The UK Supreme Court held in the Lloyd vs Google class action case that privacy damages need to be proven, putting a strong limit on these potential claims.
Here is a summary of the case based on the article from my UK DLA Piper data protection colleagues.
The Lloyd vs Google privacy class action case
Mr. Lloyd brought an opt-out class action against Google in the English Courts on behalf of more than 4 million iPhone users, allegedly affected by a Safari workaround that Google had deployed during a 10-month period ending February 2012. The workaround had facilitated Google harvesting browser data from iPhone users without their consent – defined as “browser generated information” (BGI) – which it was able to aggregate so as to create target audiences, in turn generating significant profits by enabling advertisers to target their adverts at these audiences.
Mr. Lloyd sought a uniform amount of £700 per user, giving a total of up to £3 billion, but without seeking to prove damage for each individual. This was on the basis that each and every user had lost control of their browser-generated information and that, as that BGI had a value, the users should receive damages as a result.
The position of the UK Supreme Court on the Google vs Lloyd privacy class action
The Supreme Court held that:
- A data subject will not have a right to compensation for any contravention by a data controller of any of the requirements of the Data Protection Act 1998 (DPA) unless it can prove that the contravention has caused material damage (i.e. mental distress or financial loss) to the individual concerned. A different view would require an extension to the rights conferred by the UK Data Protection Act;
- The ‘novel’ representative class action was doomed to fail – Mr. Lloyd failed to show that there was either (1) unlawful use of personal data relating to each individual, or (2) that the individual had suffered damage as a result.
What is the impact of the Lloyd case on future data protection class actions?
Had Mr. Lloyd’s claim succeeded, the financial consequences for any business affected by a data breach resulting in the loss of control of personal data would have been potentially very significant. Indeed, it may have opened up an avenue for other compensable claims for other misuses of personal data, or perceived misuse.
Distress-based claims have also received recent criticism in the High Court and these, together with the Supreme Court’s ruling in Lloyd, reset the balance. The message from the judiciary is clear: not every data breach or unlawful processing of personal data is capable of giving rise to compensation.
The judgment is not the end of UK representative class actions. Indeed, the Supreme Court reiterated their purpose and procedural advantages. However, to be able to bring a representative class action, the claimants will have to establish that their claims all satisfy the “same interest test”. That is likely to be costly and complicated for most data protection claims. Even if a database holding identical classes of information for one thousand individuals was compromised, it does not follow that each individual would suffer the same harm. Distress is inherently subjective. It may be simpler to bring an opt-out representative class action claim to establish common liability and then switch to individual claims or opt-in group claims to prove damage, but the time and cost involved may well deter previously buoyant claimant firms.
Does the decision impact privacy class actions in EU member states?
Article 80 of the GDPR allows an individual to “mandate a not-for-profit body, organisation or association [—] to exercise the rights referred to in Articles 77, 78 and 79 on his or her behalf, and to exercise the right to receive compensation referred to in Article 82 on his or her behalf where provided for by Member State law”. Besides, several EU member states have their local class action instruments that in some cases can also cover privacy-related disputes.
I am not aware of cases where this kind of data protection class action has been actioned in other EU member states. But – also based on the outcome of the UK Lloyd case – it appears that the 4% turnover-based GDPR fine is likely to represent a higher deterrent against potential privacy breaches.
It seems that such a view was recently taken by NOYB with its challenging letters to major organizations for breach of data protection obligations on cookies, in which it threatens to report the matter to the competent data protection authority. Indeed, unlike a court claim, mere reporting to a privacy authority does not require proving an underlying interest and/or damages. As such, it is a much more powerful and easy-to-handle option for privacy activists. And I expect that NOYB will soon start sending challenging letters to organizations for the unlawful transfer of personal data outside the EEA, which – after the noise of the Schrems II case – was sort of forgotten by companies that rarely run the data transfer assessment required by the new Standard Contractual Clauses.
On a similar topic, you may find the article “Do you have a data transfer impact assessment methodology based on the Schrems II decision?” interesting.