The judge said that the claimant had failed to prove damage had been caused to individuals by the data collection. But he did not rule out the possibility of future mass-action lawsuits if damages could be calculated.
The case will have implications for similar mass action lawsuits.
In his judgement, Lord Leggatt said a key issue was that “the claim has been framed in order to try to bring it as a representative action” for many people.
“The claimant seeks damages… for each individual member of the represented class without attempting to show that any wrongful use was made by Google of personal data relating to that individual or that the individual suffered any material damager or distress as a result of a breach,” it read.
“Without proof of these matters, a claim for damages cannot succeed.”
Says Rocio Concha, Which? Director of Policy and Advocacy:
“This will be disappointing news for millions of consumers who may now struggle to get redress for potentially having had their personal data exploited by Google.
“People who have suffered from data breaches must be able to hold big companies to account and get the redress they deserve. Which? has repeatedly called for consumers to have an easier route to redress when they suffer from data breaches.
“The government must allow for an opt-out collective redress regime which would mean that affected victims would be automatically included in the action and be represented by a body bringing the claim on behalf of those affected.”
Adds Nick McAleenan, Partner in Media Law at JMW Solicitors:
“On the face of it, this decision is about the intricacies of data breach law, and how very large legal claims can be run in court. However, it is also about balancing the legal rights and interests of ordinary consumers and those of the large organisations which process all of our personal data.
“Parliament has previously declined to introduce legal mechanisms allowing “opt out” data breach class actions, and the Supreme Court’s decision has a similar effect. Group claims remain possible for data breach victims, but one potential avenue for running such a case – “representative” actions – has practically been closed off by this decision.
“It will be interesting to see whether other European countries take a different approach as data breach litigation evolves on the Continent. Also, the decision increases the importance of the Information Commissioner to regulate data law compliance where procedural issues prevent access to justice for data breach victims.”