In November 2021, judgment was given in the case of Lloyd v Google LLC [2021] by the Supreme Court. The case related to a claim against Google for installing cookies on iPhones without the users’ knowledge or consent; those affected theoretically numbered in the millions.
The claim was relatively unique in that, rather than identifying the specific damages of the affected users, it attempted to identify an ‘irreducible minimum level of harm’. By structuring the claim this way, potential damages would be less for each user, but the claims as a whole could be aggregated together, streamlining the process, into a form of class action called a representative proceeding.
The Supreme Court ultimately rejected this formulation, on the basis that users could have been affected in very different ways. If the decision had been otherwise, organisations responsible for data breaches would have been vulnerable to large-scale claims promoted and run by “claims farmer” law firms and funders. The decision means that a claimant will need to expend resources to individually demonstrate their losses resulting from a data breach.
For more information on this article, please contact Christopher Francis.