
Lloyd v Google Supreme Court verdict brings end to privacy class actions against big tech in UK

A ruling by the Supreme Court has left it financially unviable for individuals to bring class actions in the UK against big tech companies for privacy breaches

The Supreme Court has blocked a £3bn lawsuit against Google claiming damages on behalf of iPhone users who were allegedly unlawfully tracked by the search company.

A judge ruled yesterday that a proposed class action brought on behalf of 5.4 million iPhone users in England and Wales had failed to prove that individuals suffered damage from Google’s use of their data.

The court left open the possibility that the people affected could bring individual legal claims against Google for breaching their privacy rights.

But in practice, lawyers said that following the judgment, it was unlikely to be financially viable to fund future group claims, known as representative actions, for privacy breaches.

Representative actions for alleged data protection breaches, including claims against TikTok, Facebook and Marriott Hotels, are now unlikely to go ahead, David Barker, partner at law firm Pinsent Masons, wrote in a blog post.

The claim was brought by Richard Lloyd, a consumer rights campaigner and former executive director of the consumer organisation Which?, and funded by Therium Litigation Funding IC, a commercial litigation funder.

The Supreme Court overturned a verdict by the Court of Appeal in February 2012 that had given Lloyd permission to serve legal proceedings on Google, a decision that lawyers claimed had left tech companies open to significant liabilities.

Speaking after the hearing, Lloyd said his supporters were “bitterly disappointed” that the Supreme Court had failed to protect the public from big tech companies that break the law.

“Although the court once again recognised that our action is the only practical way that millions of British people can get access to fair redress, they’ve slammed the door shut on this case by ruling that everyone affected must go to court individually,” he said.

Lloyd argued that Google had secretly tracked the internet activity of millions of iPhone users and had unlawfully used their data to target them with advertisements, between 9 August 2011 and 15 February 2012.

The tech company agreed to pay multimillion-dollar settlements to the US Federal Trade Commission in 2012 and to 37 US state attorneys general in 2013 to settle the allegations in the US.

Google allegedly used a technical workaround to plant a DoubleClick ad cookie on the iPhone’s Safari browser, which unlawfully collected personal information about people’s activities.

Google is alleged to have harvested information about the date and time iPhone owners visited websites, which pages they looked at and for how long, and their IP addresses, in breach of the 1998 Data Protection Act.

Lloyd argued that Google was able to use the data to deduce information about users’ interests, habits, race or ethnicity, political and religious views, sexuality and health, plus information about their finances and other sensitive topics.

The court found in a 60-page judgment that Lloyd had failed to prove that Google had made unlawful use of personal data belonging to individuals represented by the action, or that individuals had suffered damage as a result of Google’s use of their data.

His attempt to recover compensation under the Data Protection Act 1998 was “therefore doomed to fail”, it said.

Supreme Court judge Lord George Leggatt found that the legal challenge was flawed because it sought the same compensation for every Safari user.

Some claimants would have been heavy internet users, who would have supplied Google with “considerable amounts” of information, while others would have carried out very little internet browsing, he wrote.

The sensitivity of the data collected on each user, which could include information such as their sexuality or ethnicity, would also vary. And individuals would have different attitudes towards Google’s acquisition, disclosure and use of the data, the judge wrote.

Claims need evidence of damage

The court found that it would have been open to Lloyd to claim damages for distress caused by Google’s actions or damages for the misuse of private information under the Data Protection Act 1998.

That would have required Lloyd to provide evidence of the information collected by Google from individual claimants, for example by producing a confidential schedule of their internet use, as has happened in other cases, and to produce evidence of the distress it caused.

Instead, Lloyd sought to break new ground by arguing that claimants should be able to recover damages without having to prove that any interference in their privacy rights resulted in material damage or distress.

Lloyd also argued that users should be compensated on the basis that they were subject to “loss of control” of their personal data as a result of the alleged actions by Google.

But the judge found that section 13 of the Data Protection Act 1998 “cannot be reasonably interpreted as giving an individual a right to compensation without proof of material damage or distress”.

European Convention on Human Rights

A decision by the European Court of Human Rights to award compensation of £10,000 to a senior police officer after her employer intercepted her phone calls in violation of Article 8 of the European Convention on Human Rights was not relevant in this case, the Supreme Court found.

Even if the court had awarded compensation because the police officer’s right to privacy had been invaded rather than because of any distress caused by the breach, that did not mean that under UK law, the European Convention on Human Rights required the court to award damages simply for the loss of privacy.

