Lloyd v Google LLC [2021] UKSC 50

Lloyd (Respondent) v Google LLC (Appellant) [2021] UKSC 50

In Lloyd v Google LLC, the general principle was that individuals have the right to sue companies for damages caused by unlawful breaches of their personal data. This landmark case centered around Google's alleged misuse of iPhone users' personal data without their consent, which resulted in the claimant, Mr. Lloyd, seeking compensation for the data breach. The UK Supreme Court ruled that what misuse of private information (MOPI) cases call "loss of control" over personal data was sufficient grounds for compensation, even if the affected individuals have not suffered any financial loss. This decision sets an important precedent that gives individuals recourse when companies fail to protect their personal information.

Facts

In Lloyd v Google LLC, the plaintiff Richard Lloyd brought a representative action on behalf of millions of Apple iPhone users residing in England and Wales against Google LLC. The lawsuit alleged that Google unlawfully collected Safari users' personal information between June 2011 and February 2012 by bypassing privacy settings on iPhones. The case was brought under the Data Protection Act 1998, which required companies to have legitimate reasons for collecting and processing personal data. The plaintiffs claimed that Google had breached their privacy rights and that they suffered damages as a result. The case went to the Court of Appeal, which ruled that the case could proceed as a representative action, paving the way for a potential £3.2bn payout.

Supreme Court

In Lloyd v Google LLC, the Supreme Court addressed the issue of whether individuals can bring a claim against Google for alleged breaches of data protection legislation, even if they have suffered no financial loss. The case focused on the concept of "damages" under the Data Protection Act 1998, and whether individuals can be compensated for distress alone. The Court ultimately ruled that individuals can make a claim for damages in such circumstances, even if they have not suffered any financial losses. This ruling has significant implications for companies like Google, who collect vast amounts of personal data on individuals. It also serves to reinforce the importance of data protection regulations and the need to ensure individuals' rights are protected.

Section 13 of the DPA98

In the landmark case of Lloyd v. Google, the Supreme Court analysed the interpretation of the word "damage" in Section 13 of the Data Protection Act 1998 (DPA98). The Court held that damages under Section 13 could be awarded for non-material losses, such as distress, without the need to prove financial damage. The Court further clarified that damages could be awarded on a representative basis, meaning that one individual could represent a larger group that suffered similar breaches of data protection. This decision marked a significant development in privacy law, giving individuals greater protection against data breaches and providing a means to hold companies accountable for non-material losses.

Legal Reasoning

The Supreme Court rejected Lloyd's argument, siding with Google on the following grounds:

  1. Representative action claims can be initiated by individuals with a shared concern, but this cannot occur when there is a conflict of interest among class members, such that the position of some would prejudice the position of others. Lloyd had brought a representative action for damages on behalf of each member of the class on a uniform per capita basis, despite the fact that there was no conflict in this case and the claims plainly raised common issues. However, because the effect on the represented class was not uniform (for instance, some allegedly had more of their data unlawfully processed than others, including different types of data, including some sensitive personal data), this would result in different awards of compensation being given to different members of the class, necessitating an individual assessment of damages. Consequently, those in the group did not share a common interest.

  2. The court rejected Lloyd's argument that a person is entitled to compensation solely for a violation of the DPA98 and without having to substantiate any specific facts. To establish a claim for compensation, an individual must not only demonstrate a violation, but also that he or she has suffered either monetary or emotional harm as a result. This necessitates evidence from each individual, which is incompatible with claiming damages on a representative basis, as claimants would present various evidence and therefore have varying interests.

  3. The court also determined that damages for the separate head of loss of control (as imported from MOPI claims) were not recoverable in data protection claims because Section 13 of the DPA98 (which establishes the statutory basis for damages awards) could not be interpreted to mean or include loss of control (or user damages) because "contravention" and "damage" are not synonymous. A violation of the DPA98 must cause (material) harm to a data subject in order to generate any entitlement to compensation under section 13. A data subject is entitled to compensation not because of the illegal conduct itself, but because of the resulting harm. Furthermore, the applicable EU legislation could not be read to broaden the definition of "damage" beyond financial loss or suffering; therefore, section 13 of the DPA98 was not incompatible with EU law. If this were not the case, the court said that a person would be able to collect compensation (under the previous legislation) without proving significant injury or distress whenever a data controller failed to comply with the DPA98 on the grounds that such a breach amounted to a loss of control.

