Supreme Court to consider collective action for "loss of control" of personal data

15 April 2021

On 28 and 29 April, the Supreme Court will hear argument in Lloyd v Google – a case with potentially wide ramifications for the scope of collective actions and data protection claims in the UK.

Mr Lloyd, a former director of Which?, is suing Google on behalf of over four million iPhone users for unlawfully tracking their internet activity in 2011/12 using the “Safari workaround” (a hidden code allowing certain sites secretly to track Safari users).

The Supreme Court’s decision is hotly anticipated for two main reasons.

First, it will determine whether damages are in principle recoverable simply for the “loss of control” of personal data and without needing to identify any specific financial loss or distress. Although not quite the potential claimant bonanza some are anticipating (it is accepted by both parties that trivial data protection breaches will remain unactionable), this would still represent a significant expansion of the scope of data protection claims in the UK.

Second, it will confirm whether Mr Lloyd can sue Google on behalf of all affected iPhone users on the basis that they have the “same interest” in the case. Such representative actions have previously been permitted only where the represented claims are each identical in both legal nature and damages sought, effectively restricting the growth of US-style “opt out” class actions in England & Wales. Mr Lloyd is seeking to overcome that restriction by limiting his claim only to “loss of control” damages (which he argues were the same for everyone affected) and by deliberately not relying on the particular circumstances of, or additional losses suffered by, specific individuals.

The Court of Appeal found in favour of Mr Lloyd in both respects in October 2019, and we will have more commentary on the decision and its likely impact when the Supreme Court’s judgment is released later this year.

While the case concerns a breach of the Data Protection Act 1998, the examination of the right to compensation for “loss of control” of personal data is still relevant under GDPR. The risk of incurring increased fines under GDPR has already brought data protection compliance into the spotlight, but the increased threat of representative actions which may result in organisations having to pay out damages in addition to fines is likely to bring compliance into an even sharper focus.

The respondent has issued a claim alleging that the appellant (‘Google’) has breached its duties as a data controller under the DPA to over 4m Apple iPhone users during a period of some months in 2011- 2012, when Google was able to collect and use their browser generated information. The respondent sued on his own behalf and on behalf of a class of other residents in England and Wales whose data was collected in this way.