Supreme Court applies brakes to compensation claims for data breaches

Yesterday, the Supreme Court handed down an important judgment in  Lloyd v Google. Although the claim was brought on behalf of millions of consumers, the decision has a much wider impact and is relevant to employers and to schools and colleges.  

Facts

The case was brought by Mr Lloyd who is a former Which? Director and consumer activist against internet giant Google. Mr Lloyd brought a representative action against Google on behalf of more than 4m iPhone users and sought over £3 billion in damages for 'loss of control' of their personal data.

Between June 2011 and February 2012 Google used a ‘workaround’ on Apple’s Safari browser allowing it to bypass Safari’s blocking of third party cookies and therefore collect and use the individual’s browser generated information. Mr Lloyd alleged that this meant that Google was in breach of the Data Protection Act 1998 and that he, and the other 4m iPhone, users were entitled to damages for the loss of control of their data. 

Supreme Court decision

The court focused on two key questions. First, it considered whether a representative action could be brought on behalf of millions of affected individuals on an 'opt-out' basis and secondly, whether damages were available for a 'loss of control' of an individual’s personal data if they hadn’t suffered any other losses such as financial loss or distress.

The Supreme Court decided that an opt out representative action couldn’t be brought in these circumstances as it is necessary to consider the damage suffered by each individual on a case by case basis as each member of the class of claimants may have had their rights infringed in differing ways and to different degrees. 

Of more importance to employers, the Supreme Court decided on the second point that to be able to claim damages an individual had to show that there had been a breach of data protection laws and they had suffered actual damage.  It made it clear, that any breach of data protection law didn’t automatically give rise to damages because the individual had 'lost control' of their personal data.

Implications for employers

This is a welcome decision. Since this claim was launched, we've seen a steady increase in the numbers of employees bringing claims against their employers or threatening to do so - often for small technical breaches of the Data Protection Act or GDPR such as responding to a DSAR a day or two late, or failing to include everything in a privacy notice. Some organisations have paid their staff compensation because they were worried that if the matter went to court, they may have to pay out substantially more.  

Now employers can respond to similar claims robustly and will only need to pay damages if the employee can demonstrate that they have suffered actual damage. This should get rid of many spurious claims and, as our data protection expert, Joanne Bone puts it "employees can't now leverage technical breaches into cash."

The ICO – the UK’s data protection regulator - made representations in the case and argued that a ‘loss of control’ of personal data should give rise to damages (provided it wasn’t trivial) without evidence of any financial loss or mental distress. The UK Supreme Court rejected this argument and made it clear that while individuals have certain data rights under the data protection regime then and now, ‘control’ of their data is not one of them.

The Supreme Court decision is consistent with some other recent decisions that make it clear that breach of data protection laws doesn’t automatically mean financial compensation for individuals. For example, in Rolfe v Veale Wasbrough Vizars, a private school instructed solicitors to write to Mr and Mrs Rolfe to chase payment of outstanding school fees. The solicitors sent the email to the wrong recipient who replied immediately to point out their mistake and agreed to delete it. The email and attachments were encrypted. Despite this, Mr and Mrs Rolfe (and their daughter) brought proceedings against the solicitor and claimed damages. 

The court dismissed their claims and made it clear that in this day and age ‘no person of ordinary fortitude would reasonably suffer the distress claimed arising in these circumstances in the 21st Century, in a case where a single breach was quickly remedied.’

Does this case apply to breaches under the Data Protection Act 2018 and GDPR?

The case was brought under the old data protection regime and some experts believe that the position is different under GDPR. Joanne's view is that whilst GDPR (and UK GDPR) give greater rights to individuals, Article 82 still requires a breach followed by damage and so this decision is still relevant and can be applied to the new legislation.

Need help?

Joanne Bone advises organisations across all sectors on data protection and privacy.

She advises on data protection compliance programs (including drafting suites of policies and procedures, privacy notices and other documentation) for a broad range of clients, including national retailers, multi-national manufacturers, schools and colleges, sports clubs and property developers.

She also advises on:

• The compliant export of personal data and the impact of Schrems II and Brexit;
• Data sharing and processor contracts;
• How to carry out legitimate interest and data protection impact assessments;
• How to market under GDPR including how to draft and obtain compliant consents.

And, she advises on how to deal with the more contentious data protection issues such as complaints to the ICO and the notification of data breaches and provides swift, pragmatic and knowledgeable advice to help clients through what can be a challenging process.