Introduction
The proliferation of technology has resulted in an increase of data and the use of that data for commercial (and potentially nefarious) purposes, as well as a corresponding increase in the value of that data. Given the value of data, questions arise as to how damages relating to the loss of data and breaches of privacy should be quantified. In particular, when a data owner suffers a loss of data but no corresponding financial loss or injury, how should that breach of privacy be valued? The recent United Kingdom case of Lloyd v Google LLC [2021] UKSC 50 considered this issue in a claim made pursuant to the Data Protection Act 1998, (DPA, c. 29) (the “DPA 1998”).
Background Facts
Mr. Lloyd, a consumer rights activist, sought to advance a representative action (i.e. class action) against Google. The allegations were based upon previous actions commenced against Google in the United States.
Mr. Lloyd alleged that, between 2012 to 2013, Google tracked the personal data of millions of iPhone users in England and Wales as a result of bypassing default settings in iPhone’s Safari internet browser. Mr. Lloyd alleged that this was done by Google for a commercial purpose without the user’s knowledge or consent. Mr. Lloyd sought to bring the representative action on his own behalf and on behalf of four million individual users for the alleged misuse and loss of control of their data, resulting in a breach of the DPA 1998. The claim sought £750 per person for the alleged breaches.
The UK Supreme Court considered, among other things, whether damages are recoverable under the DPA 1998 for “loss of control” of data without any specific distress or pecuniary loss.
Decision
The UK Supreme Court unanimously found in favour of Google and dismissed the claim against them.
The wording of section 13 of the DPA 1998 states that “an individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage”. The Court considered the word “damage” and held that this section does not confer a right to compensation for any (non-trivial) contravention of the DPA 1998 and requires a claimant who suffered a breach by a data controller to have sustained “material damage”. Such damage could include financial loss or physical or psychological injury. An individual would be required to prove the extent of the unlawful processing of the individual’s data that caused material damage or distress to the individual. Moreover, the court found there was also a need for individualized evidence of misuse of data under section 13 of the DPA 1998 in order to recover damages.
Mr. Lloyd argued that it was possible to identify an “irreducible minimum harm” suffered by all the claimants which would allow a uniform sum of damages. The UK Supreme Court disagreed with this proposition holding that it is necessary to prove what unlawful processing by Google of personal data relating to a given individual occurred. Consideration of individual circumstances is required, including the period of time, volume of data, whether any sensitive or private data was involved and what use or benefit Google made of the data. Absent evidence on each of these matters, the individual was not entitled to compensation.
Takeaway
The UK Supreme Court’s decision indicates that a successful claim under the DPA 1998 requires proof of distress or financial loss. The loss of control of data by itself, without actual harm, is not compensable. This decision provides helpful guidance on the approach to quantifying data loss cases and will likely be carefully considered by a Canadian court addressing these issues.