Call us on +44 (0)20 7465 4300
06 December 2021

Relief for data controllers as The Supreme Court close the floodgates: Lloyd v Google LLC

Data controllers (and their insurers) can breathe a sigh of relief after the Supreme Court’s unanimous decision that a representative action against Google should not proceed.


In summary, Mr Lloyd brought a representative claim on the basis that Google had taken steps to circumvent privacy protections in the iPhone Safari web browser. It was a representative action on behalf of several million individuals alleging that Google had obtained and processed personal data, for commercial use and targeted advertising, without the user’s consent.

Mr Lloyd fashioned his claim as an “opt out” representative action, meaning that the individuals did not need to be identified as pursuing the claim. Relying on Rule 19.6 of the Civil Procedure Rules, he argued that all members of the representative action had the “same interest” in the claim, as they had encountered the same loss of control (an approach which the Court of Appeal considered an “unusual and innovative” use of the procedure).

The “same interest” requirement meant that Mr Lloyd had to disavow each individual’s circumstances. Instead, he contended that each class member ought to be awarded damages on a “lowest common denominator” basis and proposed that this could be calculated by reference to a hypothetical person least affected by the breach. Mr Lloyd submitted that each individual should be awarded £750 for the “loss of control” of their personal data.

Mr Justice Warby (at first instance) was not convinced by Mr Lloyd’s representative claim and dismissed his application for permission to serve Google outside of the jurisdiction of the Court of England and Wales. He expressed concern over the idea that an individual could be compensated for the mere infringement of rights, particularly where those individuals had not “indicated any concern”. Mr Justice Warby considered it to be “officious litigation embarked upon on behalf of individuals who have not authorised it” and exercised his discretion under CPR Part 19.6(2) against allowing the claim to proceed.

However, the Court of Appeal later accepted Mr Lloyd’s suggestion of a uniform sum approach for loss of control of personal data (without the need to prove distress or pecuniary loss) and considered the representative action to be an appropriate remedy to the “wholesale and deliberate misuse of personal data without consent, undertaken with a view to commercial profit.” Google subsequently appealed to the Supreme Court.

Supreme Court Finding

The Supreme Court’s Judgment (which can be found here) considered the nature of damages in English law, namely that they are awarded “with the object of putting the claimant – as an individual – in the same position, as best money can do it, as if the wrong had not occurred”. Applying this to the case at hand, the Supreme Court upheld Google’s appeal and found:

1. Damages for “loss of control” of personal data – The Supreme Court considered whether a data subject’s mere “loss of control” of their personal data was enough to give rise to compensation. The Supreme Court found that it was not; the data subject must have suffered some form of material damage or distress. Such damage must be distinct from, and directly caused by, the unlawful processing. It could not be distress arising from the fact of the unlawful processing itself.

In arriving at this decision, the Supreme Court carefully considered ‘damage’ within the meaning of Section 13 of the DPA 1998.  Lord Leggatt concluded that Section 13 does not confer “a right to compensation for any (non-trivial) contravention by a data controller of any of the requirements of the Act without the need to prove that the contravention has caused material damage or distress to the individual concerned.”

The Supreme Court found that by applying a “lowest common denominator” approach to compensation, no assessment of the individual damage (such as financial loss or mental distress) had been conducted, as required by Section 13 of the DPA 1998. On the Claimant’s own case, there was a “threshold of seriousness” which must be crossed before a breach of the DPA 1998 gives rise to an entitlement to compensation. The Supreme Court could not see that this threshold had been surmounted and did not agree that “mere membership of the class” would suffice.

The Court held that while damages for loss of control may be recoverable for misuse of private information, they are not recoverable for a breach of the Data Protection Act 1998.

2. Representative actions and individual damage– The Supreme Court found that whilst Mr Lloyd would be entitled to claim damages in his own right (for breach of data protection rights and/or misuse of private information) the members of the class action did not have the “same interest” and as such, the claim could not proceed as a representative action under rule 19.6 of the Civil Procedure Rules. While the court considered that a representative action could be used to establish liability for a breach, the damages due to any individual would need to be assessed on a case by case basis. As part of this exercise, the court would need to consider the extent of the unlawful processing in each case, including the nature of the information processed and its quantity.


Personal data is a highly valuable commodity, which is used, traded and often misused for countless purposes.  The law protecting the data that is obtained from us to engage in normal private and commercial activities has developed rapidly with successive cases in the UK and EU finding against the big tech companies.  DPA based cases have given individuals greater control of their data and established the remedies when it is misused, but this claim was found to be a bridge too far; the Supreme Court would not sanction damages being awarded to the throng of Claimants that Mr Lloyd represented without evidence of the harm it had caused them.

In terms of the future of such claims, as mentioned above, the Supreme Court have suggested that a possible two-stage approach to these types of cases may be appropriate going forward; the first stage being a representative action to establish common issues of law, fact and/or the defendant’s liability before an individual pursues their own claim for compensation. A similar approach (albeit an “opt-in” group action) has been taken in the various tranches of the phone hacking litigation, for misuse of private information.

There is no question that this judgment will have a significant impact on group litigation, both in terms of data protection litigation and more generally, handing big tech a break from claimant lawyers and their funders (not least in similar claims stayed by the Court pending this judgment).  But, before Google and their like rest on their laurels, it is worth bearing in mind that Mr Lloyd’s case against Google was brought under the Data Protection Act 1998. The UK GDPR and 2018 Act may provide a more fruitful basis for representative actions yet.

About the Author
Dominic Crossley
View Profile