Category: Insurance case law · Reviewed by Tim Roche, Director · PI & Commercial · Last reviewed June 2026
The Supreme Court held that a uniform per-capita sum cannot be awarded for “loss of control” of personal data under the Data Protection Act 1998 without proof of material damage or distress, effectively halting US-style opt-out representative actions for low-value data breach claims.
Mr Richard Lloyd, a former director of the consumer group Which?, brought a representative action under CPR 19.6 against Google LLC on behalf of an estimated four million iPhone users resident in England and Wales. The claim concerned what became known as the “Safari Workaround”: between approximately August 2011 and February 2012, Google was alleged to have placed advertising cookies on Apple iPhones using the Safari browser by exploiting a configuration that allowed cookies to be set despite the browser’s default block on third-party cookies. The data collected — referred to as “Browser Generated Information” — was said to have been aggregated and used to deliver targeted advertising through Google’s DoubleClick Ad network without users’ knowledge or consent.
Mr Lloyd issued proceedings in 2017 seeking damages under section 13 of the Data Protection Act 1998. The action was framed as a representative claim because, to use the CPR 19.6 procedure, every member of the represented class must have “the same interest” in the claim. To engineer that uniformity, Mr Lloyd advanced the claim on a “lowest common denominator” basis: he sought a uniform tariff award for each class member for the “loss of control” of their personal data, without seeking to prove the specific circumstances, distress, or financial loss of any individual class member. No individual user’s browsing data was placed before the court.
Because Google was domiciled in the United States, Mr Lloyd required the court’s permission to serve the claim form out of the jurisdiction. Warby J refused permission at first instance, holding the claim disclosed no basis for compensation and was not suitable as a representative action. The Court of Appeal reversed that decision and granted permission. Google appealed to the Supreme Court. The litigation was supported by a third-party litigation funder and would, if successful, have established a procedural template for mass data protection claims in England and Wales.
Two principal issues arose. The first was whether damages were recoverable under section 13 of the Data Protection Act 1998 for the bare “loss of control” of personal data, in the absence of any proof of pecuniary loss or distress on the part of an individual claimant. Mr Lloyd contended that the unauthorised processing of personal data was itself a compensable harm by analogy with the tort of misuse of private information, where the court had previously been willing to award “user damages” reflecting the value of the wrongful use of confidential information.
The second issue was whether, even if such damages were recoverable, the representative action procedure in CPR 19.6 was capable of being used to claim a uniform sum on behalf of every member of a class numbering in the millions, where the only common feature was membership of a defined group of Safari users and where the precise circumstances and impact of the alleged processing would necessarily vary from individual to individual. The “same interest” requirement, the assessment of damages under section 13, and the wider policy question of whether English procedure should accommodate opt-out class actions for data breach were all engaged.
The Supreme Court allowed Google’s appeal unanimously. Lord Leggatt gave the leading judgment, with whom Lord Reed, Lord Sales, Lord Hamblen and Lord Burrows agreed.
On the substantive issue, the court held that section 13 of the Data Protection Act 1998 required proof of “damage” — meaning material damage such as financial loss or psychiatric or psychological injury — or distress caused by the contravention. The bare fact that personal data had been processed in contravention of the Act did not itself amount to damage entitling the data subject to compensation. The court rejected the attempt to import a “user damages” or “loss of control” measure from the law of misuse of private information into the statutory regime, holding that the two causes of action operated on different bases. Compensation under section 13 required individualised proof of the impact of the contravention on the particular data subject.
On the procedural issue, the court held that the representative action could not succeed on the “lowest common denominator” basis advanced. Because damages required individual assessment of the extent and gravity of the contravention for each class member, the members of the represented class did not have the “same interest” in the claim within the meaning of CPR 19.6. The court acknowledged that a bifurcated approach — using a representative action to establish liability followed by individual assessments of damages — remained theoretically available, but that was not how the claim had been pleaded or pursued.
Permission to serve out of the jurisdiction was therefore refused and the claim was dismissed.
The ratio of the decision is twofold. First, section 13 of the Data Protection Act 1998 (and by clear implication the corresponding provisions of the UK GDPR and the Data Protection Act 2018) does not permit recovery of compensation for the mere fact of an unlawful processing of personal data; the claimant must prove material damage or distress that is more than trivial. Second, where damages require an individualised assessment that varies between class members, a CPR 19.6 representative action cannot proceed on a uniform tariff basis because the represented persons do not share the “same interest” in the claim. The decision left open the possibility of a bifurcated representative action confined to common issues of liability, with damages assessed individually, but rejected the procedural mechanism on which the action before the court depended.
Lloyd v Google materially reshapes the underwriting and broker advice landscape for cyber and data liability cover in the United Kingdom. Prior to the decision, cyber insurers and brokers were modelling exposure on the assumption that mass opt-out representative actions could give rise to per-capita liabilities running into hundreds of millions of pounds for a single breach event. The Supreme Court’s decision has not eliminated that exposure — large data breaches remain capable of generating significant aggregated claims — but it has materially restricted the route by which such liability can be efficiently litigated against an insured organisation.
For cyber insurance underwriting the decision matters in three ways. First, it strengthens defendants’ arguments that low-value individual data subject claims are economically unviable to prosecute and may be struck out as an abuse of process (see Stadler v Currys Group Ltd). Second, it has reduced the immediate attractiveness of UK data breach litigation to third-party litigation funders, who depend on the prospect of aggregated awards. Third, it sharpens the importance of distinguishing between regulatory exposure (Information Commissioner monetary penalty notices, where the cap remains substantial) and civil claimant exposure.
Brokers placing cyber liability cover should review insuring clauses and definitions of “Damages” to ensure the policy responds both to civil claimant liability and to the costs of defending representative or group litigation, even where ultimately unsuccessful. Notification and breach response sublimits, regulatory defence costs cover, and PR/reputation cover remain critical because, irrespective of damages outcomes, the operational and reputational impact of a breach is borne by the insured. Brokers should also note that the decision interpreted the 1998 Act, but the same statutory text on compensation appears in the UK GDPR and Data Protection Act 2018, and the reasoning has been applied to claims under the post-2018 regime in subsequent cases.
By Matt Bartlett, Director, on 2026-06-06. Next review: 2026-12-06.
This entry is part of the Apex Insurance Wiki. Last reviewed by Matt Bartlett on 2026-06-06. Apex Insurance Brokers Limited, FCA FRN 724952, Companies House 07014570. Not regulated advice — consult your broker on your specific position.
SEO meta: - Title: Lloyd v Google LLC [2021] UKSC 50 | UK Insurance Wiki | Apex Insurance Brokers - Slug: /wiki/cases/lloyd-v-google/ - Schema: Article + LegalCase + BreadcrumbList
Apex Insurance Brokers serves UK professional services firms and commercial businesses. Call 0117 325 0027, email hello@apexinsurancebrokers.co.uk, or request a quotation.
Get a quote