Landscape Logo Landscape Logo

I Lose But Not Lose - Confused

  • November 17, 2021
 

The UK Supreme Court has made it harder to claim for data breaches. Companies can therefore lose or misuse your data and face lesser repercussions. 

What has happened? 

On the 10th November 2021, the highest court in the jurisdiction of England and Wales, the Supreme Court provided a long-awaited 60 page ruling in the potentially ground-breaking case of Lloyd v Google LLC. This case was notable because, firstly, it was a claim brought by a representative on behalf of a group in excess of 4 million (yes 4 million) Apple iPhone users. 

Secondly, the claimants bringing the proceedings claimed that without their consent, Google had collected their sensitive data from their respective individual internet browsers, and it had used said sensitive data in what was termed in the case as a ‘Safari Workaround’. If you think this phrase is reminiscent of a jolly drive around a safari park watching the lions and baboons, then you are very much mistaken. This was not a happy matter at all. Google was accused of harvesting information that contained details of websites individuals had visited, their estimated locations and their internet search trends. It was claimed in the case that Google then organises the harvested data into separate groupings, selling it to advertisers to strategically market products to specific groups of customers. 

Thirdly, and arguably most interestingly from a legal perspective, the case was brought under the auspices of section 4 of the Data Protection Act 1998, rather than the General Data Protection Regulation and the Data Protection Act 2018. 

The Supreme Court decided against each Claimant because they could not submit any compelling evidence that they had incurred any ‘actual loss’. 

What does it mean? 

This decision clarifies the need for data subjects to prove financial loss or distress by way of evidence when claiming compensation for infringements of data protection law. This Supreme Court judgment is music to the ears of data controllers who simply ‘lose control’ of sensitive personal data. It seemingly lowers the likelihood of success in such a claim as it will be incumbent on the Data Subject to prove their loss. 

What impact may it have on the legal profession?

This judgment is good news for the profession as lawyers can advise their clients with far greater certainty. Data Controllers now have a favourable judgment to rely on and know where the legal land lies regarding data protection. If there is a one-off loss of control, the courts appear to be willing to adopt a pro-business approach and make allowances for this. However, it is a double-edged sword. Many distinguished law firms have sounded the alarm by speculating that this may create the latest claims culture whereby newly created Claims Management Companies join the crusade to pressurise controllers of sensitive data into settling the respective matter. The concern is that these companies will go on a fishing exhibition in the forlorn hope of discovering evidence of a data protection breach and may charge a small fortune for the privilege of gaining access to a mere copy of their reports. 

There may be a wave of Claimants chancing their arms and attempting to claim their rights under Data Protection legislation have been breached. However, this judgment, combined with the recent case of Rolfe v VWV will give controllers of this data a far stronger hand to fend off a claim. In response to a potential claim, such controllers will now be able to submit by way of a defence that the incident was, in fact a one-off incident or too trivial to be taken seriously as a claim.  

This case also further underlines the advice all businesses should adhere to when it comes to internet security. Firms should ensure they firstly have strong firewalls in place, secondly build in a culture of reporting suspicious data activity, such as links received from unknown senders. Thirdly, they can make doubly sure that data protection provisions are written into all required contracts. 

Assessing Firms

#TLT; #IrwinMitchell #ClarkeWillmott; #KingsleyNapely; #HughJames #BlakeMorgan #Weightmans #Mlls&Reeve #Stephensons #ForbesSolicitors

This Article was Written Using the Following Sources

[Source 1] Lloyd (Respondent) v Google LLC (Appellant) [2021] UKSC 50

[Source 2] The Lawyer – Lloyd v Google: Supreme Court rejects idea of damages for loss of control – 11th November 2021

[Source 3] Loucks Harriet – Lloyd v Google – Supreme Court rejects idea of damages for loss of control – 11th November 2021

[Source 4] Civil Procedure Rules – Rule 19.6 - PART 19 - PARTIES AND GROUP LITIGATION - Civil Procedure Rules (justice.gov.uk)

[Source 5] Section 4 Data Protection Act 1998 

[Source 6] Section 13 Data Protection Act 1998

[Source 7] General Data Protection Regulation 2016

[Source 8] Data Protection Act 2018

[Source 9] Hayllar, Richard – Data Privacy: Collective legal action against Google to proceed – 08th October 2021

[Source 10] Rolfe v Veale Wasbrough Vizards LLP [2021] EWHC 2809 (QB) - Rolfe & Ors v Veale Wasbrough Vizards LLP [2021] EWHC 2809 (QB) (07 September 2021) (bailii.org)

Written by Jason Connolly