Legal experts have delivered their verdict on this week’s ruling which rejected a £3bn class action against Google, with most agreeing it will make group compensation claims much harder under the current data protection regime; but the Government could find itself under pressure to change the law.
The long-running case, brought by former Which director Richard Lloyd, has been through the High Court, the Court of Appeal and now the Supreme Court.
Following the ruling, Lloyd said: “We are bitterly disappointed that the Supreme Court has failed to do enough to protect the public from Google and other big tech firms who break the law. Although the court once again recognised that our action is the only practical way that millions of British people can get access to fair redress, they’ve slammed the door shut on this case by ruling that everyone affected must go to court individually.”
Christina Henry, a senior associate in the litigation practice at media, technology and IP law firm Wiggin LLP, believes the judgment is welcome news for businesses.
She said: “The Supreme Court has today clarified that compensation for a contravention of data protection law (albeit pre-GDPR) in and of itself cannot be awarded. There must be damage (of some sort), which needs to be assessed and proved on an individual level. For businesses this is good news: the potential onslaught of mass class actions in a data protection context has been held at bay.”
Gareth Oldale, head of data privacy and cybersecurity at UK law firm TLT, agrees. He commented: “Any organisations processing large volumes of personal data would have had a lot riding on this decision, as the theoretical value of damages awards for data protection representative actions is enormous and could even run into the billions for larger claims.
“The decision to allow the appeal will likely prompt those that have already filed large data protection class actions against businesses in the tech, financial services, retail, and hospitality sectors to reconsider their position and strategy. It does not mean that claims will disappear overnight, but this judgment does present a significant barrier to large groups of individuals bringing consolidated claims against a common controller.”
Oldale says that one of the key factors in the case was the question of whether or not a uniform sum of damages can be awarded to each member of the represented class without the need to prove any facts particular to that individual.
He added: “Are damages payable in a case where the claimant does not prove either what unlawful processing of personal data occurred or that the individual suffered material damage or mental distress – is ‘loss of control’ of the data sufficient to give rise to damages being payable? The Supreme Court has resoundingly concluded that this approach is ‘unsustainable’.”
Big tech companies like Google, and other large institutional organisations such as banks, retailers and multi-national groups, will all take comfort from this judgment, Oldale reckons. But with a well-established group of claims management companies in the UK committed to pursuing data breach claims en masse, the most important question now is not whether they will desert this market, but rather how they will change their litigation strategy to continue pursuing claims on behalf of their clients.
Oldale concluded: “Data controllers would be well advised to review the judgment carefully, and consider how it will impact on their approach to managing data breach claims and complaints moving forwards.”
Even so, Mishcon de Reya partner Adam Rose maintains that the decision could influence the current Government consultation on data reforms, Data: A New Direction, being handled by the Department for Digital, Culture, Media & Sport (DCMS).
He commented: “There will undoubtedly still be good arguments, particularly under the new UK GDPR framework, that will permit certain group actions to proceed, and cases where an infringement of data protection law is such that compensation will be appropriate.
“The judgment passes the baton both to Parliament and to the Information Commissioner. For Parliament, it may be the case that legislation is required to enable opt-out claims under data protection law to be made more easily.
“For the Information Commissioner, there is now a pressing need for more robust enforcement action for wilful and mass-scale infringements of the law and to ensure that data subjects are afforded the effective judicial remedy, which is the promise of UK GDPR and the present data protection framework.”