  1. An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage.
  2. An individual who suffers distress by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that distress if –
    1. the individual also suffers damage by reason of the contravention, or
    2. the contravention relates to the processing of personal data for the special purposes.

The claimant argued, first, that the word “damage” as it appears in section 13(1) of the DPA includes “loss of control” over personal data. He argued that, as a matter of principle, compensation awards under the DPA should be approached in the same way as for breaches of the tort for misuse of private information because the two claims have a “common source” in the form of the right to privacy guaranteed by the European Convention for the Protection of Human Rights and Fundamental Freedoms.

The Court rejected this, noting that section 13(1) provides a right to compensation for damage only if the “damage” occurs “by reason of” the contravention. This was, the Court said, inconsistent with a right to compensation based on the contravention alone. For the same reason, the Court rejected the claimant’s argument that “user damages” could be awarded.

The Court noted that, even if it were not necessary to show that an individual had suffered material damage or distress as a result of a data breach, it would still be necessary to establish the extent of the unlawful processing of data in that individual’s case, such as the period of time that the relevant user was tracked, the quantity of data processed, whether any of that data was of a sensitive or private nature, and what use was made of that information. The claimant accepted that the amount of compensation awarded would need to be determined by reference to such matter, but argued that it was possible to identify an “irreducible minimum harm” suffered by every class member. However, the Court noted, the facts alleged in this case were not sufficient to establish that any class member was entitled to damages.

Implications for privacy class actions

The Court left open the possibility for a case such as this to be brought by way of a two-stage process, whereby the representative action procedure could be used to determine common issues, such as whether there had been an actionable breach of the DPA. Individual issues of damage could then be dealt with subsequently, in separate proceedings.

It is difficult to see, however, how it could ever be economically viable to bring a claim in this way. As the Court noted, the claimant in this case presumably did not propose to bring proceedings in this way because “success in the first, representative stage of such a process would not itself generate any financial return for the litigation funders or the persons represented. Funding the proceedings could therefore only be economic if pursuing separate damages claims on behalf of those individuals who opted into the second stage of the process would be economic. … it clearly would not. In practice, therefore, as both courts below accepted, a representative action for damages is the only way in which the claims can be pursued.”

New Zealand’s Privacy Act deals with civil claims in a different manner to the DPA, with the Privacy Commissioner being the intended litigant on behalf of affected individuals in proceedings before the Human Rights Review Tribunal. The remedies are similarly limited, though. Section 103 of the Privacy Act provides that the Tribunal may award damages to an individual only where they have suffered pecuniary loss, expenses, loss of a benefit (whether or not monetary) or humiliation, loss of dignity or injured feelings. The decision in Lloyd v Google therefore provides some clarity on the limitations that are likely to apply upon the Commissioner’s ability to bring a claim on behalf of a large number of affected persons.

Read Cover to Cover – Issue 24

Who can help