The Supreme Court has today handed down judgment in the case of Lloyd v Google. Although the defendant prevailed, it would be entirely precipitous to read the ruling as sounding the death knell for compensation claims for data protection breaches.
This is of course a landmark judgment for data protection claims, but also more generally for consumer actions brought on an "opt-out" basis. The claimant, Mr Lloyd, represented a group of more than 4 million iPhone users, and alleged, on their behalf, that Google's historic deployment of cookies on the Safari browser had been not just unlawful, but that it meant that Google should pay compensation to everyone who had received cookies on that basis.
Although the Supreme Court found in favour of Google, this was a case primarily about the legal mechanisms to bring such claims under the now-repealed 1998 Data Protection Act, and not about the overarching rights and principles of data protection law. This means that there will undoubtedly still be good arguments, particularly under the new UK GDPR framework, that will permit certain group actions to proceed, and cases where an infringement of data protection law is such that compensation will be appropriate.
The judgment also passes the baton both to Parliament and to the Information Commissioner. For Parliament, it may be the case that legislation is required to enable opt-out claims under data protection law to be made more easily. For the Information Commissioner, there is now a pressing need for more robust enforcement action for wilful and mass-scale infringements of the law and to ensure that data subjects are afforded the effective judicial remedy, which is the promise of UK GDPR and the present data protection framework.