![David Lester (senior partner at Blythe Liggins), Darryl Barnes, Jagdeep Sandher (head of dispute resolution at Blythe Liggins)[4]](https://d1d8vslyhr7rdg.cloudfront.net/Pictures/274x183/4/2/8/116428_davidlesterseniorpartneratblytheligginsdarrylbarnesjagdeepsandherheadofdisputeresolutionatblytheliggins4_981603_crop.jpg)
A few months back, I was sitting in the lobby of a smart hotel in… let’s call it a major legal centre outside London. My ears pricked up as I overheard a pair of gentlemen sitting behind me and I couldn’t help tuning in. They turned out to be a senior figure in a law firm and a data security expert discussing a strategy for entering the apparently lucrative business of class actions over data security breaches. It was fascinating.
At the time I was amused that two intelligent people so exercised by the importance of data security had not twigged that the scruffy bloke with the laptop and a pile of newspapers at the next table might be a journalist. (Though, to be fair, I should state that no client-specific details were discussed.)
But I was also discomfited by the idea that private individuals who had suffered no loss from a data breach, and indeed would not have been aware of it until notified under the General Data Protection Regulation, should be entitled to monetary compensation. It seemed to me an indication that the pendulum of public opinion about data protection had swung too far in one direction.
Today's Supreme Court ruling in Lloyd v Google seems to suggest that the law agrees, albeit in the specific circumstances of an out-of-jurisdiction class action. The judgment's stand-out line is the requirement under s13 of the 1998 Data Protection Act for ‘material damage or distress’ before a claim for compensation can be considered.
Whether that finding is in line with public opinion is another matter. Largely thanks to the appalling behaviour of internet giants - and the billions they earn out of 'our' data - attitudes have changed radically since the first, feeble, loophole-ridden measure to protect personal data was enacted in 1984. Under that regime, concerns about even the most sensitive data were treated as a peripheral specialist interest. It was only in 1997 that the NHS adopted any kind of data protection regime beyond that implied in the Hippocratic Oath.
It seems incredible now, but in the late 1980s a scheme to provide thousands of GPs with free practice computers in return for data feeds to the pharmaceutical industry sailed through with apparently no discussion of data protection whatsoever.
Today, controversies about the supply of even anonymised NHS data to private companies suggest that the public increasingly see data derived from our lives as our property and therefore subject to our control, even way down the line. Rocio Concha of Which? summed up this sentiment today when she spoke of consumers' struggle to redress for 'potentially having had their personal data exploited by Google'.
Contrary to some predictions, there is little sign of attitudes about data protection softening with successive generations. Big Four firm EY last year reported a study showing that millennials and generation Z are more likely than generation X and baby boomers to regularly take the time to understand how a company uses their personal data. The new generations expect to have control over their data.
All this, of course, should be feeding in to debate about reform of what the government calls the 'unnecessarily complex' GDPR-based regime. We shall see. In the meantime, I suspect that the data breach-chasing colleagues whose conversation I overheard may have public opinion on their side.
1 Reader's comment