Global Data Review published an article reporting on the Lloyd v Google judgment, including an analysis of the case and its implications on the future of data protection.
Kingsley Hayes, Head of Data Breach, commented:
“The claim of Mr Lloyd was of course brought under the “old regime” of DPA1998. Article 82 of GDPR which confers the right to claim compensation for non-material damage since 2018 is in that respect similar to S13 so there should be no real distinguishing factors there.
The essence of the Supreme Court judgment is that in order to claim for a “breach” of your data protection rights, or loss of control of your data, there must be some accompanying loss to that incident, either financial or by way of distress. There is a significant stream of decisions on distress but in reality that distress has to be more than mere upset at losing the control of that data, it should be quantifiable distress. Where you have either of those elements damages should be capable of being obtained.
The additional view is that the Misuse of Private information by a data controller, that Misuse having been described elsewhere as a positive act to Misuse the data or indeed as recently successfully argued by Keller Lenkner in the Ticketmaster litigation, a reckless act by the Defendant will also allow access to “user damages” or damages for loss of control of that data following the Vidal Hall principles.
Both of the above decisions are totally aligned to the case strategies that Keller Lenkner have utilised in the litigation it pursues to date and beyond this date.
The issue of how you bring “mass claims” has also been dealt with by the Supreme Court with the use of the 19.6 CPR Representative Claims procedure having a veil drawn on it in so far as claims relate to this area and the evaluation of both liability and quantum but the door is ajar to claims on a Representative basis for liability only evaluations with a potential declaration for damages.. This could be a useful tool where information about breaches is relatively technical and unavailable but building a substantive book of business at cost may be prohibitive without that decision.
The utilisation of the PECR Regulations 2003 (link to a useful ICO summary below) in tech claims is going to be a key battle ground. Breaches of these regulations do lend themselves to claims for an account of profits made from the use of and breach of the data, this could be a significant threat to Tech companies moving forward, particularly where they utilise location and identity related data.
Group litigation very much seems to be the direction of travel in this area and far from being the purported “death knell” for data claims the clarity brought by this judgment will assist greatly with the direction of travel for holding data controllers to account.”
Kingsley’s comments were published in Global Data Review, 10 November 2021, and can be found here.