Supreme Court – Setback for representative claims

At Hempsons we have noted an increasing number of what might be considered trivial data breach claims being made against our clients. These claims follow a fairly standard pattern: an email containing minor personal information, such as the name, age or address of an individual, is sent to the wrong person by mistake. These minor releases of biographical information then become subject to claims for breach of UK GDPR.

There have been a number of high-profile, large-scale alleged or admitted corporate data breaches which have led to actual or pending claims. Today, the Supreme Court has issued its judgment on the leading case of Lloyd -v- Google, and has ruled in favour of Google. Mr Lloyd sought to bring a claim as a “representative” of all individuals in England & Wales who were alleged to have had their data misused by Google, which had been secretly tracking the internet activity of millions of Apple iPhone users. Whilst this is very different from the “run of the mill” data breach claims, it has important implications for the growing data breach claims market.

The argument in this case was that compensation can be awarded under the Data Protection Act 1998 (now replaced by the UK GDPR and the Data Protection Act 2018) for “loss of control” of personal data without the need to prove that an individual claimant suffered any particular financial loss or mental distress as a result of the breach, or that any individual wrongful use of their data could be established.

The amount of damage for each claimant was not agreed, but a figure of £750 was advanced in a letter of claim. Multiplied by the number of people whom Mr Lloyd claimed to represent, this would produce an award of damages of the order of £3 billion. This was, therefore, clearly an important case for Google. As Google is based in the USA, permission to serve proceedings abroad was needed, and that permission was fought on the basis that Google stated the claim could not succeed.

The main issue was whether the claim could progress as a “representative claim”, which required a conclusion that no actual proof of loss or distress needed to be asserted on behalf of each person represented in the action. The Court concluded that this was not the case, and that the claim could not succeed in the way it was brought, as evidence of either wrongful use or damage or distress of individuals had to be established.

This ruling, and a series of recent rulings either striking out what are considered trivial claims or remitting such claims to the Small Claims track (where legal costs are not recoverable), represent a setback to the growing industry of claims for minor data breaches where large numbers of individuals may be affected, but where the overall damages are likely to be low. Following this case, the damage, distress or other wrongful use for each affected claimant will need to be established and cannot be assumed – the mere fact of a data breach does not of itself give automatic grounds for compensation.

Our digital team can advise further on data protection and breach of confidence claims and responses to breaches of the data protection legislation.