In Perspective: Supreme Court issues judgment in Lloyd v Google LLC

What happened

• From August 2011 to February 2012, Google is alleged to have installed software on Apple iPhones by bypassing protections within the device’s Safari web browser (i.e. the ‘Safari Workaround’).
• This allowed Google to track these iPhone users across websites, and to collect information about their internet usage and browsing habits.
• Mr Lloyd issued a representative claim for damages for breach of the Data Protection Act 1998, on behalf of himself and all those allegedly affected by the Safari Workaround. This is known as a representative action.
• A representative action is a process by which a claim can be brought by or against individuals as representatives of others who have the ‘same interest’ in the claim.
• Mr Lloyd argued that the affected individuals could claim damages for ‘loss of control’ over their data, uniformly, without the need for individual assessments of damages.
• Google argued that the conditions of a representative action had not been established because the affected individuals had varying entitlements to damages and ‘loss of control’ damages were not available in English law.
• Mr Lloyd lost in the High Court, won in the Court of Appeal and has now lost in the Supreme Court.
• The Supreme Court found that a claim for damages for the unlawful processing of data under the Data Protection Act 1998 requires proof of damage in the form of either material damage (such as financial loss) or mental distress. The damage could not simply be the unlawful processing itself or ‘loss of control’.
• The court also stated that it would need to consider the extent of the unlawful processing in the individual case in order to rule out that the damage was more than just trivial (and therefore potentially subject to a compensation claim). This is not possible in a representative action.

Why it matters

• Whilst privacy campaigners may be frustrated by this decision, data controllers can breathe a sigh of relief after hearing the court’s reasoning. The threat of a costly representative action following a personal data breach is not on the horizon.
• This case serves as an important reminder that in order to claim compensation for a non-trivial personal data breach, proof must be shown of material damage or distress. The contravention itself is not enough – i.e. the ’cause’ must have an ‘effect’.
• It is also important to note that this case was brought under the Data Protection Act 1998 rather than its successor, the GDPR.
• The GDPR explicitly mentions compensation being available in material damages and non-material damages.
• Recital 85 also states that a ‘loss of control’ over personal data is an example of possible damage resulting from a personal data breach.
• Therefore, this may leave the door open for future claims of a similar nature under the GDPR.

What happened

• A patient in a hospital in Finland requested access to their medical record.
• The hospital provided this information apart from some x-rays and MRI scans.
• The hospital explained that this information would have to burned onto a CD and could not be printed. Therefore, the patient would have to pay €25 to access this data as it entails an administrative burden on the hospital.
• The patient complained to the Finnish data protection regulator who ruled that the hospital must provide this information free of charge.

Why it matters

• Article 15 of the GDPR allows for individuals to request a copy of their personal data from a data controller.
• In most cases, this should be a free of charge service.
• However, where a request is considered manifestly unfounded or excessive or where the requestor requests for additional copies of their personal data – then a charge can be levied to reflect the administrative costs associated with fulfilling the request.
• This case shows that the mere copying of information onto a CD would not meet this threshold and the information should be disclosed free of charge.
• The Finnish data protection regulator additionally states that as part of meeting ‘data protection by design’ requirements within the GDPR, businesses should consider measures to ensure information can be provided free charge in order to be able to comply with an individual’s right to access their data.   

What happened

• Stor-a-file Limited provides document management solutions for a number of different businesses. This includes Lister Fertility Clinic.
• The company was subject to a ransomware attack which meant that confidential personal data was potentially accessed and shared on the ‘dark web’.
• Affected individuals have been contacted by Lister Fertility Clinic and the UK’s data protection regulator, the Information Commissioner’s Office, has also confirmed that it is making enquiries.

Why it matters

• A ransomware attack can be defined as a personal data breach if it involves the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
• Article 32 of the GDPR requires data controllers and data processors to ensure they put in place appropriate technical and organisational measures to keep personal data secure.
• This includes controls such as encryption and firewalls.
• Additionally, Article 28 of the GDPR requires data controllers to routinely examine the practices of their suppliers (i.e. their data processors) to ensure they are adhering to their information security obligations.