Last week, the English High Court limited the availability of collective actions for data breaches to identifiable individuals who have suffered specific and discernible damage. In Richard Lloyd v Google LLC, the Court refused to allow a representative action alleging breach by Google of its duties under the Data Protection Act 1998 (“DP Act 1998”) to proceed. The Court reinforced the need to prove “damage” resulting from data privacy breaches in order to claim compensation and continued its policy of reluctance to permit English court procedures to be used to bring U.S.-style “opt-out” class actions.
The case reinforces the need to prove damage or distress when bringing data breach claims, as well as the hurdles involved in bringing representative actions in the English courts. It will also be relevant to claims for breach of the new Data Protection Act 2018 (“DP Act 2018”) (which has largely replaced the DP Act 1998) and could therefore serve as a deterrent to future claims.
Read our client alert.