On 10 November 2021, the Supreme Court handed down its judgment in the matter of Lloyd v Google, finding in favour of Google and bringing to an end the claim estimated to have the potential to see damages of £3bn awarded.

Whilst presented under the Data Protection Act 1998 rather than the General Data Protection Regulation 2016 or the Data Protection Act 2018, the judgment will have an impact on claims presented for more recent data breach incidents.

The Data Protection Act 2018 and General Data Protection Regulation 2016 allow damages to be awarded for material and non-material damage, including distress. The compensatory principle, on which damages in civil actions are awarded, intends to put the Claimants in the position in which they would have been had the wrong or breach not occurred. As this requires an individual assessment of the impact of a data breach on each individual Claimant, rather than a common calculation, a representative action is not suitable for claims for damages arising from a data breach.

Over the last few years, a number of Claimant firms of solicitors have moved into the area of data breach claims, the claims falling outside the scope of the fixed costs of the RTA, Employers’ Liability and Public Liability claims; Twitter and other social media platforms are often used to market for claims arising from cyber-attacks.

Had the Supreme Court found for Mr Lloyd, representative actions following cyber-attacks in which the data of many thousands of individuals has been exfiltrated should have been expected to be pursued.

In closing the door to representative actions, whilst we expect to continue to deal with a rising tide of positively pursued data breach claims from our local authority clients, this at least closes the door to the risk of major class actions and may discourage Claimants’ representatives from pursuing claims where the distress alleged is minimal.