Consumers will now have to show that they have personally suffered damage or distress 

The insurance industry will be relieved following the Supreme Court’s judgment in Lloyd v Google yesterday (10 November), which ruled against compensating every data subject in the non-trivial data breach for “loss of control” of personal data.

A ruling against Google could have triggered an avalanche of data claims against the insurance industry. 

The case in question saw Richard Lloyd sue Google, alleging the technology giant was collecting web browsing data from iPhone users between 2011 and 2012. At the time, Google claimed that Apple’s default privacy settings on the Safari internet browser prevented this.

The claim alleged that for several months “in late 2011 and early 2012, Google secretly tracked the internet activity of millions of Apple iPhone users and used data collected in this way for commercial purposes without the user’s knowledge or consent”.

The ruling saw the judge deem the claim “officious litigation” as it was “embarked upon on behalf of individuals who have not authorised it”.

This means that the main beneficiaries for damages would have been the funders and lawyers.

The judge thought that the representative claimant “should not be permitted to consume substantial resources in the pursuit of litigation on behalf of others who have little to gain from it, and have not authorised the pursuit of the claim, nor indicated any concern about the matters to be litigated”.

The judgment said: “No representative action can lie where the sole relief sought is damages, because they have to be proved separately in the case of each plaintiff, and therefore the possibility of representation ceases.”

In response to the ruling, David Cran, RPC partner and head of intellectual property said: “The Supreme Court’s judgment will be warmly welcomed by the insurance market, who following the Court of Appeal’s judgment, was exposed to very significant potential liability arising from data claims, even if no specific damage was shown to have been suffered by any individual.

“The Supreme Court’s judgment has firmly rejected the basis of this class action and many others that were waiting in the wings: it is likely to have a very significant impact on UK industry across many different sectors that handle customer data, as well as the UK legal market, including claimant firms, litigation funders and After the Event (ATE) insurers.”

Meanwhile, DAC Beachcroft’s partner and head of cyber and data risk, Hans Allnutt, said: “It should prevent UK class actions being brought for the mere contravention of data protection legislation.”

Earlier in April, and trade association techUK backed by law firm RPC made a written intervention for the case.

Blow to class action claims

On the flipside of this, there could be a blow to class action claims.

Amy Bradbury, data protection specialist and senior associate in the media and information group at law firm Harbottle and Lewis, said that the Supreme Court “has dealt a blow to class action claims for breaches of data protection rights”.

She added: “Consumers will now have to show that they individually suffered personal damage or distress, rather than relying on a representative claimant winning a lump sum of damages to be divided amongst them. It is expected that the appetite within legal circles for these types of large claims will decrease as a result.”

Greig Anderson, partner at global law firm Herbert Smith Freehills, warned that the potentially insurable impact is not just about the data class actions.

For example, if the events resulting in a data class action were also to result in knock-on regulatory action, securities claims or derivative claims against directors, directors’ and officers’ coverage will be implicated, as may professional indemnity cover for firms or companies that are considered by their customers or clients to be responsible for a data class action against them.

Anderson added: “The difficulty is that the insurance market is already seeking to affirm or exclude cover for cyber risks, which is leaving gaps in cover and the impact of a serious new exposure would have had the potential to widen these gaps, although the issue still remains.”

Pannone Corporate’s data protection lawyer, Patricia Jones, said: “Although the Supreme Court’s ruling in favour of Google was made under Data Protection Act 1998 which is no longer in force, it will make it more difficult for people to seek compensation for a data protection breach when they have suffered no material loss or distress.

“The decision will have implications for the bulk compensation claims that can typically follow a data breach affecting a large number of individuals and impact on the burgeoning data protection claims industry that has grown up.

“There are a number of data protection representative actions which were on hold pending the Supreme Court decision and it will be interesting to see what happens to them.”


Leaving the door open

The judgment has left the door ajar for representative actions relating to breaches of data protection legislation to go forward, according to RPC’s data disputes partner, Rupert Cowper-Coles.

He said: “The rejection of the concept of ‘loss of control’ damages and the requirement that individuals must prove they have suffered damage means that a representative action is unlikely to be a financially viable option for legal advisers and funders in most cases.”

Allnutt added: “The door is still ajar for a class action to be brought to establish the privacy contravention, with each individual then pursuing a claim for compensation.

“However, as Lord Leggatt [judge] noted when handing down the judgment, pursuing individual claims for compensation would not be cost-effective.”

Likewise, Anderson said: “One of the first questions a business will ask is whether my claim is insured – costs alone of a data class action may be eye watering and, while group data claims remain a threat, a judgment for the claimants would have marked a sea-change in exposure for insurers.”

He explained that the cyber insurance market typically covers data-related claims but that it is already “a very challenging environment for policyholders” which is hardening quickly, making it a seller’s market.

Anderson added: “Whilst the door has been left open, it is unclear how the market would have reacted to yet further enhanced exposure had the floodgates been opened, whether by putting up price further, reducing limits or even excluding or withdrawing cover, which has tended to be the approach of the insurance market more generally to emerging risks such as cyber and Covid-19.”

He said he hoped the cyber market will now have the opportunity to stabilise pricing and cover, and thus remain a realistic risk transfer option for policyholders, with a “wait and see approach” to whether claimants will seek to bring representative actions to establish liability as part of a two-stage process.

Alain Orengo, partner at Plexus Law, said: “Whilst the outcome of this decision will be a bitter disappointment for many iPhone users and privacy campaigners, it will be a welcome result by many insurers who feared a deluge of claims.

“The court appears to have been persuaded by the mass nature of the litigation. However, the judgment has left the door ajar, as there would be a ‘real chance of success’ for individuals to bring their claim if they could demonstrate that any failure has caused ‘material damage or distress as a result of a breach’.”

However, Anderson said that possible exposure will currently be hard to project.