Google ruling is good for public sector, businesses and non-profits

The UK Supreme Court ruling rejecting a claim against Google is good news for businesses, public bodies such as schools and non-profit organisations facing heavy-handed claims for nominal data breaches.

Google rightly suffered multi-million dollar administrative penalties and fines as a result of its having secretly tracked the internet activity of millions of Apple iPhone users for some months in 2011-2021 and used the data collected in this way for commercial purposes without the users’ knowledge or consent.

The recent action brought by Mr Richard Lloyd, a former executive director of consumer watchdog Which?, went much further. He attempted to make himself the “representative” of some four million people resident in England and Wales who owned an Apple iPhone at the relevant time, whose data were obtained by Google without their consent, and to be entitled to recover damages on behalf of all these people (whether they knew of his existence or not.) He estimated damages at a flat £750 per head, putting Google potentially in the frame for over £3 billion in damages.

In rejecting this approach, the Supreme Court took the opportunity to make clear that just because a data controller has contravened data protection law this does not mean a windfall payout for all data subjects who may have been affected by that breach “without proof of material damage or distress”.

The fundamental principle that anyone claiming damages for breach of their rights has to prove they have suffered loss had, in the past, been glossed over or ignored in the area of data breach claims.

Specialist data protection lawyer Susan Hall, a partner with Clarke Willmott LLP, said: “This ruling should be applauded as a bit of sanity in an area where we have seen a large number of organisations facing claims for minor data breaches.

“There has been a rise in actions against businesses, schools, social housing providers and charities fuelled by ‘no win, no fee’ legal firms who are encouraging claims to be brought for very minor data breaches, without clarifying how their clients have suffered loss as a result, and threatening High Court action if payment is not made.

“In the detail of this ruling the Supreme Court has made a distinction between a minor contravention of a requirement of the act by a data controller and an incident where someone has genuinely suffered damages.

“Of course, all data breaches should be avoided and it’s important for all organisations to put in place robust data protection measures and limit the amount of data they hold. Furthermore, all reports of breach need to be rectified promptly. But it is only when a person suffers some tangible and quantifiable damage as a result that it should be the subject of litigation. An apology and putting the breach right is usually sufficient for inadvertent and minor breaches.

“Organisations receiving long letters of claim from law firms demanding payment of compensation for data breach where, perhaps, the breach is nothing more than their having accidentally sent out a bill to ’14 Acacia Avenue’ and not the correct address of ’41 Acacia Avenue’ may panic and agree to settle for a low sum in compensation plus ‘costs to be agreed’. However, the costs element can often be ten times the amount claimed in compensation, leaving them out of pocket to the tune of five figure sums.

“The law firms making these claims often rely on organisations fearing court action and making settlements without the breaches being tested in court.

“With the emphasis now rightly back on serious cases where genuine loss or damage has occurred it should free up the system and hopefully mean the end of some of the “pile em high” data breach claims firms that have set themselves up in the UK.”

Clarke Willmott is a national law firm with offices in Birmingham, Bristol, Cardiff, London, Manchester, Southampton and Taunton.

For more information visit www.clarkewillmott.com