teissTalk host Geoff White was joined by Alec Christie, Partner at Clyde & Co; Paula García, Privacy and Cyber Security Senior Associate, Hogan Lovells; and Rocio de la Cruz Partner at BPE Solicitors.

Views on news

In November the UK Supreme Court handed down the judgement in the Lloyd versus Google case unanimously allowing Google’s appeal and reversing the decision of the Court of Appeal. The rule of the Supreme Court was that damages for “loss of control” are not available for breach of the Data Protection Act, and that even if they had been, the claim could not be brought as a representative (class) action. The ruling is relevant to any company using cookies and tracking tools that capture personal data. (Google illegally tracked geolocation data by communicating misleading messages to users regarding how to opt out from being tracked.) The Supreme Court’s answer to the question whether individuals are entitled to receive compensation for any data protection related breach without the need of proving the damage caused is “no”.

There are certain losses resulting from data breaches that are easier to prove such as having to shut down your system or set up helplines to deal with customers, as well as fines. However, with proving that the breach caused the victim annoyance or distress, the bar is set very high. The ruling on the Lloyd v Google case is probably more important than we may think, as it failed to set a precedent of paying compensation for “accidental covert surveillance” (Alec’s coinage).

Unlike Europe, in Australia class actions are permitted for damage suffered by data subjects. Moreover, victims of data breaches and misuse can turn to either the data commissioner – where they can be granted an additional compensation of AUD 3-10,000 for economic loss which is hard to prove – or to the regulator for more tangible losses.