Google has won an appeal against a class action-style privacy litigation at the UK Supreme Court — avoiding what could have been up to £3BN in damages had it lost the case.
The long-running litigation was brought by veteran consumer rights campaigner, Richard Lloyd, who, since 2017, has been pursuing a collective lawsuit, alleging Google applied a Safari workaround to override iPhone users’ privacy settings in Apple’s Safari browser between 2011 and 2012 — and seeking compensation for the breach for the estimated 4 million+ UK iPhone users affected.
Lloyd’s litigation had sought damages for privacy harms. More broadly, the suit sought to establish that a representative action could be brought in the UK seeking compensation for data protection violations — despite the lack of a generic class action regime in UK law.
However, today’s unanimous Supreme Court judgment essentially reverts to the High Court’s view: blocking the representative action.
The Supreme Court justices took the view that damage/loss must be suffered to claim compensation and that the need to prove damage/loss on an individual basis cannot be skipped — meaning compensation cannot simply be applied uniformly for “loss of control” of personal data for each member of the claimed representative class, as the Lloyd litigators had sought.
“Without proof of these matters, a claim for damages cannot succeed,” the Supreme Court writes, summarizing its judgement.
The ruling is a major blow to UK campaigners’ hopes of being able to bring class action-style suits against the tracking industry.
Had Google lost the judgement it would have opened the gate to more representative actions being brought for privacy violations. But with the adtech giant winning the appeal it is likely to put a major chill on UK class action-style suits targeting data-mining tech giants — which had, in recent years, been attracting commercial litigation funders.
Responding to the judgement today, one law firm, BLM, wrote that the outcome of the case “will be cause for celebration for Google and any organisation that handles significant amounts of data or bases its business model on the use of personal data (as well as their shareholders and/or insurers)”.
Another law firm, Linklaters LLP, described the judgement as “a big blow to claimant law firms and funders who had hoped to create a new opt out regime for damages in the data breach sphere”.
“We would expect a lot of similar claims issued in its wake now to fall away,” added Linklaters’ Harriet Ellis, dispute resolution partner, in a statement. “Claimant firms will be studying the decision carefully to see if there are any viable opt-out class actions that can still be brought. But it looks really tough.”
We’ve reached out to Mishcon de Reya, the law firm representing Lloyd, for comment.
In its own response to the Supreme Court judgement, Google avoided any discussion of the case detail — writing only:
“This claim was related to events that took place a decade ago and that we addressed at the time. People want to know that they are safe and secure online, which is why for years we’ve focused on building products and infrastructure that respect and protect people’s privacy.”
But a spokesperson for the tech giant also pointed to a statement put out by the techUK trade association — which had intervened in the case in support of Google; and which writes today that “had the appeal been rejected, this would have opened the door for speculative and vexatious claims to be made against data controllers, with far-reaching consequences for both public and private organisations”.
The UK trade association goes on to claim that it “does not oppose representative legal action, however, we believe it is right that any action must first seek to establish whether damage has been caused to the individual as a result of a data breach before seeking compensation”.
However, as the Supreme Court justices note — in discussion of the costs of ‘opt in’ (rather than ‘opt out’) litigation regimes — the bar to accessing justice can simply be pushed out of reach in cases where individual claims are only worth a few hundred pounds apiece (in the Lloyd litigation the suggestion was a sum of £750 per person) because the associated case administration costs of processing individual claimants “may easily exceed the potential value of the claim”.
So — to be clear — techUK is opposing representative legal actions being brought over almost any data violation.
The UK’s data protection watchdog, meanwhile, has shown a complete lack of willingness to enforce the law against the data-mining adtech industry — despite the ICO warning, since 2019, of rampantly unlawful tracking.
The UK government is also now consulting on weakening the domestic data protection regime.
So the question of how exactly the average UK citizen can obtain the privacy rights that UK law claims, on paper, to wrap around their information looks, well, pretty murky right now…
Rights groups have responded to the Supreme Court judgement by calling for the government to legislate for collective redress.
In a statement, the Open Rights Group’s executive director, Jim Killock, said: “There must be a way for people to seek redress against massive data breaches, without having to risk their homes, and without relying on the Information Commissioner alone.
“The ICO cannot act in every case, and is sometimes unwilling to do so. We have waited over two years for action against the Adtech industry, which the ICO says is operating unlawfully. There is no sign of action.
“Yet it would be completely unreasonable for someone to risk their home over court fees in cases like this. Without a collective mechanism, that is where we are left: in many cases data protection is very hard to enforce against tech giants.
“The Government should keep its word, and consider implementing collective action under GDPR, which i[t] specifically rejected in February on the grounds that Lloyd vs Google showed that existing rules could provide a path for redress.”