Representative data breach litigation fails

In a landmark judgment, the Supreme Court has shot down attempts by consumer rights activist Richard Lloyd to pursue recovery of multi-billion-pound compensation on behalf of over 4 million iPhone users whose data rights were allegedly infringed by Google when it secretly tracked their browsing activity for commercial purposes back in 2011 and 2012.

Mr Lloyd’s representative claim, backed by a leading litigation funder, was brought under section 13 of the Data Protection Act 1998, the legislation in force at the time of the alleged data infringement.

The law on data breach claims, and in particular the recoverability of compensation, is evolving and was recently the subject of judicial consideration by the High Court in Warren v DSG Retail Limited [2021] EWHC 2168 (QB) – see our earlier article “Data breach claims: New High Court Ruling”.

In Lloyd v Google LLC [2021] UKSC 50, the Supreme Court effectively ‘shut the door’ on representative actions being a viable means of pursuing litigation on behalf of affected individuals, finding that the matter of what, if any, compensatory relief should be awarded could only be determined by individual assessment of each claimant’s claim. Put simply, a ‘common basis approach’ was not possible to determine compensation under section 13 of the DPA 1998, as this required a claimant to prove they had suffered actual damage either in the form of financial loss or mental distress.

The Supreme Court’s findings are important as there has been a consistent rise in claims against data controllers based on a mere ‘loss of control’ of an individual’s personal data, and such claims will no longer be possible.

The Supreme Court’s judgment is also likely to have an impact on the viability of group litigation in respect of low value data breach claims, potentially leaving innocent victims of a data breach having to pursue their own claim.

Google will no doubt view the Supreme Court’s decision as a significant victory, but it is unlikely to deter the advancement of data breach litigation in the UK. The Court refused to be drawn into consideration of a data subject’s rights to compensation under Article 82 of the General Data Protection Regulation and sections 168 and 169 of the Data Protection Act 2018.

It is quite possible that we will see the emergence of a new form of ‘hybrid litigation process’, merging the benefit of a representative claim to establish liability of a data controller with group litigation as a framework for assessing and awarding individual claimant compensation.

The law on liability for infringement of the GDPR and Data Protection Act 2018 will continue to evolve in time as more discrete legal issues are judicially considered.

For further information on your rights as a data controller in defending data breach claims, regulatory enforcement and data protection compliance please contact Clive Mackintosh at [email protected]