“Stripped to its essentials, what the claimant is seeking to do is claim for each member of the represented class a form of damages – the rationale for which depends on there being a violation of privacy – while avoiding the need to show a violation of privacy in case of any individual member of the class,” the judgment said. “This is a flawed endeavour.”

The court found that it would be anomalous if failure to take care to protect personal data gave claimants the right to compensation without proof that the claimant suffered damage, when failure to prevent personal injury or damage to property does require proof of harm.

The Supreme Court accepted that Google was allegedly able to make a lot of money by tracking the browsing history of iPhone users without their consent and selling the information collected to advertisers.

“Where the defendant’s very purpose in wrongfully obtaining and using private information is to exploit its commercial value, the law should not be prissy about awarding compensation,” the judgment found.

But the judge found this point did not arise in practice. Compensation can only be awarded under the Data Protection Act 1998 for material damage or distress, not for the infringement itself.

Even if this was not the case, the court found that it would still be necessary to consider how Google had made use of an individual’s private data to determine what damages the individual was entitled to.

Lloyd argued that it was possible to identify an “irreducible minimum harm” suffered by every member represented by the class action and to award a “uniform sum” to each person.

But the judge found that “the fundamental problem” was that without taking individual circumstances into account, the alleged facts were insufficient to establish that any member represented by the class action was entitled to damages.

“Without some proof of unlawful processing of an individual’s personal data…a claim on behalf of that individual has no prospect of meeting the threshold for an award of damages,” the judge found.

Even if “user damages” could be recovered, the inability to prove what wrongful use was made by Google of the personal data of any individual means that the damages awarded would be nil, he said.

Google agreed to pay a $22.5m settlement in August 2012 to the US Federal Trade Commission to settle charges that it had made misrepresentations to iPhone users.

The company was alleged to have made representations that it would not place tracking cookies on users of Safari or serve them with targeted advertising.

It agreed to pay $17m to settle actions brought by US state attorneys general from 37 US states and the District of Columbia on behalf of consumers affected by the alleged privacy breach.

In June 2013, Google reached a settlement with three people who sought compensation from it for breaches of the Data Protection Act in the UK.

The Information Commissioner’s Office found in a 2019 report that adtech companies were breaching the General Data Protection Regulation (GDPR) rights of UK citizens, but has yet to take enforcement action.

Dark day for privacy

Speaking after the ruling, Lloyd said the judgment meant there is little incentive for companies like Google to protect consumers.

“The government must now step in to make the system clearer and stronger by bringing in the right for groups of consumers to take action together under the Data Protection Act,” he said. “The responsibility to protect our privacy, data rights and collective action is squarely back with the government.”

Lloyd’s solicitor, James Oldnall, managing partner at Milberg London, said the decision meant that big tech companies could misuse people’s data with impunity.

“The ruling gives Google and the rest of Big Tech the green light to continue misusing our data without consent, knowing they will go unpunished,” he said. “It is a dark day when corporate greed is valued over our right to privacy.”

Jim Killock, executive director of the Open Rights Group, which intervened in the case, said that without the ability to bring class actions, individuals would not be able to afford to take enforcement action against big tech companies.

“There must be a way for people to seek redress against massive data breaches without having to risk their homes and without relying on the information commissioner alone,” he said.

Killock called for the government to reconsider allowing class actions under the GDPR, after rejecting it in February on the grounds that Lloyd’s case against Google showed that existing rules could provide a path to redress.

Tech companies faced detrimental impact

Matthew Fell, chief policy director at employers’ organisation the CBI, said allowing the class action to go ahead would have had damaging consequences for technology companies.

“Introducing a US-style class action could have put a chill on investment and would have had a detrimental impact on firms across the economy without improving access to justice for the majority of consumers,” he said.

Law firm RPC represented TechUK, an intervening party in the Supreme Court hearing. David Cran, partner and head of IP and technology at the firm, said that until this ruling, tech companies had been left exposed to significant potential liabilities.

“The Supreme Court’s judgment has firmly rejected the basis of this class action and many others that were waiting in the wings,” he said. “It is likely to have a very significant impact on UK industry.”

Door to class actions closed in UK

Rupert Cowper-Coles, data disputes partner at RPC, said that although the Supreme Court has in principle left the door open for class actions – known as representative actions – to be brought for data protection breaches, in most cases it would not be financially viable to do so.

“The rejection of the concept of ‘loss of control’ damages and the requirement that individuals must prove they have suffered damage means that a representative action is unlikely to be a financially viable option for legal advisers and funders in most cases,” he said.
