Our offices are closed between Christmas and New Year, click to see our opening times.

Find out more

Lloyd v Google - landmark decision finally been handed down by the Supreme Court

Published: February 18th, 2022

7 min read

The hugely anticipated landmark decision in Lloyd v Google has finally been handed down by the Supreme Court, which has refused Richard Lloyd (the claimant) permission to serve a representative action on Google (the defendant), estimated to be valued in the region of 3 Billion.

The Case

In this case a large number of claimants had their browser generated information taken without their consent. A class action was brought arguing that they were all victims of the same alleged wrong and had all sustained the exact same loss. The claimant, Richard Lloyd sought to bring a US-style 'opt-out' class action against Google in the English courts, relying on the representative claims procedure set out in Civil Procedure Rule (CPR) 19.6. He sought to bring his claim on behalf of around 4 million people, seeking a set amount of damages for each claimant, without them having to 'opt in' or prove damage for each individual, which he argued would significantly reduce the complexities and cost of the claims.

In October 2018, the High Court refused permission for this, finding that Lloyd's claim failed to identify a basis for the members of the represented class to claim compensation under the DPA, holding that the claims had no prospects of success as there had been no proven pecuniary loss or distress. The claimant was not therefore permitted to continue as a representative class action.

Lloyd appealed, and on 2 October 2019 the Court of Appeal allowed the appeal, holding that damages can in fact be awarded for loss of control of data under section 13 of the Data Protection Act 1998, even when there had been no pecuniary loss or distress.

The Judgment

The Supreme Court held that damages for the loss of control element of the breach, brought under S.13 of The Data Protection Act 1998, could not be awarded unless there was some actual proof by each individual claimant that the breach had caused them material financial damage or distress. It decided that it was not appropriate for the claimant to pursue the claims using the representative procedure under CPR 19.6, as an individual assessment of damages would be required on a claimant-by-claimant basis, thus taking it outside the scope of CPR 19.6.

The claimant argued that each claimant should be awarded the lowest common denominator of damages, i.e. £750.00 each. The court rejected this argument on the basis that if those damages were permitted, the individual claimant's pleadings would not even pass the minimum threshold.

Future Claims

Whilst the judgment is damning to Claimants bringing class actions against organisations, it does not necessarily mean that all data protection breaches for group actions will fail. It should be noted that the claim in Lloyd v Google was brought under old legislation set out in DPA 1998, which is now obsolete, having been replaced by DPA 2018 /GDPR. The Court did not specifically rule on whether the claims would stand under the new legislation, in particular, Article 82 of the GDPR, which permits compensation for non-material damage. The door remains slightly open as to whether an 'opt-out' group claim could still succeed under the new DPA 2018 /GDPR legislation.

The Supreme Court suggested that Lloyd's claim should now be pursued using a two tier approach:

  1. Lloyd should first issue proceedings to establish liability on the part of Google

  2. Following that decision, individual claimants could then issue secondary proceedings to determine their individual damages.

Although we don't deal with class actions here at Forbes Solicitors, the emerging case law shows that the courts are still willing to award compensation for the loss of control of data of an individual, where it can be shown to have caused them material financial damage or distress. Many cases will fall into the small claims jurisdiction where legal costs are not generally recoverable, making them uneconomical to run.

If however your personal and sensitive data and information has been incorrectly sent out by an organisation to the wrong address, either by e-mail or post, you may have claim for damages.

How can we help?

Complete the form opposite, let us know a few details, and one of our team will get back to you shortly. Or you can call us or request a callback.

0800 689 3206 - Monday - Friday: 09:00 - 17:00

Request a call back

Please note that our offices will be closed from midday, Friday 20th December 2024

The offices will be open as usual on Monday 23rd December 2024.

The offices will then be closed from Tuesday 24th December through to Wednesday 1st January (inc), reopening as usual from 2nd January 2025.

The emergency contact number during this time is - 01772 220022 or 01254 675050.

By submitting your enquiry you agree that Forbes can contact you.

© 2024 Forbes Solicitors is the trading name of Forbes Solicitors LLP Offices in Preston, Manchester, Salford, Blackburn, Blackpool, London and Leeds UK Main Office: Rutherford House, 4 Wellington Street (St Johns), Blackburn, Lancashire, BB1 8DD • Vat No: 174 394 344 Forbes Solicitors is authorised and regulated by the Solicitors Regulation Authority (SRA No. 816356). Details of the SRA’s Standards and Regulations can be found here.

This website has implemented reCAPTCHA v3 and your use of reCAPTCHA v3 is subject to the Google Privacy Policy and Terms of Use.