The Supreme Court handed down judgment on 10th November 2021.
The Appellant (Google) wanted to reinstate a refusal to allow Mr Lloyd to serve his claim outside the jurisdiction. Permission had originally been refused in the High Court for three reasons:
- The users (under a representative action on behalf of users of the Appellant’s services) had not suffered ‘damage’ under s.13 of the Data Protection Act 1998
- The Claimant was not entitled to bring a representative claim. The users did not share the same interest and were not identifiable
- The Court had discretion as to whether the Claimant should be allowed to bring a representative claim.
The Court held unanimously that the Court of Appeal decision should be overturned and the decision of the High Court judge restored, so Mr Lloyd is refused permission to serve out of the jurisdiction.
The principal findings were:
- The claim was brought solely under the DPA 1998.
- Section 13 of the DPA provides for compensation where an individual has suffered damage as a result of a data controller’s breach. ‘Damage’ is properly interpreted as material damage such as financial loss or mental distress caused by unlawful processing in contravention of the Act (not simply unlawful processing per se).
- To recover compensation under the Act, an individual would have to be able to prove (in this case) Google had unlawfully processed that individual’s data under the Act – as opposed to allowing the data of a class of individuals’ data to be processed, where only the data of some individuals within the class may have, in the event, have been processed.
The Court found a representative claim could have been used to determine whether Google was in breach of the DPA, to establish whether individuals had a right to bring claims for compensation. If the claim were successful, the Claimants could have considered individual claims for compensation.
In this case Mr Lloyd had sought to do both, without being able to demonstrate unlawful processing of any individual’s data or any loss to an individual. This was unsustainable.
Conceptually it is still open for a campaigner or group to bring a representative action to establish the rights of individuals to claim. That must be the first of two stages. Any individual claims would be contingent on the outcome of the representative action and would need to be made later.
The Court noted that the difficult economics of the two stage process might have made it uneconomic to pursue. To do what Mr Lloyd did, i.e. to bring a claim for damages where there was no proof of unlawful processing of any individual’s data and no proof of material damage was simply not sustainable.
Data controllers will no doubt welcome this judgment, which reasserts some basic principles on breach of statutory duty and proof of damage.
For an individual to prove that their data have been unlawfully processed and damage sustained as a result is likely to be extremely difficult, to the point where most are unlikely to attempt it, unless or until the evidence they would need is considerably easier to obtain. Allegations of a simple ‘loss of control’ with no material damage will not found a claim under the DPA.
To view/download as a PDF please click here.
If you would like to know more about this matter, please speak to your contact at Plexus Law:
Duncan Brockway, Partner
T: 0113 4681 914 | M: 07785 615 782 | E: email@example.com
Whilst we take care to ensure that the material in this Case Alert is correct, it is made available for information only, and no representation is given as to its quality, accuracy, fitness for purpose, or usefulness. In particular, the contents of this Case Alert do not give specific legal advice, should not be relied on as doing so, are not a substitute for specific advice relevant to particular circumstances. Plexus Law accepts no responsibility for any loss which may arise from reliance on information or materials published in this Case Alert