This year has seen further record GDPR fines levied by Data Protection Authorities, however, a second “under the radar” risk exists—namely, being sued for damages.
Today we saw a sea-change case (Lloyd v Google) ruling by the UK Supreme Court that saw the Big Tech company avoid a potential £3 billion “class action” damages claim.
However, the door was left open to future damages and compensation claims for data law missteps.

Today saw an eagerly awaited ruling from the UK Supreme Court in the case of Lloyd v Google. The case concerned the so-called “safari workaround,” which placed cookies on the devices of millions of iPhone users between 2011 and 2012 allegedly without obtaining the necessary consent of the users. By doing so, Google was able to obtain information about these users and their browsing activities, which it leveraged in order to present targeted adverts on behalf of its advertiser clients, in breach of European data privacy law.

The claim was initiated in 2017 as a “representative action,” a type of action in which the claimant (Mr. Lloyd) could bring a claim on behalf of a class of individuals who share the same interest. In the current case, this class of individuals sharing the same interest was users of Apple’s iPhone browser, Safari, between 2011 and 2012. The action bears resemblance to the opt-out class actions that are more common in the United States but have rarely been seen in the UK due to the courts’ narrow interpretation of the relevant Civil Procedure Rules.

Before the claim itself could be heard, Mr. Lloyd needed permission from the UK courts to serve the proceedings on Google in the United States (i.e., out of the Court’s jurisdiction). This application failed before the High Court, where the judge ruled that no damage had been suffered by the relevant individuals, and that they did not share the same interest as required to bring the representative action. However, the Court of Appeal overturned this decision, finding that: (i) “loss of control of personal data” was a damage in and of itself and could therefore give rise to compensation; and (ii) the parties represented by Mr. Lloyd all shared a common interest. Google appealed this decision to the Supreme Court.

The Supreme Court ruled that Mr. Lloyd’s claim should have followed a two-stage procedural approach and could not succeed for two main reasons. Firstly, correct interpretation of section 13 of the Data Protection Act 1998 required identifying the financial loss or mental distress suffered by the individuals in question (not a uniform amount argued by Mr. Lloyd) and, secondly, to succeed, one has to prove what unlawful processing by Google relating to a given individual occurred.

If Google had lost today, it would have opened the door to a potential multi-billion dollar claim and possible future “opt-out” class actions in the UK. This was, therefore, one of the most significant data privacy cases heard by the UK courts.

That said, and even though Google will be pleased with this ruling (litigation funders less so), the court left the door open to future damages claims. Lord Leggatt made clear that this ruling is not to be a bar to compensation claims and that in this case a representative claim could have been brought following a two-tier approach, to establish if Google had breached privacy laws first and then used as a basis for pursuing individual claims for compensation.

Rather than close off potential compensation claims, therefore, while opt-out UK class actions have been nixed, the Supreme Court has left open that Pandora’s Box of litigation.

This case was also interesting given the input of the data regulator in the UK (the ICO). The ICO was supportive of Mr. Lloyd’s case that compensation should be awarded for “loss of control” of personal data.

This ruling also came in the context of the past year, which has further seen new compliance initiatives from regulators and a significant increase in enforcement (e.g. there have been further multi-million dollar fines levied).

Since the GDPR came into force, businesses have been coming to terms with the need to update their data privacy practices, policies and business models. This possibility of damages claims combined with more aggressive regulator action and huge fines now adds a “double jeopardy” to the mix.

To reduce risk, it would therefore be timely for businesses to undertake a fresh review of data practices and policies and make updates to reflect these recent developments.

These and any accompanying materials are not legal advice, are not a complete summary of the subject matter, and are subject to the terms of use found at: https://www.pillsburylaw.com/en/terms-of-use.html. We recommend that you obtain separate legal advice.