Damages for inappropriate harvesting of personal data

Lloyd v Google (Supreme Court) [2021]

Data controllers and their data processors spend many hours discussing the allocation of risks arising from GDPR breaches. Partly, this is because of the huge potential financial risks involved both from fines and large damages claims, particularly where large numbers of data subjects are affected. This case perhaps offers some re-assurance that the courts are willing to limit applicable damages in appropriate cases and suggests that representative class actions involving many thousands of claimants will not be quite as attractive as some may have thought / feared.

Facts:

Section 13 of the Data Protection Act 1998 (’DPA 1998’ - the legislation that preceded the latest DPA 2018) provided that:

“(1) An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage”.

A previous case had decided that under this provision a claimant could claim for material damage such as financial loss or distress (but, in the latter case without also having to establish financial loss).

Between August 2011 and February 2012 Google allegedly used a small piece of software known as a cookie to bypass privacy settings on Apple iPhones enabling it to track and record the online behaviour of millions of Apple iPhone users in the UK without their knowledge or consent. It sold the aggregated data for commercial purposes to subscribing advertisers in connection with targeted advertising. Mr Lloyd alleged, amongst other things, this was in breach of section 4(4) of the DPA 1998 (which imposed a general duty on data controllers to comply with “the data protection principles”) and, specifically, the first (fair and lawful processing) and second (obtained and processed only for specified and lawful purposes) principles. The claimant argued that the word “damage” in section 13(1) included damage for “loss of control” over personal data. The claimant did not allege he had suffered any direct financial loss nor that he had suffered distress.

Mr Lloyd’s claim was also unusual because it was brought as a ‘representative action’. Mr Lloyd was the only named claimant, but the claim was stated to be brought on behalf of others on a US-style opt-out basis (whereby individuals who qualify as part of a discrete ‘class’ are automatically deemed to benefit from the claim unless they opt-out). He claimed to be entitled to represent and recover damages on behalf of everyone resident in England and Wales who owned an Apple iPhone on which the cookie in question was placed at the relevant time. The estimated number of eligible claimants being more than 4 million Apple iPhone users.

If damages needed to be assessed on an individual, case by case, basis, it was accepted that a representative action would not work. To circumvent this, Mr Lloyd argued that damages could be awarded on a "uniform per capita basis" to each member of the claimant class without the need to prove any facts particular to that individual. The amount proposed was £750. Had the claim been successful on this basis, damages would have totalled about £3 billion. Alternatively, each member of the class could be awarded damages (again on a uniform per capita basis) as a hypothetical amount which they could reasonably have charged for allowing Google to use their personal data.

Decision:

Held:-

  • The claim failed because Mr Lloyd had not proved either financial loss or distress.
  • "Loss of control" damages do not fall within the ambit of section 13 of the DPA 1998. A claim for damages under the DPA 1998 requires proof of either material damage or distress, which has to be distinct from, or caused by, the unlawful processing.
  • The representative action was not appropriate because the court said it would have to consider the extent of the unlawful processing for each individual separately.
  • Damages on a hypothetical licence fee basis did not fall within section 13 of the DPA.
  • Points to Note:

    back to archive