The Supreme Court has dismissed a claim by Richard Lloyd, a former director of Which?, against Google for unlawfully tracking the internet usage of over four million iPhone users.

The Court’s decision was hotly anticipated and is an important win not only for Google and the tech industry, but for all organisations handling customer, user, employee or any other personal data in the UK.

The immediate takeaways from the judgment are as follows:

1. both of Mr Lloyd’s key arguments were rejected. The Court held that (a) there is no right to damages under the DPA 1998 for mere “loss of control” of personal data without proof of financial damage or distress and (b) Mr Lloyd could not sue on behalf of all affected iPhone users because their interests in the case were not the same and would have to be assessed individually;
2. the judgment severely limits the recoverability of damages for data protection breaches under the DPA 1998 (as for the GDPR, see below) and will put the brakes on a number of high profile pending data breach class actions and probably thousands of smaller claims. It is also consistent with the tech-friendly theme of the Government's recent proposals for data protection reform post Brexit and a general trend towards a more pro-business data privacy regime in the UK;
3. the decision will come as a particular relief to the tech industry, but a blow to data subjects seeking redress for perceived data privacy breaches. In this case, Google was alleged to have secretly and deliberately unlawfully obtained and used private information for commercial gain, as compared to incidences of accidental data loss, cyber attack, or oversights in policies and controls that have featured in other cases. Despite this, the Supreme Court disagreed with the Court of Appeal’s previous ruling that all affected individuals were arguably entitled to a minimum amount of compensation;
4. however, an important question remains unanswered – would the analysis be the same for a claim under the GDPR? Google committed the alleged misconduct before the introduction of the GDPR and the claim was therefore brought under the DPA 1998. Given the very different use of language within the two sets of legislation, it is by no means certain that the Court’s analysis would be the same for a GDPR-based claim; and
5. the Court hinted at other ways claimants and funders could nonetheless pursue mass claims. Several claims are also still pending against big tech companies like Apple, Google and Qualcomm in the UK Competition Appeal Tribunal, which have been given significant momentum by a separate recent Supreme Court ruling in Merricks.

Over the coming weeks, we will be publishing a series of short posts exploring these points in more detail and examining the practical implications of the judgment for collective actions in England & Wales and data protection best practice under the UK GDPR.