Google Reigns Supreme - the implications for Data Controllers
On 10th November 2021, the highly anticipated judgment of the UK Supreme Court in the Lloyd v Google case was handed down.
The news was good for data controllers, as Lloyd’s compensation claim against Google was ultimately rejected.
By way of a background refresher, for a period of eight months commencing in June 2011, Google intentionally bypassed Safari’s attempts to block third party cookies on behalf of its users. By relying on this ‘workaround’, Google could (and did) process Safari users’ browser-generated information. Lloyd claimed that this was a breach of the Data Protection Act 1998 and therefore embarked upon litigation on behalf of himself and 4 million other iPhone users, claiming compensation for Google’s breach of data protection law and the loss of control of their personal data. The litigation was brought to a climax with this 10th November 2021 decision.
Previously, the Court of Appeal had found for Lloyd, ruling that damages (for unlawful processing of data under the Data Protection Act 1998) were payable even in the absence of any damage being suffered. Google appealed.
The UK Supreme Court has overturned the Court of Appeal decision, instead finding that in order for compensation to be payable, there must have been some damage suffered and that the damage must have been caused by the unlawful processing. Simply put, the act of unlawful processing (i.e. a breach) is not in itself sufficient for compensation to be awarded.
This decision is momentous in UK data protection litigation as it confirms that there is no automatic right to compensation for ‘loss of control’ [of personal data] following a breach; the claimant must prove that the breach caused damage. Whilst the UK General Data Protection Regulation (UK GDPR) does afford individuals increased rights compared to the earlier Data Protection Act 1998 under which this claim was determined, Article 82(1) of the UK GDPR clearly states:
‘Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.’
Although the Google case has been decided under an earlier data protection regime, this decision is likely to be transferable and should therefore be of comfort to data controllers; any ambiguity there may have been regarding whether unlawful processing in itself is sufficient to cross the threshold of damage suffered has been quashed by this UK Supreme Court ruling.
Further, Lloyd was refused permission to serve representative proceedings (i.e. on behalf of the 4 million affected users on an ‘opt-out’ basis as Lloyd claimed to have the same interest in the claim as each of those users) on Google’s headquarters in Delaware, US. The UK Supreme Court’s decision was that a representative action was inappropriate because of the need to consider the damage suffered by each individual claimant on a case-by-case basis.
This decision should be welcomed by data controllers. Whilst it will not preclude claims for compensation where damage has indeed been suffered as a result of a breach of data protection law, it will limit the scope of such claims, thereby removing the potentially significant financial consequences of dealing with claims for trivial breaches and avoiding the risk of the courts widening the scope for compensation under misuse of private information or other data-related claims.