The Supreme Court has today overturned the Court of Appeal’s decision in the high profile Lloyd v Google case, which could have opened the floodgates for class actions for compensation for loss of control of personal data to be brought on behalf of very large numbers of individuals without identifying class members: Lloyd v Google LLC  UKSC 50.
In its unanimous judgment, the Supreme Court found that:
- A claim for damages for the unlawful processing of data under the Data Protection Act 1998 (“DPA 1998“) required proof of damage in the form of either material damage (such as financial loss) or mental distress. Such damage must be distinct from, and caused by, the unlawful processing. It could not be the unlawful processing itself.
- In any event, to determine the quantum of any damages, the court would need to consider the extent of the unlawful processing in the individual case, including for example the relevant time period and the quantity and nature of the data processed. Without evidence as to individual circumstances, it would be impossible to conclude that the damage was more than trivial, and therefore there would be no right to compensation.
From a data protection perspective, the judgment focussed largely on whether or not the “damage” referred to in section 13 of the DPA 1998 should be interpreted as extending beyond material damage (i.e. financial loss or physical or psychological injury) and distress, to also include “loss of control” over personal data. Although “loss of control” is not a term used in the DPA 1998, the claimant’s case was that an individual should be entitled to recover compensation under section 13 without proof of material damage or distress whenever a data controller fails to comply with any of the requirements of the Act in relation to any personal data of which that individual is the subject, provided only that the contravention is not trivial or de minimis. Any such contravention would involve “loss of control” of data for which compensation would be payable.
Turning to the words of section 13, the Supreme Court ruled that the words cannot reasonably be interpreted as giving an individual a right to compensation without proof of material damage or distress whenever a data controller commits a non-trivial breach of any requirement of the Act in relation to personal data of which that individual is the subject. The wording of section 13(1) draws a distinction between “damage” suffered by an individual and a “contravention” of a requirement of the Act by a data controller, and provides a right to compensation “for that damage” only if the “damage” occurs “by reason of” the contravention. The Supreme Court found that the wording was therefore inconsistent with an entitlement to compensation based solely on proof of the contravention (i.e. no compensation for loss of control without financial damage or distress).
The case was brought under the DPA 1998, rather than the GDPR which superseded it (and which has now been incorporated into UK law post-Brexit). Whilst there may be read across to the current UK GDPR regime, Lord Leggatt specifically stated that he was not considering the later legislation (i.e. the GDPR) and this could potentially leave the door open for future loss of control claims under that legislation. The compensation regime under the UK GDPR expressly refers to compensation being available in relation not only to material damages but also “non-material damages”. Further, the recitals specifically reference loss of control over personal data as an example of possible damage resulting from a personal data breach. As this language was not considered in the Supreme Court’s judgment, it could still be a battle ground for future claims.
For more details on the background to this watershed case and the Supreme Court ruling, including the detail on representative actions, please see our blog post available here.