Data protection specialists (including myself) have thoroughly debated about the legal issues argued in this case, and I anticipate an “avalanche” of articles in which we all will provide details of the facts of the case, comment on each of the legal arguments considered by the Supreme Court and share our conclusions.
Today I share my initial thoughts after a first reading of what I believe is, in the context of awarding compensation for damages, a fair and well-reasoned judgement. This case is not only relevant to companies providing services of the kind of those provided by Google but also to any company using cookies and tracking tools that capture personal data due to an increase of the number of claims brought in relation to this type of data processing.
While there are other interesting points to take from this Judgement, my initial thought concerns what I have discussed the most with clients: Are individuals entitled to receive compensation for any (non-trivial) data protection related breach without the need of proving the damage caused, just for the commission of the wrong itself? According to the Supreme Court, no, they are not. Not “just” for the commission of the wrong itself, and not in “any” case. I (very briefly) summarise below the rationale behind the Supreme Court’s approach.
Bur first, moving slightly out from the scope of the Lloyd v Google case, I note that the arguments detailed and accepted by the Supreme Court in this Judgement will help organisations that work hard to “get things rights”, to defend themselves from claims that are most likely to end up being considered based on unjustified grounds or unproved facts. Curiously, in these circumstances, I have witnessed a high level of distress and anxiety on those individuals who are responsible for the company against which the claim is brought. Distress that ends up not being compensated. I refer to claims where claimants (with all due respect) not only do not provide evidence of the damage caused by a contravention of the data protection law, but also seem to actively take steps to make the placement of cookies on their devices happen, so their personal data is unlawfully processed (with a fewer or greater degree depending on the case). This would have been a “easy money win” game that to date it was becoming a trendy habit and which now, after this Judgement, might be brought to a fair and balanced position in which claimants will be awarded with compensation where there is a damage to compensate caused by an infringement of the data protection law, or a misuse of their private information, all of which will most likely be considered in the evidenced circumstances of each case.
Where a claimant seems to be “keen” to allow the use of their personal data under this context to systematically issue, let’s say, by way of example, in the range of 10 claims for compensation per week, it is also arguable whether there is room to apply the rule of mitigation according to which, in a tort law scheme, a claimant might not be entitled to compensation if they did not take reasonable steps to mitigate the damage.
Defendants of these type of claims may wish to consider the following arguments set out by the Supreme Court in Lloyd v Google:
If a claim is based on the grounds of compensation for misuse of private information, compensation might be granted without the need to show a material damage or distress. However, for this to happen it is necessary to show that there is a reasonable expectation of privacy, as a necessary element of the claim. If there is a reasonable expectation of privacy the elements of such a reasonable expectation of privacy will be considered in the circumstances of each case. The Supreme Court  reminds how this matter was considered in the Murray v Express Newspaper plc case. In that case, consideration was given to factors like: “attributes of the claimant, the nature of the activity in which the claimant was engaged, the place at which it was happening, the nature and purpose of the intrusion, the absence of consent and whether it was known or could be inferred, the effect on the claimant and the circumstances in which and the purposes for which the information came into the hands of the publisher”.
Also, in the context of a claim is based on misuse of private information it is acceptable to consider “user damages” to seek compensation from loss of control over an asset that is commercially valuable. In a data privacy context, this would be data that has been proved to have a value. There is no doubt (as the Supreme Court rightly points in this case) that information about a person’s internet browsing is a commercially valuable asset. However, there are elements that must be analysed to determine the extent to which (if any) compensation is granted based on the extent of the unlawful processing in the circumstances of each case, which will depend on factors such as the amount and nature of data processed, how the data was unlawfully used, or what the commercial benefit obtained was (if any – for which a valuation exercise must also been carried out). A key element will be to find out what fee a person providing their data would have negotiated with the company using it. In Lloyd v Google, the Supreme Court  confirmed that “for a licence to place a DoubleClick Ad cookie on an individual user’s phone as a third party cookie without releasing Google from its obligations not to collect or use any information about that person’s internet browsing history”, such a licence would, in practice, have no value. I can see similar conclusions in a considerable number of cases.
If a claimant seeks compensation for distress under Section 13 of the former Data Protection Act 1998 (the “Act”):
- the right to compensation provided under Section 13 (1) is for damages that must occur by reason of a contravention of the Act, damages which in this context -whether material or not- must be proved. The contravention of the law itself must not be interpreted as a damage.
- In this context the Supreme Court found not acceptable to discuss loss of control over the data because none of the requirements of the Act is predicated on “control” over personal data by the data subject; and
- The Supreme Court also reminded that according to the Act, there will be no entitlement to compensation under these grounds if the controller proves that it took “such care as in all the circumstances was reasonably required to comply with the requirement concerned” .
The above is aligned with our current data protection regime (article 82 of the “UK GDPR”) and there is no doubt that the right to privacy and protection of personal data must be put first by organisations processing personal data (whether by using tracking tools or by any other means). As we already know, organisations should work towards complying with the data protection obligations placed on them as an ongoing process in which achieving best standards of compliance (and demonstrating what has been achieved so far and what is planned to build achieved standards up to a level) is a must to ensure compliance and mitigate risks. But then, in these circumstances, and in the context of a non-trivial breach, it is most likely that compensation will not be granted to individuals.