News & Insights

The world of data protection can be daunting for many businesses, and even a cause of stress and anxiety for some. The highly anticipated case of Lloyd v Google LLC [2021] UKSC 50 however will be welcome news for any organisation that collects, stores or otherwise uses personal data (i.e. virtually every business).

By way of background, Mr Lloyd sought to bring a group claim on behalf of millions of users against Google after advertising tracking cookies were set on their devices without their consent. Google was successful in the first instance, lost at the Court of Appeal and have now won their case at the Supreme Court.

The court rejected the claim that data subjects affected by a data breach are entitled to compensation where they have only suffered a loss of control over their personal data, and determined that compensation for a data protection breach can only be granted if the individual has suffered some form of material damage (such as financial loss) or distress. This reflects the wording set out in the Data Protection Act 1998.

Even if such a claim could be bought against a data controller, the judgment held that the impact upon each individual had to be assessed on a case by case basis and so it would not have been possible to bring this action by way of a group claim. In other words, it was held that it would not be possible to make a ‘one size fits all’ decision as to how a data protection breach impacts a group of individuals.

Whilst the judgment assesses the rights of an individuals under the Data Protection Act 1998 rather than current legislation, the latter is worded in fundamentally similar terms and so it is very likely that the same approach would have been applied.

This ruling should offer some comfort to businesses who, despite taking all reasonable steps to ensure that they are complying with data protection legislation, occasionally make a trivial error.  It should not lead them to become complacent however, as data protection continues to be an area of law that is vigorously upheld. Organisations may still be subject to claims if they are not taking steps to comply and an individual is materially impacted as a result. The above will no doubt offer some reassurance to data protection officers, but compliance still remains to be as important as ever.