No claim for loss of control of personal data without financial damage or distress

22 November 2021

The Supreme Court has dismissed a claim by Richard Lloyd, a former director of Which?, against Google for unlawfully tracking the internet usage of over four million iPhone users.

The Court’s decision was hotly anticipated and is an important win not only for Google and the tech industry, but for all organisations handling customer, user, employee or any other personal data in the UK.

The immediate takeaways from the judgment are as follows:

  1. both of Mr Lloyd’s key arguments were rejected. The Court held that (a) there is no right to damages under the DPA 1998 for mere “loss of control” of personal data without proof of financial damage or distress and (b) Mr Lloyd could not sue on behalf of all affected iPhone users because their interests in the case were not the same and would have to be assessed individually;
  2. the judgment severely limits the recoverability of damages for data protection breaches under the DPA 1998 (as for the GDPR, see below) and will put the brakes on a number of high profile pending data breach class actions and probably thousands of smaller claims. It is also consistent with the tech-friendly theme of the Government's recent proposals for data protection reform post Brexit and a general trend towards a more pro-business data privacy regime in the UK;
  3. the decision will come as a particular relief to the tech industry, but a blow to data subjects seeking redress for perceived data privacy breaches. In this case, Google was alleged to have secretly and deliberately unlawfully obtained and used private information for commercial gain, as compared to incidences of accidental data loss, cyber attack, or oversights in policies and controls that have featured in other cases. Despite this, the Supreme Court disagreed with the Court of Appeal’s previous ruling that all affected individuals were arguably entitled to a minimum amount of compensation;
  4. however, an important question remains unanswered – would the analysis be the same for a claim under the GDPR? Google committed the alleged misconduct before the introduction of the GDPR and the claim was therefore brought under the DPA 1998. Given the very different use of language within the two sets of legislation, it is by no means certain that the Court’s analysis would be the same for a GDPR-based claim; and
  5. the Court hinted at other ways claimants and funders could nonetheless pursue mass claims. Several claims are also still pending against big tech companies like Apple, Google and Qualcomm in the UK Competition Appeal Tribunal, which have been given significant momentum by a separate recent Supreme Court ruling in Merricks.

Over the coming weeks, we will be publishing a series of short posts exploring these points in more detail and examining the practical implications of the judgment for collective actions in England & Wales and data protection best practice under the UK GDPR.

the claim advanced cannot succeed for two reasons. First, the claim is founded solely on section 13 of the DPA 1998, which provides that "an individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage". On the proper interpretation of this section the term "damage" refers to material damage (such as financial loss) or mental distress distinct from, and caused by, unlawful processing of personal data in contravention of the Act, and not to such unlawful processing itself [90]-[143]. Second, it is on any view necessary, in order to recover compensation under section 13, to prove what unlawful processing by Google of personal data relating to a given individual occurred