Lloyd vs. Google: Google Battles Landmark UK Class Action

The UK Supreme Court, the final court of appeal in civil cases, is reviewing an appeal by Google of a proposed multi-billion-pound class action on alleged tracking of millions of iPhone users in 2011.

The Court of Appeals granted Richard Lloyd, the named plaintiff, permission to serve a representative claim. Mr. Lloyd is seeking to extend Britain’s class action laws. The claim against Google is being brought on behalf of an estimated 4.4 million iPhone users alleging Google unlawfully gathered and exploited browser generated information on Apple’s Safari browser in breach of section 4(4) of the UK Data Protection Act 1998. Mr. Lloyd alleges that between 2011 and 2012, Google cookies collected data on health, race, ethnicity, sexuality, and financial resources through Apple’s Safari web browser even when users had chosen a “do not track” privacy setting and used this information to sell lucrative, targeted advertising services.

Lloyd is seeking between 1.5-3 billion pounds in damages. The case hinges on what damages can be recovered by consumers for data breaches and whether class actions by an individual can be used to claim them. “If the judgment goes in favour of the claimants, we will see the floodgates open to a tsunami of representative data class actions in the UK,” said Julian Copeman, a partner at Herbert Smith Freehills.

Mr. Antony White, a lawyer for Google, argued that any lawsuit seeking redress under English laws must demonstrate that claimants suffered damages from a data breach. “It is not my case that loss of personal data may not have serious consequences, but it may not always do so in a way that attracts compensation,” adding that any uniform award would fail to consider different phone usage, different data, and inherently different damages.

In October 2018, the High Court dismissed the case, but the Court of Appeal overturned the decision in October 2019. Google is arguing the case should be dismissed on the grounds that the claimants have shown insufficient evidence users were adversely affected. Google has also argued that there were potentially millions of Britons affected by the workaround and nobody can tell how many people suffered damage and that there should be a distinction drawn between loss of control and damages.

The Safari workaround Google used was first revealed by a researcher at Stanford in Feb. 2012. The workaround allowed Google to bypass the privacy security settings on Apple’s iPhone Safari browser to track people’s online activity. Google disabled the code in 2012.

The Supreme Court is reviewing two issues:

1. a non-trivial infringement of the UK Data Protection Act which does not cause any material damage or disclosure can nevertheless result in “uniform per capita” damages being awarded for “loss of control” of personal data; and

2. It is not necessary for members of a class to be identified in order to demonstrate the “same interest” when pursuing a representative class action under CPR 19.6(1)

Two days of arguments, April 28th and 29th, were heard but a judgment is not expected for a few weeks. The concern is what the implications will follow. If the Supreme Court allows Mr. Lloyd to bring this claim on behalf of a class, many similar class action cases will follow.

Historically, in the UK class actions could only be brought on an opt-in basis meaning all those involved had to give their consent. For example, the long-running case with British Airways was until last week gathering interested parties resulting from a data breach in 2018. There is a similar case involving TikTok recently launched by the former children’s commissioner on behalf of millions of children in the EU and UK.

A decision in Mr. Lloyd’s favour would pave the way for new “opt-out” representative actions, which would automatically bind a defined group into a lawsuit unless individuals opt out. Critics argue this will lead to claims without merit driven by the potential of lush pay-outs for litigators and their funders. Proponents, on the other hand, argue that class actions will allow easier access to justice, especially when individual claims are too small to be pursued individually and that the alternative “opt in” lawsuits require intense resources and are overly time-consuming limiting access to courts and ultimately, access to justice.

Join your peers and get the latest GRC, Privacy, Security and Regulatory updates delivered straight to your inbox

Read more about our tailor-made software for data privacy and integrated risk management

Relevant news & insights:

Searching for Guidance on Data Transfers (Still)

Following “Schrems II,” privacy professionals have been waiting for a conclusive answer to the issue of data flows. The European Commission unveiled its draft implementing decision for the new SCCs last November and negotiations over an updated Privacy Shield have been “intensifying.”

Read more »