General News

Lloyd v Google: A Landmark Case

On the 10th of November 2021, The Supreme Court announced their long awaited decision regarding a lawsuit between Mr Lloyd and Google. The court found unanimously in favour of Google, and dismissed the Court of Appeal’s previous decision.

Many believe that this decision will bring an end to data protection class action lawsuits before they could really get started. Is this the case though?

History of Lloyd v Google

Mr Lloyd had originally brought a class action lawsuit against Google in 2018, relying on the representative action procedure set out in Civil Procedure Rule 19.6. The facts of the case centred around Mr Lloyd alleging that more than four million iPhone users had been adversely affected by a Google workaround on Safari across a ten month period, which ended in February 2012. Mr Lloyd was bringing about this claim on behalf of those more than four million iPhone users. The workaround on Safari that Mr Lloyd says affected all of these users he says facilitated the harvesting of great amounts of user data without the consent of the user, and has been defined as “browser generated information” (BGI). This browser generated information was then used to create targeted advertising, which in turn would have created a significant amount of income by allowing advertisers to advertise to a more specific audience than would have otherwise been possible. Mr Lloyd sought to claim an amount of money on behalf of the four million plus users without providing any damage for each individual. The total amount sought was £750 per user, which equated to a total of £3 billion. 

The case was first heard in the US, where Mr Lloyd asked permission to serve his claim outside of the jurisdiction, and in English Courts. This request was denied in 2018 by the High Court, who found that Mr Lloyd’s claim failed to identify a basis for which the members of the represented class to claim compensation under the DPA, and that the claim had no real chance of being successful, and therefore shouldn’t continue as a representative action. Mr Lloyd then appealed this decision, and the appeal was allowed in October 2019, which meant that Mr Lloyd was permitted to serve outside of the jurisdiction. Google then appealed this decision to the Supreme Court. At this stage, the ICO got involved, as well as a number of other parties. 

At this latest hearing of Lloyd v Google in The Supreme Court, there were three questions outlined for the court to consider, which are as follows:

  • Are damages recoverable under section 13 of the DPA for loss of control of data in and of itself (i.e. where the underlying breach does not result in any pecuniary loss or distress
  • Did the class (some 4 million individuals) share the “same interest”, which is a requirement for a representative action to proceed in England and Wales?
  • If the “same interest” test is satisfied, should the Court exercise its discretion to disallow the representative action proceeding any event?


The Decision

The Supreme Court reversed the decision of the Court of Appeal, and unanimously held that you can’t award compensation for a mere loss of control of data, you must be able to illustrate and prove that material damage or distress was caused as a result of the loss of control, saying that “[Section 13 of the DPA] cannot reasonably be interpreted as giving an individual a right to compensation without proof of material damage or distress whenever a data controller commits a non-trivial breach of any requirement of the [DPA]....”. 

What This Means Going Forward

The Supreme Court’s decision in Lloyd v Google will be welcomed by any business/organisation that handles personal data. If Mr Lloyd had been successful, it would have opened the floodgates and provided a precedent for organisations being required to pay compensation and be liable for any breach that had resulted in a loss of control of data, regardless of whether the data subject(s) had actually suffered a loss as a result. If the decision had gone in Lloyd’s favour, it may have even resulted in claims down the line for other misuses of data, or even merely perceived misuses.

In recent years, there has been a growing trend of claims brought about similar to Lloyd’s claim, where claimants are seeking compensation for a class of claimants without providing any proof of damage, with their whole claim centring around proving a loss of control of personal data. The decision in Lloyd v Google was seen as a watershed decision for these types of claims, and the Supreme Court’s decision has put an end to claims where there is a lack of proof of any damages being caused by the loss of control of data, with the UK Supreme Court saying “the claimant’s attempt to recover compensation…. Without proving [damage] [was] doomed to fail”. 

Whilst this decision will now see a reduction in these types of claims, which could have become pretty disastrous for organisations, there could now be an argument regarding whether there is sufficient deterrent to organisations breaching data protection regulations, and misusing personal data. The response to this would undoubtedly be that the ICO fills this role, with their power to impose a fine of up to 4% of an organisation’s worldwide annual turnover.