Lloyd v Google

GDPR after Brexit Vasiliki Antoniadou

Vasiliki Antoniadou explains the Lloyd v Google case: The “damage” requirement in a compensation claim for personal data breach

The High Court of Justice issued earlier this month an interesting decision in respect of data breach litigation in the frame of the Lloyd v Google case. The ruling clarified that compensation for infringement of personal data may only be granted if material loss and damage or serious distress and anxiety have been suffered. The court also dismissed the claim for a representative action involving an uncertain number of potentially affected people.

The personal data breach which triggered this decision in the Lloyd v Google case is not new. It rather dates back to 2011-2012, when Google used  the “Workaround” code in order to circumvent Safari’s default blocking of third party cookies. That way they were able to set the DoubleClick Ad cookie on i-phones, without the user’s knowledge or consent, whenever the user visited a website with DoubleClick Ad content. Consequently, Google monitored the online habits of the safari users and collected data related to ethnicity, age, location, interests, religious and political beliefs, education and financial status. Then Google offered the option to its subscribed advertisers to generate targeted advertisements based on the unlawfully collected information.

Interestingly the infringement of personal data was not detested in this Lloyd v Google case, but the judge had to examine the existence of damage required for compensation. Unlike in the similar earlier case Vidal-Hall v Google the claimant, who was a safari user at the time of the event, did not claim distress or anxiety as a result of the data breach. The claimant alleged that damage incurred by reason of Google’s contraventions of the Data Protection Act. However, the court found this claim generic and rejected claimant’s position. It is clear from the above that in order for a compensation inquiry to be successful, it is paramount to provide compelling evidence of harm stemming from the breach.

Moreover, the court dismissed the representative action of the class consisted of the majority of i-phone users in England and Wales at the time of the breach. The reasoning is that the members of the class do not have the “same interest”, as required by law, and it is also not possible to specify the members of the represented class.

Do you require assistance with GDPR and Data Protection Act 2018 compliance? Aphaia provides both GDPR adaptation consultancy services, including data protection impact assessment, and Data Protection Officer outsourcing.

Latest posts by Vasiliki Antoniadou (see all)

Leave a Comment

(0 Comments)

Your email address will not be published. Required fields are marked *