Lloyd v Google – what next?
The Supreme Court’s pending decision could potentially open the floodgates for data privacy litigation going forward.
On 28 and 29 April 2021 the Supreme Court heard the much-anticipated appeal by Google against the 2019 Court of Appeal decision, which granted Mr Lloyd permission to serve a representative action on Google in the US on behalf approximately 4.4 million iPhone users. Whilst we still await the outcome, the Supreme Court’s decision could potentially open the floodgates in terms of data privacy litigation going forward.
The facts
The action brought by Mr Lloyd relates to Google’s so-called “Safari Workaround” method used during 2011 and 2012, whereby Google allegedly set its DoubleAd Click cookie to track and collect information about iPhone users’ internet activity (known as “browser generated information”) without their knowledge or consent, in breach of the Data Protection Act 1998. It is alleged that Google aggregated the browser generated information in order to classify users into groups such as “current affairs enthusiasts” or “football lovers” and then sold their data to advertisers who wanted to target specific groups of people.
The notable point is that Mr Lloyd is not alleging that he (nor any of the claimants that he is seeking to represent) have suffered financial loss or distress; merely that they should be compensated for the loss of control of their personal data.
The claim is brought under Civil Procedure Rule (“CPR”) 19.6 which allows an individual to act as a representative on behalf of a defined class of claimants, provided that all claimants have the “same interest”.
Court of Appeal decision
In granting permission to Mr Lloyd to serve his claim on Google, the Court of Appeal made two key findings:
- that damages are capable of being awarded for loss of control of personal data without the claimant having to prove financial loss or distress; and
- that, on that basis of the above finding, a claim could be brought under CPR 19.6 because each of the individuals that Mr Lloyd is seeking to represent are identifiable and have the “same interest”.
The Court of Appeal stated “it is impossible to imagine that Google could raise any defence to one represented claimant that did not apply to all others. The wrong is the same, and the loss claimed is the same”. The Court of Appeal found that it could exercise its discretion to allow the claim to proceed under CPR 19.6.
Impacts of the Supreme Court decision
Should the Supreme Court take the same view as the Court of Appeal, this will represent a seismic shift in the data privacy litigation landscape, impacting on both the ease with which representative actions can be brought (signifying a move to US style “opt out” actions), and lowering the bar in terms of the type of damage that can be claimed (i.e. loss of control of personal data without having to show financial loss or distress). This combined with:
- individuals becoming increasingly aware of their rights in relation to their personal data, aided in part by claimant law firms advertising for claimants in respect of mass data breaches (e.g. British Airways and Easyjet); and
- an increase in litigation funds backing data privacy class actions,
is bound to open the floodgates to a wide range of claims for breaches of data protection legislation.
Whilst this is a case heard under the Data Protection Act 1998, the principles apply to compensation claims made under the EU and UK GDPRs. Indeed, it may serve to clarify the position in Recital 85 which suggests that loss of control of personal data is a type of damage in relation to personal data breaches.
What should you do now?
Here are some practical steps you can take now to protect your organisation against the types of claims described above.
- Review your cookie practices; in particular your cookie consent mechanism and the information you provide about your cookies (and other similar technologies). It is easy for individual claimants to go on to your website and immediately identify if you are complying with relevant laws and guidance from regulators. We are already seeing letters before action being sent from individual claimants, who have spotted that organisations are not complying with the relevant obligations, seeking a settlement sum or threatening legal claims.
- Review your other external facing privacy documentation, such as privacy policies, to ensure that they are up to date. In particular, there may be changes that are required following Brexit.
- Review your electronic marketing practices to ensure compliance with relevant legislation. In particular, ensure that individuals are provide with an opportunity to opt out of direct marketing. Where an individual does opt out of electronic marketing, ensure that you have robust processes in place to ensure those individuals do not continue to be sent direct marketing communications.
- Review your information security practices and procedures and ensure that you have robust procedures in place to immediately detect and mitigate the impacts of personal data breaches. This includes training all staff to be able to identify a personal data breach and take appropriate steps.
Related expertise
You may be interested in...
Online Event
Shared Insights: Data and Information Governance Issues
Legal Update
Subsidy control lessons to be learnt from Bulb
Legal Update
Vicarious liability – don’t overlook the importance of close connection
Legal Update
Update on data protection claims - Austrian Post Case
Opinion
Practical points from High Court ruling that Tesco has infringed Lidl’s IP rights in its famous yellow circle logo
Opinion
Mediation – remote or in person?
Press Release
Browne Jacobson launches specialist Ascensus programme for in house lawyers and business leaders
Opinion
Confirmation of ACAS early conciliation in the context of multiple claim forms
Published Article
ClientEarth claim may expand scope of directors' duties
Opinion
Mopping up after a leak – how businesses can take steps to protect their confidential information
Legal Update
Cyber security and data breaches
Opinion
The Solicitors Regulation Authority has approval to take over from the Solicitors Indemnity Fund
Legal Update
Embargoed Judgments: A Professional Word of Caution
Press Release
Browne Jacobson’s intellectual property lawyers ranked experts in World Trademark Review guide 2023
Legal Update
Update on the Digital Services Act (“DSA”) – Important Dates and Deadlines Looming
Opinion
Term-time school worker entitled to national minimum wage for unworked basic hours
Legal Update
Government publishes its proposals for expanding the Scope of the Network and Information Systems Regulations 2018
Legal Update - Public matters newsletter
Public matters - January 2023
Opinion
Litigation in 2023 – Reforms on the horizon
Legal Update
Protecting children and their data in the online environment
Legal Update
Settlement agreements – what are the limitations?
