David Edwards and Charles Mather from our Regulatory & Compliance team look at a recent Supreme Court judgment on a data protection case involving Google, and the implications for individuals and businesses.
What’s the background to the case?
Consumer rights activist Richard Lloyd brought a representative claim against Google for alleged breach of its duties as a data controller under the Data Protection Act 1998 (DPA 1998).
The claim alleged that Google had tracked the internet activity of an estimated 4.4 million Apple iPhone users between 2011 and 2012 and used their data for commercial purposes without the users’ knowledge or consent. Lloyd argued that the users should be compensated for the ‘loss of control’ of their data.
The Court considered whether or not section 13 DPA 1998 allows for a claim for compensation for the loss of control of personal data, without the need to show material damage (e.g. financial loss) or distress.
Proving section 13 damage
The wording of section 13 DPA 1998 shows that individuals have a right to claim compensation if they have suffered damage because of a controller’s breach of its obligations under the Act. Lloyd argued that, for the purposes of the Act, and in addition to material damage and distress, damage should be interpreted to include loss of control.
Ultimately, the claim was unsuccessful due to the failure of the representative element of the action. However, the Court concluded that it could not reasonably interpret section 13 damage as giving individuals a right to compensation for mere loss of control of their data where they cannot prove material damage or distress, also.
Why does it matter?
If you or your business process personal data, the case shows that a mere loss of control of personal data is unlikely to be cause enough for a successful claim against you.
If you’re an individual, and a data controller has breached its obligations under the Act and lost control of your data, it will be difficult to bring a successful claim against the controller unless you are able to show that, as a result of the controller’s loss of control of your personal data, you have suffered material damage and/or distress.
However, it should be remembered that, had the claim been made under UK GDPR, as opposed to the DPA 1998, the conclusion may have been different.