Lloyd v Google ruling reshapes class action environment for data breaches

While businesses and cyber insurers breathed a sigh of relief following the judgment, the door to data breach class actions has not been completely slammed shut.

Businesses and cyber insurers alike celebrated the long-awaited decision by the UK Supreme Court in Lloyd v Google LLC [2021] UKSC 50 this month, but the door to data breach class actions and claims for the loss of control of personal data has not been completely slammed shut.

The court unanimously refused to allow the claimants to seek damages for the loss of control of their personal data, stating that compensation for a “non-trivial” breach of the (since repealed) Data Protection Act 1998 (DPA) can only be awarded where the claimant has suffered some form of material damage — such as financial loss or distress. The court further ruled that this particular claim was not viable as a “representative action”, a type of class action more commonly seen in the US, as it had not been proven that all the claimants shared the necessary “same interest” in the claim.

Organisations across the land had been fearing an adverse ruling that would herald a new dawn of mass class actions for data breaches. While they have breathed a collective sigh of relief following the judgment, the court did not go so far as to definitively prohibit the use of class actions for all types of data breach claims.

A closely-watched case with high stakes 

The claim, brought by consumer activist Richard Lloyd, alleged that Google secretly tracked the personal data of approximately 4.4 million Apple iPhone users for several months in 2011 and 2012, with the intent of using that data for commercial gain and in breach of its obligations as a data controller under the DPA. 

Mr. Lloyd sought compensation from Google for the claimants’ “loss of control” of their personal data, as they had not consented to the way Google was said to be using their data. The claim was issued on behalf of all the affected iPhone users as a “representative action” — meaning it was brought on behalf of anyone falling within the class automatically, unless they had individually opted out — and sought damages of £750 per claimant.  

The potential ramifications had the claim succeeded were huge. Given the number of individuals in the claimant class, Google could have been liable for damages of over £3 billion, along with the claimants’ hefty legal costs. A ruling upholding the previous decision by the Court of Appeal in favour of Mr. Lloyd would potentially have sparked similar representative actions seeking compensation for the mere loss of control of personal data. 

Success for the claimants could have therefore opened the floodgates to US-style mass class actions in the UK, whereby individuals whose personal data was affected by a breach could claim damages, even if they suffered no harm. Indeed, prior to the Supreme Court judgment, claimant lawyers had been citing the 2019 Court of Appeal ruling as the legal basis for damages following the loss of control of personal data. As the Supreme Court hearing loomed, a number of other large representative actions were put on hold, or stayed, pending the outcome of this case.

Has the tide fully turned for data breach claims?

The failure of Mr. Lloyd’s case means that the prospect of a flood of representative actions against data controllers has receded. However, the court’s decision does not comprehensively close the door on the possibility of either general claims for loss of control, or group actions for data breaches in the UK, for the reasons outlined below.

  1. Damages for loss of control not ruled out entirely

    The court ruled that this claim could not proceed as a representative action for loss of control of personal data because the claim had been brought under section 13 of the DPA, which required material damage. It nonetheless remains possible for data subjects to try to claim damages for the loss of control of their data pursuant to a separate cause of action — the tort of misuse of personal information — which this case did not decide upon, as it was not pleaded by Mr. Lloyd. Individuals can therefore still seek damages, even if they suffer no harm following a data breach, although the ruling means that it will be more difficult to form a class action for this purpose.

  2. Opt-in group action still a possibility

    This case was brought on an opt-out basis as a representative action, but the claimants failed to prove they had the “same interest” in the claim. An opt-in group action, on the other hand, using a Group Litigation Order (GLO), as was the case following British Airways’ data breach in 2018, remains a viable route for data breach class actions. While GLOs will generally have far fewer claimants than in Lloyd v Google, and the claimant lawyers’ costs of running a GLO are higher, such action only requires “common or related issues of fact or law”, meaning it has a wider reach than a representative action, so the bar to form a claimant class is lower.

  3. Cases under GDPR may be decided differently

    Finally, the Lloyd v Google case was brought under the DPA 1998, which has now been superseded by the UK General Data Protection Regulation, which implemented the European GDPR post-Brexit. The UK GDPR contains similar, but slightly different wording to the DPA, so it is possible that a claim under the current law may be decided differently.

    This is a fast-moving area of law, and the UK GDPR is itself currently under governmental review with responses to a first consultation by the Department for Culture, Media and Sport due in November. It is possible that the government will revisit the question of opt-out privacy claims, having specifically chosen not to legislate on this in early 2021, partly because this ruling was still being awaited at the time.

Mitigating third-party claims risk

The rise of ransomware in recent years has led cyber insurance buyers to focus on coverage for first-party exposures such as incident response costs and business interruption losses. However, as outlined above, the areas of law addressed — and not addressed — by this case highlight the third-party litigation risk that data controllers continue to face in the aftermath of a data breach.

Legal action from individuals affected by data breaches has been steadily on the rise since the GDPR came into force in May 2018. While this case puts the brake on a move towards US-style mass class actions, the pre-existing risk of data privacy litigation via means other than the representative action procedure has not gone away.

The best way to avoid being the subject of a data privacy lawsuit is to avoid breaching privacy laws in the first place. However, in practice, even the most prudent organisation can experience a data breach, be it caused accidentally or maliciously. Companies should prepare for the worst-case scenario and ensure that they are adequately equipped to respond to a data breach and mitigate the potential impact on affected data subjects that could give rise to a claim.

A quick, efficient response to a data privacy incident will help to reduce the negative consequences for individuals before legal claims get off the ground. Cyber insurance provides access to specialist incident response vendors, should the unthinkable happen. It can also cover the defence costs and damages arising from subsequent privacy claims, which remain a risk despite the Supreme Court’s refusal to release the floodgates.

For more information, please contact your Marsh advisor.

Meet the authors

Helen Nuttall

Head of Cyber Incident Management

  • United Kingdom

Neal Pal

Senior Product Development Specialist

  • United Kingdom