The case concerns the so-called “safari workaround,” which placed cookies on the devices of millions of iPhone users between 2011 and 2012 without obtaining the necessary consent of the relevant users. By doing so, Google was able to obtain information about these users and their browsing activities, which it leveraged in order to present targeted adverts on behalf of its advertiser clients, in breach of European data privacy law.
The claim was initiated in 2017 as a “representative action,” a type of action in which the claimant (Mr. Lloyd) could bring a claim on behalf of a class of individuals who share the same interest. In the current case, this class of individuals sharing the same interest was users of Apple’s iPhone browser, Safari, between 2011 and 2012. The action bears resemblance to the opt-out class actions that are more common in the United States but have rarely been seen in the UK due to the courts’ narrow interpretation of the relevant Civil Procedure Rules.
Before the claim itself can be heard, Mr. Lloyd needs permission from the UK courts to serve the proceedings on Google in the United States (i.e., out of the Court’s jurisdiction). This application failed before the High Court, where the judge ruled that no damage had been suffered by the relevant individuals, and that they did not share the same interest as required to bring the representative action. However, the Court of Appeal overturned this decision, finding that: (i) “loss of control of personal data” was a damage in and of itself and could therefore give rise to compensation; and (ii) the parties represented by Mr. Lloyd all shared a common interest. Google appealed this decision to the Supreme Court, which gives rise to the current hearing.
This is arguably one of the most significant data privacy cases heard by the UK courts. Ask anyone in the industry, and they will tell you that Big Tech is watching with interest (and a good deal of concern) given the possible impact of the outcome. Even if Google emerges unscathed from the Supreme Court, the fact that the Court of Appeal even allowed this first-of-its-kind class action case to proceed will set teeth on edge at the thought of a flurry of further class action suits.
We’re still at the early stages of the case, but some commentary risks misleading businesses. Even if Google were to lose, it has been suggested that the Court could water down the mooted £3 Billion liability to the point where it wasn’t worth pursuing action. If this were to happen, however, any champagne popping would be premature.We would be in the calm before the storm as the Court would still essentially have opened the Pandora’s Box of litigation. You only have to look at the explosion of consumer complaints to the Information Commissioner’s Office (ICO) to see we’re now living in a world where individuals are much more conscious of their privacy rights and prepared to exercise them. Further, a number of claimant-focused law firms have recently emerged, and existing big players in this market have ramped up their advertising with data protection and data breach claims seen by many as the next personal injury. As such, we may have just seen the class action touchpaper lit.
Since the GDPR came into force, businesses have been coming to terms with the need to update their data privacy practices, policies and business models to avoid the risk of potentially huge (four percent of global revenue/turnover) fines. This now adds a “double jeopardy” to the mix.
From a legal perspective, this case represents one of the first opt-out representative actions to come before UK courts. Typically, such cases are opt-in, requiring applicants to secure the consent of all those pursuing the case. Now, we’re seeing the UK move toward an American model where representative actions are made on behalf of everyone who is a member of a particular class of claimant–that we’re even seeing this case enter the court is significant in itself.