Google has won an appeal on a class action lawsuit-style privacy lawsuit in the UK Supreme Court – avoiding up to £ 3 billion in damages if the case were lost.
The cross-country skier Litigation was brought forward by veteran consumer rights activist Richard Lloyd, who has been conducting a class action lawsuit since 2017 alleging that between 2011 and 2012, Google used a Safari workaround to override iPhone users’ privacy settings in Apple’s Safari browser – and data breach compensation for the estimated more than 4 million affected UK iPhone users.
Lloyd’s litigation had sought damages for invasion of privacy. In a broader sense, the lawsuit sought to determine that a representative action for damages for a data breach could be brought in the UK – despite the lack of a general class action mechanism in UK law.
Back in 2018 the High Court blocked the lawsuit from proceeding – but the next year The appeals court overturned the verdict and opened the court to hear the lawsuit.
Today’s unanimous Supreme Court judgement essentially relies on the view of the High Court: Blocking the representative action.
The Supreme Court justices held that damage / loss must be suffered in order to claim compensation and that evidence of damage / loss on an individual basis cannot be skipped – ie Compensation cannot simply be uniformly asserted for the “loss of control” of the personal data for each member of the alleged group of representatives, as the Lloyd trial lawyers had demanded.
“Without proof of these facts, a claim for damages cannot be successful,” the Supreme Court sums up its judgment.
The ruling is a heavy blow to UK activists’ hopes of class action-style class action lawsuits against the tracking industry.
If Google had lost the ruling, this would have opened the door to further representative actions for data protection violations. But with the adtech giant won the appeal, there will likely be a big shake up British class action suits targeting data mining tech giants – who had in the past few years, which attracts financiers to commercial litigation.
A law firm responded to today’s verdict, NOT YET, wrote that the outcome of the case “will be a cause for joy for Google and any organization that handles significant amounts of data or bases its business model on the use of personal data (as well as their shareholders and / or insurers)”.
Another law firm, Linklaters LLP, described the ruling as “a severe blow to plaintiff law firms and funders who had hoped to create a new opt-out regime for data breach damages.”
“We would expect that many of the similar lawsuits that have now been brought in the wake of this would fall away,” added Harriet Ellis of Linklaters, dispute settlement partner, in a statement. “Plaintiff companies will carefully review the decision to see whether viable opt-out class actions can still be brought. But it looks really tough. “
We asked Mishcon de Reya, the law firm that Lloyd represents, for a comment.
In its own response to the Supreme Court ruling, Google avoided discussing the details of the case – and only wrote:
“That claim related to events that took place a decade ago and which we addressed at the time. People want to know that they are safe and secure online. That is why we have been concentrating for years on building products and infrastructures that respect and protect people’s privacy. “
A spokesman for the tech giant also referred to a statement by the techUK Employer’s liability insurance association – the intervened in the case in support of Google; and who writes today that “if the appeal had been denied, this would have opened the door” Bringing speculative and harassing claims against data controllers, with far-reaching consequences for both public and private organizations ”.
The UK Trade Association goes on to claim that it “does not oppose representative actions, but we believe it is right that any lawsuit must first determine whether the individual has been harmed by a data breach before filing it”. Compensation”.
However, as the Supreme Court justices note – in relation to the cost of “opt-in” (rather than “opt-out”) litigation – the barrier to access to justice can simply be pushed out of reach if individual claims are just worth it are a few hundred pounds apiece (the Lloyd litigation proposed a rate of £ 750 per person) as the associated case management costs of handling individual claimants “can easily exceed the potential value of the lawsuit”.
So – to be clear – techUK rejects representative lawsuits that are initiated over almost any data breach.
The UK’s privacy watchdog, meanwhile, has shown a total lack of willingness to enforce the law against the data mining adtech industry – despite the ICO warning that since 2019, of rampant unlawful persecution.
While The British government is now also discussing a slowdown the national data protection regime.
So the question of how exactly the average UK citizen can get the privacy rights claimed by UK law looks pretty grim right now …
So much money is at stake today, considering the other cases rely on Lloyd.
We’ll see if the following continues:
Rumble versus Salesforce
McCann on Google
One child against TikTok
Jukes versus Facebook
Various problems play a role in most of them, but all suffer from a represented class problem.
– Robert Bateman (@RobertJBateman) November 10, 2021
In the US, Google received an approval order with the FTC via Safari cookie tracking released a decade ago – already agreed in 2012, $ 22.5 million
Human rights groups have responded to the Supreme Court ruling by calling on the government to launch collective redress.
In a statement the Open rights groupJim Killock’s executive director said, “There must be a way for people to seek redress against massive data breaches without putting their homes at risk and without relying on the Information Commissioner alone.
“The ICO cannot and is sometimes unwilling to act in every case. We have waited over two years for action against the adtech industry, which, according to the ICO, is operating illegally. There is no sign of action.
“Still, it would be totally inappropriate for someone to risk their home on court fees in such cases. Without a collective mechanism we stay there: in many cases, data protection is very difficult to enforce against tech giants.
“The government should keep its word and consider implementing collective action under the GDPR, which d[t] expressly rejected in February on the grounds that Lloyd vs. Google had shown that the existing rules could offer a way to redress. “