Supreme Court’s decision in £3billion data privacy case may come as a relief for data controllers

The Supreme Court has handed down their eagerly awaited decision in the £3billion case of Lloyd v Google. The court blocked the claim by Richard Lloyd, representing 4 million iPhone users, from proceeding and in doing so made it clear that compensation sought by data subjects for damages for loss of control of their data would be unlikely to be awarded unless the associated data breach had caused “material damage or distress to the individual concerned”.

Mr Lloyd alleged that Google illegally misused the personal data of iPhone users by tracking and collecting information about them through their Safari web browser.

The Data Protection Act 1998 gives an individual the right to compensation where damage has been suffered as a result of a data breach. However, the UK’s highest court found that compensation was only payable where damage, such as financial loss, or in certain circumstances, evidenced distress, is suffered by the affected individual – seemingly a higher threshold for the individual to prove.

The Judge commented that “proof of material damage or distress” is necessary where a data controller commits a “non-trivial breach” of data protection laws.

In this case, no such satisfactory evidence was provided in respect of the 4 million iPhone users represented that Google used their personal data in breach of applicable laws. Without proof, the claim simply could not succeed.

It is likely this will prevent the floodgates from opening in relation to other low-value claims against businesses who have inadvertently breached data protection laws, as well as large scale representative actions for compensation. A different result could have led to mass claims for data breaches, even trivial ones.

This may come as a relief to many data controllers, grappling to maintain compliance with personal data laws in all aspects of their business. But of course, it may also leave many data subjects without a means of recourse where they have concerns about how their personal data is being processed – their rights may be breached, but they cannot necessarily do anything about it.

Please get in touch if you would like our assistance in relation to data protection matters for your business.