Reset, Refresh, Return, Revitalise

Good news for Google - Data Breach and entitlement to Damages

A recent case has injected some realism into the developing compensation culture when it comes to recovering damaged for a breach of the Data Protection Act 2018.

This was a case which related to the “Safari Workaround” in which Google allegedly used a DoubleClick cookie technology on the iPhone Safari browser to gather information about iPhone users browsing history without their knowledge and without their consent.  This took place back in 2011-12, long before GDPR was on the agenda, so the claim was brought under the Data Protection Act 1998.

The claimant in this case, Mr. Lloyd, brought a class action, which he considered could include several million users.  His intention would appear to be that he would be successful at first instance and would then secure some sort of compensation pot allowing others within this class of people (being iPhone users who used Safari when browsing in 2011 – 12) to come forward with their claims (sounds a bit like PPI doesn’t it?).

The basic argument being run by Mr. Lloyd was that as Google had (as claimed by Mr. Lloyd) breached their obligations in terms of the Data Protection Act 1998, then the individuals affected are entitled to some form of compensation.  Mr. Lloyd was not suggesting that he suffered any financial loss as a result of the alleged breach and equally could not point towards any sort of distress or injury to feelings, but more he was looking for some sort of penalty to be imposed on Google by the mere fact of their alleged breach.

The claimant sought to raise his claim through the English courts and when it was considered, the first question to address was whether or not there was a stateable claim that had reasonable prospect of success.  The court looked beyond just the question of breach and considered whether or not there was actually any entitlement to damages.

The starting point was the terms of the Data Protection Act 1998, in particular section 13, which is a 2-stage process:  (1) was there a contravention of the DPA, and (2) as a result of that contravention, did the claimant suffer damage.

Mr Lloyd’s claim fell down at the second hurdle as he could not point to any particular damage that he had sustained.  Whilst the Data Protection Act 2018 is slightly wider, as it allows non-financial loss, including injury to feelings, this case would suggest that there needs to be actual evidence.

It was nice to read from the judgement of Justice Warby that “I do not believe that the authorities show that a person whose information has been acquired or used without consent invariably suffers compensatable harm, either by virtue of the wrong itself, or the interference with autonomy that it involves. Not everything that happens to a person without their prior consent causes significant or any distress. Not all such events are even objectionable, or unwelcome. Some people enjoy a surprise party…”

Any claimant hoping to recover compensation requires to set out very clearly the way in which the financial losses and any other non-financial loss are directly attributable to the contravention or breach.

It is not known yet whether Mr. Lloyd will appeal this decision, so it may not yet be an end to the matter, however hopefully this case will be regarded as a demonstration that the courts will take a sensible and realistic view of any compensation claim relating to a breach of the Data Protection Act 2018.

If you are concerned about individuals making claims against your organisation, or have any other data protection issues, then feel free to speak with our Data Protection Team.

The information and opinions contained in this blog are for information only. They are not intended to constitute advice and should not be relied upon or considered as a replacement for advice. Before acting on any of the information contained in this blog, please seek specific advice from Gilson Gray.

Sign up to our News & Insights!