Supreme Court rejects data misuse class action

Today the Supreme Court has dismissed an application by Richard Lloyd, a consumer protection campaigner seeking to bring a claim against Google on behalf of a class of more than 4 million iPhone users.  It is alleged that Google secretly tracked some of their internet activity in 2011-12, and used that information without the iPhone users’ consent for its commercial benefit.  Such action potentially breached data protection legislation in force at the time - the Data Protection Act (DPA) 1998, since replaced by UK GDPR and the Data Protection Act 2018.

Because Google is based overseas, Mr Lloyd needed the court’s permission to serve proceedings under the court rules.

Google contested the application to serve proceedings on it.  First on the ground that the claim had no real prospect of success because the damages claim against it had been framed without proof of actual damage or distress to individuals and second because of limitations on how such “representative actions” can be brought under the court rules.

The High Court decided in Google’s favour, a ruling later overturned by the Court of Appeal.  The Supreme Court has now allowed Google’s appeal on the basis that:

  1. a proper interpretation of section 13 of the DPA 1998 requires proof of “damage” to each individual, such as financial loss or mental distress.  Proving that the DPA had been breached without also proving such damage was insufficient;
  2. it was also necessary to prove what unlawful data processing had occurred in relation to each individual.

Whilst the judgment also confirms the flexibility of the representative action procedure in a range of scenarios, it also highlights a number of other legal and practical difficulties with the claim against Google as framed. For example, when considering whether damages claims under DPA 1998 should be influenced by case law on damages for misuse of private information the court commented:

“Stripped to its essentials, what the claimant is seeking to do is to claim for each member of the represented class a form of damages the rationale for which depends on there being a violation of privacy, while avoiding the need to show a violation of privacy in the case of any individual member of the class. This is a flawed endeavour.”

The decision will no doubt be welcomed by Google, whilst privacy campaigners and their litigation funders will look for alternative ways to structure their claims in future.

The DPA 1998 was replaced in 2018 by UK GDPR and the DPA 2018, although many of the underlying principles remain the same.  Whilst post-Brexit decisions of the Court of Justice of the European Union (CJEU) are not binding on UK courts, an Austrian court has recently asked the CJEU to rule on similar questions under EU GDPR, a judgment which will be of interest in the UK when it is delivered.

Our content explained

Every piece of content we create is correct on the date it’s published but please don’t rely on it as legal advice. If you’d like to speak to us about your own legal requirements, please contact one of our expert lawyers.

Posted by


Mills & Reeve Sites navigation
A tabbed collection of Mills & Reeve sites.
My Mills & Reeve navigation
Subscribe to, or manage your My Mills & Reeve account.
My M&R


Register for My M&R to stay up-to-date with legal news and events, create brochures and bookmark pages.

Existing clients

Log in to your client extranet for free matter information, know-how and documents.


Mills & Reeve system for employees.