The Supreme Court’s unanimous decision in Lloyd v Google  UKSC 50 to allow Google’s appeal is hugely significant for data protection on various levels. There are real issues around how any representative action based on data protection breaches could now be constituted – something which seriously limits the prospect of legal challenges based on underlying business models, as opposed to individual breaches of data protection law. We will return to that in a future Data Brief. For now, we want to focus on the other significant findings – that damages for breach of the Data Protection Act 1998 are not available for loss of control alone, but only for material damage and for distress.
The Supreme Court affirmed that loss of control can be a head of damage in misuse of private information (“MPI”) claims. But as regular Data Brief readers will know, the scope for MPI claims in data breaches by third parties is limited, so that will not always come to the rescue of data subjects. Combined with a robust approach to the de minimis principle on distress (as set out in Rolfe, discussed below), the fact that damages do not lie for the fact of a breach alone is likely seriously to limit the viability and value of individual claims by data subjects where there has been a breach, but no real consequences beyond mild concern or pique.
Lord Leggatt (giving the only judgment) made clear that he was not considering the position under GDPR/the Data Protection Act 2018. But it seems likely that the same principles will apply, given the wording of Art 82 (UK) GDPR and s.168 Data Protection Act 2018.
A monthly data protection bulletin from the barristers at 5 Essex Chambers