On November 10, 2021, the UK Supreme Court issued its long-awaited judgment in the Lloyd v Google case. The decision is expected to make it difficult in practice for a future class action lawsuit that is brought on behalf of a class of individuals who have not actively opted in to being represented by the lead claimant to proceed under UK law.
The Lloyd case concerned alleged violations by Google in 2011 and 2012 of the UK Data Protection Act 1998 (the “DPA”) in connection with the collection and use of the browser generated information of approximately four million UK-based Apple iPhone users. Lloyd alleged, on his own behalf, and on behalf of the approximately four million other iPhone users (who had not affirmatively agreed to be represented by Lloyd), that Google’s use of the browser generated information violated the DPA and sought compensation for the damage allegedly suffered. Pursuant to the UK’s Civil Procedure Rules, Lloyd was required to seek permission of the court to serve his claim outside of the UK against Google in the U.S.
In the first instance, Lloyd’s request to serve the claim on Google in the U.S. was rejected on the basis that it had no reasonable prospect of success and that the representative claim brought on behalf of the other claimants was inappropriate to the nature of the relief sought. That decision at first instance was subsequently overturned by the UK Court of Appeal, which held that the representative claim was appropriate and that there was a reasonable prospect of success of the claim, on the basis that mere “loss of control” of personal data was sufficient to give rise to a claim for damages under the compensatory scheme of the DPA.
The Court of Appeal’s decision was subsequently appealed by Google to the UK Supreme Court, on the grounds that (1) the facts pleaded by Lloyd could not provide any basis for a claim for compensation under the DPA; and (2) the court should not permit the claim to continue as a representative claim.
The Supreme Court ruled in favor of Google, finding that the representative claim against Google should not be allowed to proceed. In reaching its decision, the Supreme Court considered the following:
- The statutory scheme of the DPA does not permit recovery of compensation for the mere “loss of control” of personal data. Instead, compensation may be awarded only when a data subject has suffered some form of material damage (in practice, financial loss or distress) as a result of a violation of the law. Compensation will not be recoverable in relation to a violation of the law that does not result in tangible, material damage.
- The representative claim by Lloyd on behalf of the other affected individuals should not be allowed to proceed, as Lloyd was unable to demonstrate that each of those individuals who he represented in the claim had suffered a violation of their rights under the DPA and material damage as a result of that violation. As a general matter, a representative claim of the type advanced by Lloyd is appropriate only in circumstances where all members of the representative class have suffered the same loss, and it is not appropriate in circumstances where an individual assessment of the impact of the alleged violation on each member of the class is required.
Accordingly, the UK Supreme Court did not grant Lloyd permission to serve the claim against Google in the U.S., effectively bringing it to an end.
While the judgment considered provisions included in the DPA that were in force at the time of the alleged violation, equivalent provisions are included in the UK General Data Protection Regulation (“UK GDPR”), and the ruling is likely to be applicable going forward to representative claims advanced on the basis of the right to compensation that is included in the UK GDPR.
The decision will be welcomed by controllers because it (1) limits the future prospects of representative claims of the nature of that advanced by Lloyd, and (2) provides reassurance that mere technical breaches of the UK GDPR that do not result in material damage to data subjects are not a sufficient ground for a compensatory award. Going forward, actions for collective redress in relation to violations of data protection law in the UK likely will need to be based on the affirmative opt in of the represented claimants, and each claimant will need to demonstrate the material damage that they suffered.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code