*To read our full analysis of this judgment, please click here*
The Supreme Court has today unanimously allowed Google’s appeal against a Court of Appeal judgment that would have allowed a representative action to be pursued against Google by approximately 4 million iPhone users in relation to Google’s unauthorised collection of their data.
The Supreme Court has relied on two main grounds:
(i) that claims for compensation under section 13 of the Data Protection Act 1998 require damage to be suffered before there is an entitlement to compensation. The Court said that on a proper interpretation this meant financial loss or distress caused by the contravention.
(ii) in order to calculate damages it was necessary to look at how long Google had been collecting the data, the quantity of data involved, whether the data was sensitive/private, the use made of the data and the commercial benefit that was derived from using it. In the absence of this a claimant was not entitled to compensation. The Court said that the claimant’s attempt to pursue a claim without this information was unsustainable and the claim could not succeed.
A cause for celebration for companies handling data
Today’s outcome will be cause for celebration for Google and any organisation that handles significant amounts of data or bases its business model on the use of personal data (as well as their shareholders and/or insurers).
Had the Supreme Court upheld the Court of Appeal’s judgment we could have faced a situation where effectively every data breach could have led to US-style “opt-out” class actions.
The Court has also made some helpful comments about what claimants need to establish before they can pursue a claim for compensation. These are very likely to assist businesses and their insurers in defending all forms of data breach claims.
A detailed note of today's judgment will follow once the judgment has been reviewed.
BLM's data breach unit
BLM’s Data Breach Unit provides the essential support to those businesses facing claims resulting from:
the accidental loss of data,
unintentional misuse of data,
unauthorised or misdirected e-communications, correspondence and direct marketing.
We also support organisations experiencing more significant incidents involving the theft of data and cyber-attacks, including ransomware or major incidents involving the accidental loss of data.
Click here to find out more.