Settlement agreements are commonplace in an employment context and are ordinarily used to provide the parties to the agreement with certainty following the conclusion of an employment relationship.
Legal Update
Five “takeaways” in claims against mortgage brokers following Taylor v Legal & General Partnership Services Ltd [2022] EWHC 2475 (Ch)
Claims arising from interest-only mortgages have been farmed in volume. Many such claims to date have sought to drive a narrative that interest-only mortgages are an inherently toxic product and brokers were negligent simply for suggesting them. Taylor is a helpful recalibration, focussing instead on what the monies raised by the mortgage product were being used for and whether the client understood the inherent risks.
Opinion
The Future of Mediation
Published Article
Bruce Willis AI and the problem with deepfakes
A deepfake of Bruce Willis is advertising Russian mobile phones. Many great artistic and metaphysical questions are raised by this performance. However, this article is going to look at the intellectual property law implications, from a UK perspective.
Legal Update
DSA approved: Targeted Advertising Rules explained
The Digital Services Act (the “DSA”) has today (27 October) been given the go-ahead by the EU Council and will enter into force by early 2024.
Legal Update
Trigger happy when directors’ duties are the target?
In a judgment handed down yesterday the Supreme Court has affirmed that a so called “creditor duty” exists for directors such that in some circumstances company directors are required to act in accordance with, or to consider the interests of creditors. Those circumstances potentially arise when a company is insolvent or where there is a “probability” of an insolvency. We explore below the “trigger” for such a test to apply and its implications.
Legal Update
The Retained EU Law
Created at the end of the Brexit transition period, Retained EU Law is a category of domestic law that consists of EU-derived legislation retained in our domestic legal framework by the European Union (Withdrawal) Act 2018. This was never intended to be a permanent arrangement as parliament promised to deal with retained EU law through the Retained EU Law (Revocation and Reform) Bill (the “Bill”).
Legal Update
Failure to comply with PD57AC — it can be costly!
Practice Direction 57AC (“PD57AC”) relates to witness evidence in trials and explicitly applies only to the Business and Property Courts. It applies to existing proceedings in which the witness statements for trial are signed on or after 6 April 2021.
Legal Update
Economic crime and cybercrime
It is clear that the digital landscape, often termed cyberspace, is a man-made environment, in which human behaviour dominates and where technology both influences and aids our role in it — through the internet, telecoms and networked computer systems, which are often interdependent. The extent to which any organisation is potentially vulnerable to cyber-attack depends on how well these elements are aligned.
Opinion
Sequana: Supreme clarification on the duty owed to creditors
The Supreme Court has unanimously dismissed the BTI v Sequana appeal and reviewed the existence, content and engagement of the so-called ‘creditor duty’; being the point at which the interest of creditors is said to intrude upon the decision-making of directors of companies in financial distress.
Legal Update
Common AI related technology project disputes and how to prevent them
The increased use of artificial intelligence (AI) is revolutionising the way businesses operate and is having a disruptive impact in sectors that have traditionally been slow to modernise.
Legal Update
Data reform in the UK
Since the UK left the EU and are now able to move away from the EU data protection regime, the UK government have implemented a national data strategy with the aim of reducing the burden on organisations but maintaining a high data protection standard.
Legal Update
Are local authority companies subject to the Freedom of Information Act 2000?
In this article we look at local authority companies and whether they are subject to the Freedom of Information Act 2000. And for those that are, what information are they legally obliged to submit.
Legal Update
Digital Markets Act and Data Platforms - FRANDs for life?
The Digital Markets Act (the “DMA”) joins the dots between competition law and data protection law and actively targets data-driven platforms. It is also a comprehensive regulation to take note of, with familiar GDPR-style fines tied to turnover.
Legal Update
The Civil Justice Council’s (CJC) proposed reforms to the Pre-Action Protocols (PAPs) and the possible mandatory ADR gateway. What could this mean for your case?
In November 2021, The Civil Justice Council’s published its interim report on proposed changes to the current Pre-Action Protocols, which included a mandatory Alternative Dispute Resolution (ADR) gateway. In this article, we look at proposed reforms and consider what this could mean for your case.
Legal Update
Avoiding the pitfalls of WhatsApp
The use of social media platforms and applications can have overwhelmingly positive benefits for public bodies. However, regulatory action recently taken by the Information Commissioner, has highlighted various pitfalls that public bodies should seek to avoid if allowing staff to use social media as a communication tool.
Opinion
Job applicant receives settlement due to unlawful age discrimination at interview
Janice Walsh applied for a job with Domino’s Pizza, hoping to secure a role as a Delivery Driver. However things quickly took a turn for the worse during her initial interview, with the very first question that she was asked relating to her age. Ms Walsh was ultimately informed that she had not been successful in her application.
Opinion
Covid Rent Arrears: Cinema operators’ appeals dismissed
The Court of Appeal has dismissed two cases regarding rent arrears accrued during the Covid lockdowns. The cases are London Trocadero (2015) LLP v Picturehouse Cinemas Ltd and Bank of New York Mellon (International) Ltd v Cine-UK Ltd.
Opinion
Proceed with caution – covenants in franchise agreements
In the recent case of Dwyer (UK Franchising) Limited v Fredbar Limited and ano’r [2022] EWCA Civ 889, the Court of Appeal considered the reasonableness of restrictive covenants in a franchise agreement.