The Supreme Court’s pending decision could potentially open the floodgates for data privacy litigation going forward.
On 28 and 29 April 2021 the Supreme Court heard the much-anticipated appeal by Google against the 2019 Court of Appeal decision, which granted Mr Lloyd permission to serve a representative action on Google in the US on behalf approximately 4.4 million iPhone users. Whilst we still await the outcome, the Supreme Court’s decision could potentially open the floodgates in terms of data privacy litigation going forward.
The action brought by Mr Lloyd relates to Google’s so-called “Safari Workaround” method used during 2011 and 2012, whereby Google allegedly set its DoubleAd Click cookie to track and collect information about iPhone users’ internet activity (known as “browser generated information”) without their knowledge or consent, in breach of the Data Protection Act 1998. It is alleged that Google aggregated the browser generated information in order to classify users into groups such as “current affairs enthusiasts” or “football lovers” and then sold their data to advertisers who wanted to target specific groups of people.
The notable point is that Mr Lloyd is not alleging that he (nor any of the claimants that he is seeking to represent) have suffered financial loss or distress; merely that they should be compensated for the loss of control of their personal data.
The claim is brought under Civil Procedure Rule (“CPR”) 19.6 which allows an individual to act as a representative on behalf of a defined class of claimants, provided that all claimants have the “same interest”.
In granting permission to Mr Lloyd to serve his claim on Google, the Court of Appeal made two key findings:
The Court of Appeal stated “it is impossible to imagine that Google could raise any defence to one represented claimant that did not apply to all others. The wrong is the same, and the loss claimed is the same”. The Court of Appeal found that it could exercise its discretion to allow the claim to proceed under CPR 19.6.
Should the Supreme Court take the same view as the Court of Appeal, this will represent a seismic shift in the data privacy litigation landscape, impacting on both the ease with which representative actions can be brought (signifying a move to US style “opt out” actions), and lowering the bar in terms of the type of damage that can be claimed (i.e. loss of control of personal data without having to show financial loss or distress). This combined with:
is bound to open the floodgates to a wide range of claims for breaches of data protection legislation.
Whilst this is a case heard under the Data Protection Act 1998, the principles apply to compensation claims made under the EU and UK GDPRs. Indeed, it may serve to clarify the position in Recital 85 which suggests that loss of control of personal data is a type of damage in relation to personal data breaches.
Here are some practical steps you can take now to protect your organisation against the types of claims described above.
Settlement agreements are commonplace in an employment context and are ordinarily used to provide the parties to the agreement with certainty following the conclusion of an employment relationship.
Claims arising from interest-only mortgages have been farmed in volume. Many such claims to date have sought to drive a narrative that interest-only mortgages are an inherently toxic product and brokers were negligent simply for suggesting them. Taylor is a helpful recalibration, focussing instead on what the monies raised by the mortgage product were being used for and whether the client understood the inherent risks.
A deepfake of Bruce Willis is advertising Russian mobile phones. Many great artistic and metaphysical questions are raised by this performance. However, this article is going to look at the intellectual property law implications, from a UK perspective.
The Digital Services Act (the “DSA”) has today (27 October) been given the go-ahead by the EU Council and will enter into force by early 2024.
In a judgment handed down yesterday the Supreme Court has affirmed that a so called “creditor duty” exists for directors such that in some circumstances company directors are required to act in accordance with, or to consider the interests of creditors. Those circumstances potentially arise when a company is insolvent or where there is a “probability” of an insolvency. We explore below the “trigger” for such a test to apply and its implications.
Created at the end of the Brexit transition period, Retained EU Law is a category of domestic law that consists of EU-derived legislation retained in our domestic legal framework by the European Union (Withdrawal) Act 2018. This was never intended to be a permanent arrangement as parliament promised to deal with retained EU law through the Retained EU Law (Revocation and Reform) Bill (the “Bill”).
