Judgment round up: Lloyd v Google LLC

Yesterday the Supreme Court issued its eagerly awaited judgment in the case of Lloyd v Google.

The Supreme Court received submissions from the Information Commissioner, as well as a handful of other interested parties including the Open Rights Group and the Internet Association, which demonstrates the potential ramifications of the judgment.


In 2011 and 2012, Google allegedly tracked the internet activity of several million iPhone users, without their consent. It did so by bypassing privacy restrictions within the iPhone’s Safari web browser to install a cookie for Google’s ‘DoubleClick Ad’ advertising service. The cookie then allowed Google to identify when the device visited any website displaying an advert from Google’s advertising network, as well as how long a user spent on different webpages. It is alleged that Google was, as a result, able to collect a vast array of information about a user and their preferences, for example their race, ethnicity, sexual interests, gender and religious beliefs.

In response to Google’s internet activity tracking, Mr Richard Lloyd (the “Claimant”) issued a claim for breach of the Data Protection Act 1998 (which pre-dates the current data protection legislative framework). He issued the claim on behalf of himself and all other iPhone users within England and Wales between the relevant dates, whose personal data was obtained by Google without consent through Google’s DoubleClick Ad cookie.

The suggested damages were £750 per user, which was roughly estimated to amount to total damages of £3 billion. The financial consequences of the judgment therefore could have been staggering.

The Claimant required the Court’s permission to serve the claim on Google out of jurisdiction. Google had contested the application for permission, on the grounds that the claim had no real prospect of success.

The High Court found in favour of Google and refused permission for the Claimant to serve the claim. The Court of Appeal subsequently reversed this decision, causing Google to appeal to the Supreme Court.

The Outcome:

The Supreme Court allowed the appeal in favour of Google and refused the Claimant’s application for permission to serve proceedings out of jurisdiction, for the following reasons:

  • Under the Data Protection Act 1998, damages are not available for loss of control of personal data, and instead the data subject must demonstrate material damage or distress.
  • The Claimant sought to demonstrate uniform losses across the class based on each user’s loss of control of their personal data. Ultimately, even if the Supreme Court had allowed damages for loss of control, it disagreed with the underlying assumption that each user would have suffered the same damage, and therefore had the same interest. Instead it required the opportunity to identify and assess the individual circumstances of all data subjects within the class. As an example, some users may have lost control of very little personal data (potentially limited to a single visit to a single webpage), while other users may have lost control of a great deal of personal data (including sensitive data revealing details of their personal situations).
  • The Supreme Court did however open the door for a “bifurcated approach” to similar claims in the future, whereby a class action could be brought to establish a breach of privacy legislation, with damages then being determined by separate individual assessments. However the Court noted that the Claimant had not proposed a bifurcated approach in the current case.

Key takeaways

The claim was for a breach of the Data Protection Act 1998 and the Court did not confirm how its findings apply in relation to the UK GDPR and Data Protection Act 2018 currently in force. As a result, the judgment has not ruled out the ability to bring a successful claim for damages on the basis of loss of control of personal data under the current data protection regime. However, it has definitely created a high threshold that must be established if such a claim were to succeed, as any claim under the current framework would need to differentiate itself from the precedent set by the Lloyd v Google judgment.

The outcome is undoubtedly a positive one for a huge number of businesses which collect and process personal data on a large scale. It is easy to see the speed at which potential damages could multiply if claimants are not required to identify the damage suffered by each individual data subject within a class. A different outcome may well have left businesses more reluctant to invest in innovation which involves the processing of significant quantities of personal data, due to an increased risk of substantial compensation claims.

For more information please contact the Data Protection Team.

Send us a message