The areas of work in which we have particular expertise, experience and excellence.
Articles | Wed 10th Nov, 2021
“… I conclude that section 13 of the DPA 1998 cannot reasonably be interpreted as conferring on a data subject a right to compensation for any (non-trivial) contravention by a data controller of any of the requirements of the Act without the need to prove that the contravention has caused material damage or distress to the individual concerned”
The Supreme Court has just handed down judgment in Lloyd v Google LLC  UKSC.
The question raised by this appeal is whether the claimant, Mr Richard Lloyd (who is backed by a commercial litigation funder), can bring a claim against Google LLC in a representative capacity seeking compensation under section 13 of the Data Protection Act 1998 (“the DPA 1998”) for damage allegedly suffered by a class of Apple iPhone users as a result of unlawful processing by Google of their personal data in breach of the requirements of the Act.
The Claimant sought to rely on CPR 19.6 which allows a claim to be brought by one or more persons as representatives of others who have the “same interest” in the claim. The Claimant argued that the “same interest” requirement was satisfied so that the representative procedure could be used to recover a uniform sum of damages for each person whose data protection rights had been infringed, without having to investigate their individual circumstances.
As Google is in the US, the claimant needed permission to serve the claim form outside the jurisdiction. The Defendant opposed the application on the grounds that: (1) damages cannot be awarded under the DPA 1998 without proof that a breach of the requirements of the Act caused an individual to suffer financial damage or distress; and (2) the claim in any event is not suitable to proceed as a representative action. In the High Court Warby J decided both issues in Google’s favour and therefore refused permission to serve the proceedings on Google. The Court of Appeal reversed that decision.
The Supreme Court has firmly decided the case in favour of Google. Lord Leggatt, who gave judgment on behalf of the unanimous Court. Section 13(1) of the DPA 1998 provides that:
In Lord Leggatt’s view at [§115]:
Those words, however, cannot reasonably be interpreted as giving an individual a right to compensation without proof of material damage or distress whenever a data controller commits a non-trivial breach of any requirement of the Act in relation to any personal data of which that individual is the subject. In the first place, as discussed above, the wording of section 13(1) draws a distinction between “damage” suffered by an individual and a “contravention” of a requirement of the Act by a data controller, and provides a right to compensation “for that damage” only if the “damage” occurs “by reason of” the contravention. This wording is inconsistent with an entitlement to compensation based solely on proof of the contravention. To say, as the claimant does in its written case, that what is “damaged” is the data subject’s right to have their data processed in accordance with the requirements of the Act does not meet this point, as it amounts to an acknowledgement that on the claimant’s case the damage and the contravention are one and the same.
For this primary reason the Court declined to uphold the Court of Appeal’s decision to allow the claim to be served outside the jurisdiction: put simply to succeed in a claim under the DPA 1998 a claimant must prove either material damage or distress. As that could not be done in the circumstances of this case, Warby J had been right to refuse permission to serve the proceedings outside the jurisdiction.
This means that damages for “loss of control” of data, or “user damages” are not available in claims under the DPA 1998. The right to such damages however does survive in cases that rely upon the tort of misuse of private information as “damages may be awarded for the misuse of private information itself on the basis that, apart from any material damage or distress that it may cause, it prevents the claimant from exercising his or her right to control the use of the information” [§141].
Whilst the decision puts an end to litigation valued at over £3 billion, it is also likely to significantly reduce the pool of Claimants who have suffered low-level data breaches who cannot show a more than trivial degree of distress – they cannot, it seems, rely upon an argument that the loss of control of the data itself gives rise to an actionable cause of action.
A further article exploring the case will be published shortly.