Practice Direction 57AC (“PD57AC”) relates to witness evidence in trials and explicitly applies only to the Business and Property Courts. It applies to existing proceedings in which the witness statements for trial are signed on or after 6 April 2021.
It is clear that the digital landscape, often termed cyberspace, is a man-made environment, in which human behaviour dominates and where technology both influences and aids our role in it — through the internet, telecoms and networked computer systems, which are often interdependent. The extent to which any organisation is potentially vulnerable to cyber-attack depends on how well these elements are aligned.
The Supreme Court has unanimously dismissed the BTI v Sequana appeal and reviewed the existence, content and engagement of the so-called ‘creditor duty’; being the point at which the interest of creditors is said to intrude upon the decision-making of directors of companies in financial distress.
The increased use of artificial intelligence (AI) is revolutionising the way businesses operate and is having a disruptive impact in sectors that have traditionally been slow to modernise.
Since the UK left the EU and are now able to move away from the EU data protection regime, the UK government have implemented a national data strategy with the aim of reducing the burden on organisations but maintaining a high data protection standard.
In this article we look at local authority companies and whether they are subject to the Freedom of Information Act 2000. And for those that are, what information are they legally obliged to submit.
The Digital Markets Act (the “DMA”) joins the dots between competition law and data protection law and actively targets data-driven platforms. It is also a comprehensive regulation to take note of, with familiar GDPR-style fines tied to turnover.
In November 2021, The Civil Justice Council’s published its interim report on proposed changes to the current Pre-Action Protocols, which included a mandatory Alternative Dispute Resolution (ADR) gateway. In this article, we look at proposed reforms and consider what this could mean for your case.
The use of social media platforms and applications can have overwhelmingly positive benefits for public bodies. However, regulatory action recently taken by the Information Commissioner, has highlighted various pitfalls that public bodies should seek to avoid if allowing staff to use social media as a communication tool.
Janice Walsh applied for a job with Domino’s Pizza, hoping to secure a role as a Delivery Driver. However things quickly took a turn for the worse during her initial interview, with the very first question that she was asked relating to her age. Ms Walsh was ultimately informed that she had not been successful in her application.
The Court of Appeal has dismissed two cases regarding rent arrears accrued during the Covid lockdowns. The cases are London Trocadero (2015) LLP v Picturehouse Cinemas Ltd and Bank of New York Mellon (International) Ltd v Cine-UK Ltd.
In the recent case of Dwyer (UK Franchising) Limited v Fredbar Limited and ano’r [2022] EWCA Civ 889, the Court of Appeal considered the reasonableness of restrictive covenants in a franchise agreement.
The data protection legislation (namely, the UK GDPR and Data Protection Act 2018) contain various provisions that deal with the processing of personal data for research purposes.
The Employment Appeal Tribunal (EAT) decision in the case of Warburton v The Chief Constable.
Restrictive covenants are widely recognised as a complex area of employment law that is of key importance to many organisations. However more recently, they have become a hot topic with the Government launching their consultation.
In Nissan v Passi, the High Court recently considered the issue of an employee retaining confidential documents belonging to his former employer in the context of the employer’s application for an injunction seeking the return of such documents from the employee.
Public bodies will be pleased to hear that another significant court decision (Ali v Luton Borough Council [2022] EWHC 132 (QB)) has been made that is favourable to data controllers.
We regularly encounter disputes relating to Service Level Agreement provisions - here we provide four top tips that you can use to minimise disputes.
The Highway Code has had its first major revision since 2007. Amongst several changes, a new hierarchy has been created, with road users who are most likely to cause harm having the greatest responsibility to reduce the threat they may pose to other road users (rule 204 of the Code).
This article has five excellent top tips for strong data compliance in 2022, including; embracing near misses, leading from the top, outcomes-focused training, learning walks, consequences.
We were delighted to be joined by Dr Nigel Sturrock, Regional Medical Director for the Midlands at NHS England and NHS Improvement. He gave an overview of the pressures placed on the NHS by the pandemic, including the impact on urgent and emergency care, elective procedures and staffing.