data protection concept image, blue shield with lock inside

What do the results of the Lloyd v Google case mean for data controllers?

In one of the most eagerly awaited data privacy cases to date, the Supreme Court has handed down judgment in Lloyd v Google LLC [2021] UKSC 50, ruling that the claim for breach of the Data Protection Act 1998 (“DPA 1998”) should not proceed. Mere “loss of control” of data, without any harm suffered, is unlikely to give rise to a claim.

Background to the Lloyd v Google case

The claim was brought against Google by Richard Lloyd, a former director of Which?, who issued proceedings in 2017 on behalf of some 4 million iPhone users affected by a “Safari workaround” implemented by Google. The workaround allegedly allowed Google to place third party cookies onto iPhones without the user’s knowledge or consent.

The claim was brought by Mr Lloyd on behalf of every affected user, using a representative action mechanism in the Civil Procedure Rules. This required Mr Lloyd to show that every affected individual shared the same interest in the claim, which is notoriously difficult to prove. Mr Lloyd, in bringing the claim, argued that every user had suffered the same loss of control of their data, and had therefore suffered the same harm.

The Supreme Court was asked to consider a number of questions, including whether the claimants had suffered harm as a result of the loss of control of their data. In its judgment, it ruled that they had not.

What this means for data controllers

This is good news for data controllers; the floodgates remain firmly closed to claims where the claimant cannot show that they suffered harm as a result of a data breach.

The Supreme Court’s judgment makes clear that the wording of the DPA 1998 does not give rise to claims for “loss of control”, unless there is evidence of other harm, such as financial harm or emotional distress.

The DPA 1998 has since been superseded by the Data Protection Act 2018 (“DPA 2018”) and the General Data Protection Regulations (“GDPR”). These came into force on 25 May 2018. So any claim arising out of facts which took place before this date will be a non-starter, unless the claimant can show that harm has been suffered. The Supreme Court did not consider the current legislation in detail, however it did cast doubt on potential claimants’ ability to bring claims under the new legislation too.

This judgment provides a solid basis on which to resist claims for data breaches, where previously the law had not been so clear.

If you or your business is the subject of a data breach claim, our Commercial Dispute Resolution and IP&IT teams have considerable expertise and are well placed to assist. Please do get in touch.

For more information on how to deal with a complaint about cookies read here.