Significant development in Data Protection Case Law regarding damages for the loss of control of personal data

In a unanimous judgment handed down in Lloyd v Google [2021] UKSC 50 on 10th November 2021, the Supreme Court rejected a high-profile compensation claim against Google for the loss of control of personal data. The case concerned Google’s placing of advertising tracking cookies on iPhones using Apple’s ‘Safari’ browser in England and Wales between August 2011 and February 2012. The claim was brought by Mr Richard Lloyd, who sought to bring it on behalf of several million individuals who he alleges were affected by the loss of personal data.

In its judgment, the Supreme Court rejected the concept that data subjects affected by a non-trivial data breach should be automatically entitled to an award of compensation for the mere “loss of control” of their personal data. Overturning the previous Court of Appeal ruling, the Supreme Court found that a successful claim for damages for the unlawful processing of data under the Data Protection Act 1998 requires proof of damage. This proof can either be in the form of tangible financial loss or mental distress suffered as a result of the loss of control of personal data. Such damage must be distinct from, and caused by, the unlawful processing.

The judgment also shed light on how the court would determine the quantum of any damages awarded in a successful case. In deciding damages, the court would be required to consider the extent of the unlawful processing in the individual case based on the relevant time period and the quantity and nature of the data processed. Without evidence as to individual circumstances, it would be impossible to conclude the damage was more than trivial, and therefore there would be no right to compensation. The attempt in this case to bring an action for compensation on behalf of all those whose data was processed, without reliance on any individual circumstances of class members, was therefore without merit.

A point to note is that this case was brought under the Data Protection Act 1998 (the relevant legislation at the time) rather than the UK GDPR which superseded it. However, as the language of both sets of legislation is similar, there is no significant scope for distinguishing any new claims brought under the GDPR from the precedent now set by Lloyd v Google. This is therefore a welcome development for data controllers of all sizes in the UK.

Should you require advice or assistance in relation to data protection issues, please do not hesitate to contact Niamh McMonagle.