A data protection case against Google (Lloyd vs Google) has resulted in disappointing news for individuals and their data privacy rights. The legal action, which relates to events that took place nearly a decade ago, could impact some current data breach actions. However, the decision might not be as challenging for data breach victims as some might think.
What happened in this case?
Between 2011 and 2012, Google used cookies on Apple’s Safari web browser to collect data about its users. This included information on health, race, ethnicity, sexuality, and finance. It is alleged that this happened even if someone changed their settings to “do not track”. In response, a legal challenge was launched to help people stand up to Google and this misuse of private data.
In October 2018, the case was thrown out as the judge ruled that it was too difficult to calculate how many people had been affected by the breach, and in what way. However, the case was taken to appeal, and the appeal court ruled that all data breach claims were valid – even if someone had not suffered financial or emotional damage as a result. Simply losing control of the personal information was sufficient grounds to make a claim.
Google took the case to the Supreme Court and the decision of the appeal court was overturned.
Lord Leggatt, one of the five Supreme Court justices who considered the case, said that it was “unsustainable” that affected iPhone users could be awarded a uniform sum, without having to prove financial loss or mental distress. He said:
“What gives the appearance of substance to the claim is the allegation that Google secretly tracked the internet activity of millions of Apple iPhone users for several months and used the data obtained for commercial purposes.
“But on analysis the claimant is seeking to recover damages without attempting to prove that this allegation is true in the case of any individual for whom damages are claimed.
“Without proof of some unlawful processing of an individual’s personal data beyond the bare minimum required to bring them within the definition of the represented class, a claim on behalf of that individual has no prospect of meeting the threshold for an award of damages.”
What does this mean for data breach victims?
Crucially, this decision does not mean that individuals cannot hold organisations to account for a failure to protect their personal data. Indeed, individuals still have a right to compensation if they have suffered actual, or potential, financial loss or psychological injury following a data breach.
The Supreme Court also ruled that, in this case, a representative action (a type of class action) on behalf of every single person who could be affected was not viable. Instead, to join a representative action, each individual must be able to demonstrate that they had suffered a breach of their rights and suffered damage as a result of that breach.
Commenting on the case, Kingsley Hayes, our head of data breach, said:
“While the Supreme Court’s decision might seem like bad news for data breach victims, it’s important to note that Lloyd vs Google was brought under the previous data protection regime. So, while it will impact several other older representative actions that have been on hold pending the Supreme Court’s judgment in this case, it won’t necessarily have as significant an impact on newer cases being brought under the GDPR. The way that they are brought, however, may continue to evolve.
“Indeed, demonstrating the financial loss and/or emotional distress caused by data breaches aligns with how our firm currently pursues data breach actions. We place huge importance on sourcing evidence to demonstrate quantifiable distress and financial loss to make the strongest possible claims on behalf of our clients. So this ruling, while important, will not change the way we are handling claims for tens of thousands of clients. If anything it is a validation of the approach we have developed over the years.”