In allowing Google to appeal against the Court of Appeal’s findings in Lloyd v Google llc, the Supreme Court holds out the prospect that we’ll conclusively know whether a personal data breach is a loss in itself – or whether a pecuniary loss or some specific distress is required.

In 2019, the Court of Appeal did something special to personal data. It gave it a value in and of itself – such that a loss of control over personal data became an actionable loss in itself. No actual pecuniary loss or distress was necessary. Now the case in question is going to the Supreme Court, and the understandable controversy triggered by the Court of Appeal’s decision may (once the case is heard, late this year or more probably next) finally be resolved one way or the other.

The Court of Appeal’s decision came in Lloyd v Google llc [2019] EWCA Civ 1599, a case involving one of the highest-profile tech firms in the world, and one of the foremost examples of either (depending on your perspective) finding an inventive solution to another firm’s (in this case Apple’s) unreasonable intransigence, or shamelessly evading that firm’s customers’ privacy protections for one’s own gain. The issue was Google’s use of what was generally termed the “Safari workaround”, a means of tracking users of websites on which a Google subsidiary had placed ads even if a user’s Apple device was set up to stop this from happening.

Richard Lloyd, a privacy activist, was trying to initiate a class action on an opt-out basis, which could in principle encompass millions of users of Apple’s Safari web browser. This was in itself highly controversial, although I don’t propose to address that side of things. Of more direct interest from a privacy perspective was the claim made on Mr Lloyd’s behalf that the Safari Workaround was actionable in itself: that users didn’t have to prove they’d lost out emotionally or financially, but that the loss of control over their personal data which the Workaround caused was per se a loss sufficient to allow them to sue under the Data Protection Act (the 1998 version, which had been in force at the time).

The High Court had no truck with this argument, Warby J concluding that without some actual loss or distress, section 13(1) of the 1998 Act wasn’t engaged. The Court of Appeal disagreed, with Vos LJ finding (at [44-47]) that a person’s control over their personal data had an intrinsic value such that loss of that control must also have a value if privacy rights (including those arising from article 8 of the European Convention on Human Rights) were to be properly protected.

(The Court of Appeal also reversed Warby J’s findings on the other key point: that the potential claimants all had the same “interest” in the matter, such that a representative action under CPR r.19.6 could proceed. As such, it ruled that it could exercise its discretion to allow Mr Lloyd to serve proceedings on Google even though it was out of the jurisdiction.)

To no-one’s surprise, Google sought permission to appeal the matter to the Supreme Court. The Court has now given permission for the appeal to proceed – not just on the core question of whether loss of control over personal data is actionable in itself, but on the other points on which the Court of Appeal disagreed with Warby J.

The question of where the cut-off point lies in privacy breaches involving loss of control over personal data has been a live one ever since an earlier case involving Google, Vidal-Hall v Google Inc [2015] EWCA 311, which (as Vos LJ put it in Lloyd) had analogous facts but one critical difference: it had been pleaded on the basis of distress caused by a personal data breach, rather than the idea that such a breach was intrinsically harmful and thus actionable in itself. The Court of Appeal in Lloyd went beyond Vidal-Hall in expanding the scope of actionable harm. Now, at last, we may conclusively get to identify the outer borders of that scope. Watch this space.

(Incidentally – I’m rather late to this party. The Supreme Court granted permission in March. I’d intended to write about it a little earlier, but the Bug got in the way. My apologies.)