  4. Furthermore, the court said that there is no reason why damages paid in a common law claim for MOPI should be relevant to the appropriate construction of the statutory system for seeking damages under DPA98 just because they are derived from the same source. There are also substantial disparities between these assertions. Data protection law, for example, goes outside the scope of MOPI, and data does not need to have a reasonable expectation of privacy to be protected under DPA98 (whereas it must in a MOPI suit for which loss of control damages are payable). Damages may even be granted in MOPI suits if there is no evidence of tangible harm or suffering. As a result, loss of control damages in MOPI claims are not analogous to DPA98 data protection claims.

RATIO

For all of these reasons, the court came to the conclusion that section 13 of the Data Protection Act of 1998 (DPA98) cannot reasonably be interpreted as granting a data subject the right to receive compensation for any (non-trivial) violation by a data controller of any DPA98 requirement without requiring the data subject to demonstrate that the violation has resulted in actual material harm or emotional distress to the individual in question.

The court ruled that a class action under s. 13 could not succeed because it would still be necessary to determine the scope of the illegal processing in each individual case, which would require examination of pertinent factors like "How long did Google track the person's internet browsing history? How much data was improperly processed? Any sensitive or private information that was handled illegally? What use did Google make of the data, and what, if any, financial gain did Google get from that usage?"

If none of these considerations are made, it would be impossible to prove that any member of the class was entitled to damages in the form of compensation based on the alleged facts because they fall short of (and have no chance of meeting) the legal requirements.

Therefore, Lloyd's argument that each member of the class was entitled to damages solely because they were shown to be members of the class and without having to adduce any evidence that Google had improperly obtained and utilised their data was insufficient. According to the court, Lloyd was trying to get damages without even attempting to establish that there had been improper processing.

The court ruled that Lloyd's claim had no realistic chance of success and denied his request to serve his claim outside of the jurisdiction.

Lloyd v Google – right claim, wrong law?

The case of Lloyd v Google centers around the alleged misuse of personal data by Google. Richard Lloyd, the former director of consumer rights group Which?, is seeking compensation for himself and potentially millions of other iPhone users in the UK whose personal information was unlawfully collected by Google. The case raises important questions about privacy and data protection in the digital age. However, some legal experts argue that Lloyd may have chosen the wrong law to pursue his claim. Under current UK law, individuals can only claim compensation for damages caused by a breach of data protection regulations if they can prove financial loss. Lloyd's claim is based on the infringement of his right to privacy, rather than his financial losses, which may make it difficult for him to succeed in court.

The class action

In the case of Lloyd v Google, the Supreme Court made a significant ruling regarding class action suits. In June 2019, the court held that a class action lawsuit can only proceed if every member of the class has sustained the same type and scope of injury. This meant that in order for class actions to proceed, all plaintiffs must have suffered the exact same harm. The decision was a major setback for privacy advocates who were hoping to use class action lawsuits to challenge tech companies' data collection policies. The Supreme Court's decision has made it more challenging for consumers to sue companies in class action suits, and it is still seen as a controversial ruling by many people.

Floodgates

The Supreme Court made a significant ruling on the argument about floodgates. The plaintiff, Richard Lloyd, brought a claim against Google, alleging that the tech giant had unlawfully collected and used his personal data. Google submitted that the claim should be struck out on the basis that Mr. Lloyd had suffered no real harm and that the floodgates would be opened if the claim were allowed to proceed. However, the Supreme Court rejected this argument, stating that it was not persuaded that the floodgates would be opened if the claim were permitted to proceed. The Court held that a person who suffers harm as a result of a breach of data protection law is entitled to compensation, and failure to allow such claims would discourage individuals from bringing valid claims against large corporations. Therefore, the Supreme Court's decision in Lloyd v Google establishes an important precedent for future data protection claims.

Conclusion

Lloyd v Google was a significant case that centered around privacy rights and the use of personal data. The case was brought against Google by Richard Lloyd, who alleged that Google had violated the Data Protection Act of 1998 by secretly collecting and using user data. The case was heard in the UK, and after a long legal battle, the ultimate decision was that the case could not proceed as a class action lawsuit. This decision was reached because the judge ruled that the members of the proposed class did not all suffer the same type of damage and could not demonstrate that they had all suffered a loss as a result of Google's actions. While the case did not result in a victory for Lloyd and the other plaintiffs, it did bring new attention and scrutiny to the use and protection of personal data by technology companies.
