Google has won an appeal against a class action-style privacy litigation at the UK Supreme Court -- avoiding what could have been up to £3BN in damages had it lost the case.
The long-running litigation was brought by veteran consumer rights campaigner, Richard Lloyd, who, since 2017, has been pursing a collective lawsuit, alleging Google applied a Safari workaround to override iPhone users’ privacy settings in Apple’s Safari browser between 2011 and 2012 -- and seeking compensation for the breach for the estimated 4 million+ UK iPhone users affected.
Lloyd's litigation had sought damages for privacy harms. More broadly, the suit sought to establish that a representative action could be brought in the UK seeking compensation for data protection violations -- despite the lack of generic class action regime in UK law.
However today's unanimous Supreme Court judgment essentially reverts to the High Court's view: Blocking the representative action.
The Supreme Court justices took the view that damage/loss must be suffered to claim compensation and that the need to prove damage/loss on an individual basis cannot be skipped -- meaning compensation cannot simply be applied uniformly for "loss of control" of personal data for each member of the claimed representative class, as the Lloyd litigators had sought.
"Without proof of these matters, a claim for damages cannot succeed," the Supreme Court writes, summarizing its judgement.
The ruling is major blow to UK campaigners' hopes of being able to bring class action-style suits against the tracking industry.
Had Google lost the judgement it would have opened the gate to more representative actions being brought for privacy violations. But with the adtech giant winning the appeal it is likely to put a major chill on UK class action-style suits targeting data-mining tech giants -- which had, in recent years, been attracting commercial litigation funders.
Responding to the judgement today, one law firm, BLM, wrote that the outcome of the case "will be cause for celebration for Google and any organisation that handles significant amounts of data or bases its business model on the use of personal data (as well as their shareholders and/or insurers)".
Another law firm, Linklaters LLP, described the judgement as "a big blow to claimant law firms and funders who had hoped to create a new opt out regime for damages in the data breach sphere".
"We would expect a lot of similar claims issued in its wake now to fall away," added Linklaters' Harriet Ellis, dispute resolution partner in a statement. “Claimant firms will be studying the decision carefully to see if there any viable opt-out class actions that can still be brought. But it looks really tough."
The inescapable message is that reform is needed to extend an “opt out” procedure to consumer and privacy claims to provide real access to justice; and to ensure accountability of large companies to swathes of consumers/users 14/
— Thomas de la Mare (@thebrieftweet) November 10, 2021
We reached out to Mishcon de Reya, which had previously represented Lloyd, for comment. The law firm said that while it previously represented Lloyd in relation to this matter it was not acting in the Supreme Court action.
In a statement, Adam Rose, head of the firm's data practice, added: "Although the defendant prevailed, it would be entirely precipitous to read the ruling as sounding the death knell for compensation claims for data protection breaches."
"Although the Supreme Court found in favour of Google, this was a case primarily about the legal mechanisms to bring such claims under the now-repealed 1998 Data Protection Act, and not about the overarching rights and principles of data protection law. This means that there will undoubtedly still be good arguments, particularly under the new UK GDPR framework, that will permit certain group actions to proceed, and cases where an infringement of data protection law is such that compensation will be appropriate," Rose also said, adding: "The judgment also passes the baton both to Parliament and to the Information Commissioner.
"For Parliament, it may be the case that legislation is required to enable opt-out claims under data protection law to be made more easily. For the Information Commissioner, there is now a pressing need for more robust enforcement action for wilful and mass-scale infringements of the law and to ensure that data subjects are afforded the effective judicial remedy, which is the promise of UK GDPR and the present data protection framework."
In its own response to the Supreme Court judgement, Google avoided any discussion of the case detail -- writing only:
“This claim was related to events that took place a decade ago and that we addressed at the time. People want to know that they are safe and secure online, which is why for years we've focused on building products and infrastructure that respect and protect people's privacy.”
But a spokesperson for the tech giant also pointed to a statement put out by the techUK trade association -- which had intervened in the case in support of Google; and which writes today that "had the appeal been rejected, this would have opened the door for speculative and vexatious claims to be made against data controllers, with far-reaching consequences for both public and private organisations".
The UK trade association goes on to claim that it "does not oppose representative legal action, however, we believe it is right that any action must first seek to establish whether damage has been caused to the individual as a result of a data breach before seeking compensation".
However, as the Supreme Court justices note -- in discussion of the costs of 'opt in' (rather than 'opt out') litigation regimes -- the bar to accessing justice can simply be pushed out of reach in cases where individual claims are only worth a few hundred pounds apiece (in the Lloyd litigation the suggestion was a sum of £750 per person) because the associated case administration costs of processing individual claimants "may easily exceed the potential value of the claim".
So -- to be clear -- techUK is opposing representative legal actions being brought over almost any data violation.
The UK's data protection watchdog, meanwhile, has shown a complete lack of willingness to enforce the law against the data-mining adtech industry -- despite the ICO warning, since 2019, of rampantly unlawful tracking.
While the UK government is also now consulting on weakening the domestic data protection regime.
So the question of how exactly the average UK citizen can obtain the privacy rights UK law claims wraps their information on paper looks, well, pretty murky right now...
So much money on the line today given the other cases relying on Lloyd.
We will see whether the following will proceed:
Rumbul v Salesforce
McCann v Google
A child v TikTok
Jukes v Facebook
Different issues at play in most of these but all suffer a represented class problem.
— Robert Bateman (@RobertJBateman) November 10, 2021
In the US, Google entered into a consent order with the FTC over the Safari cookie tracking issuing a decade ago — agreeing back in 2012 to pay $22.5M to settle the charge that it bypassed Safari’s privacy settings to serve targeted ads to consumers (but without accepting any wrongdoing).
Rights groups have also responded to the Supreme Court judgement by calling for the government to legislate for collective redress.
In a statement the Open Rights Group's executive director, Jim Killock, said: “There must be a way for people to seek redress against massive data breaches, without having to risk their homes, and without relying on the Information Commissioner alone.
“The ICO cannot act in every case, and is sometimes unwilling to do so. We have waited over two years for action against the Adtech industry, which the ICO says is operating unlawfully. There is no sign of action.
“Yet it would be completely unreasonable for someone to risk their home over court fees in cases like this. Without a collective mechanism, that is where we are left: in many cases data protection is very hard to enforce against tech giants.
“The Government should keep its word, and consider implementing collective action under GDPR, which i[t] specifically rejected in February on the grounds that Lloyd vs Google showed that existing rules could provide a path for redress.”