top of page


GDPR: Breach By A Data Controller

This article focuses on the Loss of control over personal data, the possible impact of the Lloyd v Google case on businesses and the way forward for UK businesses as they seek to comply with the General Data Protection Legislation (GDPR) and Data Protection Act 2018 (DPA).

Case Summary

The respondent has issued a claim alleging that the appellant (‘Google’) has breached its duties as a data controller under the DPA to over 4 million Apple iPhone users during a period of some months in 2011- 2012, when Google was able to collect and use their browser generated information. The respondent sued on his own behalf and on behalf of a class of other residents in England and Wales whose personal data was collected in this way. He applied for permission to serve the claim out of the jurisdiction. Google opposed the application on the grounds that (i) the pleaded facts did not disclose any basis for claiming compensation under the DPA and (ii) the court should not in any event permit the claim to continue as a representative action. ​

The issue is whether the respondent should have been refused permission to serve his representative claim against the appellant out of the jurisdiction (i) because members of the class had not suffered ‘damage’ within the meaning of section 13 of the Data Protection Act 1998 (‘DPA’); and/or (ii) the respondent was not entitled to bring a representative claim because other members of the class did not have the ‘same interest’ in the claim and were not identifiable; and/or (iii) because the court should exercise its discretion to direct that the respondent should not act as a  representative. ​

The Court of Appeal found in favour of Mr Lloyd in both respects in October 2019*. The Supreme Court ruling on the matter was expected on the 29th April 2021, however, judgement has not yet been released. Lloyd v Google LLC  is a case with potentially wide consequences for the scope of collective  actions and data protection claims in the UK**.​


The Supreme Court decision is highly anticipated for two main reasons:

Firstly, it will determine whether the damages are legally available “loss of control” of personal data and without the need to identify any financial loss or stress. While it is not a possible benefit for some to expect (it is accepted by both parties that minor violations of data protection will remain ineffective), this will still represent a significant increase in the breadth of data protection claims in the UK.

Secondly, it will ensure that Mr. Lloyd can sue Google on behalf of all iPhone users on the grounds that they have the "same interest" in this case. Such representative actions are permitted only in the past when the litigation claims are somewhat similar in law and in terms of the alleged damages, which effectively hinders the growth of US-style “out-out” class actions in England and Wales. Mr Lloyd wants to overcome that limitation by limiting his claims only to the damages of "loss of control" (which he said were the same for everyone involved) and to willful reliance on certain circumstances, or additional losses experienced by certain individuals.

Impact on businesses

The ruling is likely to have an impact on businesses, particularly Recruitment and Consultancy technology service providers. However, the focus should be on encouraging businesses to take drastic measures to reduce the risk of GDPR breaches occurring in the first place and to mitigate against such losses when they occur. Furthermore,  businesses should be encouraged to adopt a transparent approach with the victims of data breaches and offer sensible credit monitoring or other redress upfront, doing so will help in reducing the likelihood of claims action similar to Mr Lloyd's (Lloyd v Google).


While this case may be related to a violation of the Data Protection Act 1998 (because the incidents took place before 2018) an examination of the right to “loss of control” of personal data is still relevant under the GDPR. The risk of receiving additional fines under the GDPR has already brought about compliance with data protection legislation, but the growing threat of private actions that could lead to organisations paying for damages in addition to fines may result in changes in the ways businesses manage data risks and their response to data breaches.







We will help you define your business strategy with embedded compliance solutions to drive success...

bottom of page