Data protection representative actions: door slammed shut or door ajar?

Ramifications of the Supreme Court's decision in the Lloyd v Google litigation.

The long-anticipated Supreme Court decision in Lloyd v Google [2021] UKSC 50 was handed down on 10 November 2021. Reversing the decision of the Court of Appeal and reinstating the first instance decision of Warby J, the Supreme Court held that Richard Lloyd could not pursue a damages claim as representative of the class of individuals affected by Google's alleged breach of the Data Protection Act 1998 in relation to the so-called "safari workaround". The reasoning is involved, and the Judgment bears reading in full. In essence, however, the court held that establishing a right to damages for breach of the Data Protection Act 1998, and quantifying those damages, involved a claimant-by-claimant analysis that, in each case, must identify the breach affecting that claimant, the loss suffered by that claimant, and the causal connection between breach and loss. The claims were accordingly unsuitable in principle for a representative action. The Judgment also addressed in some detail the nature of damages for breach of data protection legislation, and the nature and scope of representative actions under CPR 19.6.

In this episode we explore some of the ramifications of the decision through a scenario involving a data breach at an online marketplace.

The Judgment may be found here, and a press summary here.
(c) 2020, Matthew Lavy & Iain Munro