Series
Blogs
UK – Lloyd v Google: A one-off or the floodgates opening for privacy class actions?
UK – Lloyd v Google: A one-off or the floodgates opening for privacy class actions?
4 October 2019
Series
Blogs
4 October 2019
The Court of Appeal has allowed a representative action against Google to proceed, thus potentially opening the way for opt-out class actions for privacy breaches. We consider the wider implications for privacy litigation.
This case arose out of the “Safari Workaround” - essentially Google’s use of a technical workaround to bypass the cookie settings on the Safari browser and place tracking cookies without the individual’s knowledge or consent. This was a clear breach of privacy laws by Google which was fined by US regulators.
Mr Lloyd launched a representative action against Google for this breach. The use of a representative action is important as it is a form of “opt-out” litigation - the claim is made on behalf of everyone who is a member of a particular class of claimant. It contrasts with a Group Litigation Order, such as that used in the Morrisons’ litigation (here), which is “opt-in” and requires individual claimants to decide to become party to the litigation.
This opt-out structure allowed Mr Lloyd to claim on behalf of more than 4 million affected individuals in England and Wales. This could lead to significant liability. Mr Lloyd suggested they should receive approximately £750 compensation each, which indicates a total liability for Google of up to £3 billion.
The High Court dismissed the claim describing it as “officious litigation, embarked upon on behalf of individuals who have not authorised it, and have shown no interest in seeking any remedy for, or even complaining about, the alleged breaches”.
However, the Court of Appeal reversed this decision and allowed the representative claim to proceed. It has done so on the basis of three key findings:
While Mr Lloyd is claiming £750 per head, the Court’s findings might suggest a much lower figure. In particular, for the claimants to all have the “same interest” their claim must not only be limited to a claim for loss of control, but must also be based on the “lowest common denominator”.
In other words, it appears that the claim must be based on something like a single use of the Safari browser and a single instance of that user’s browsing data being unlawfully obtained by Google. While the Court states the damages “will not be nothing”, it remains to be seen if they will be next to nothing. There is a risk the litigation may turn out to “not merely not have been worth the candle, it will not have been worth the wick” (Jameel v Dow Jones [2005] EWCA Civ 75).
The other important issue is whether this case is a one-off based on the exceptional circumstances of the Safari workaround or is the basis for representative actions to be brought in other cases.
Much of the judgment suggests that this may be peculiar to its facts. Vos LJ’s criticism of Google is trenchant referring to “clear, repeated and widespread breaches of Google's data processing obligations and violations of the Convention and the Charter” and the individuals’ personal data being “deliberately and unlawfully misused, for Google's commercial purposes, without their consent and in violation of their established right to privacy”.
Moreover, the Court clearly states that there is a threshold of seriousness. A claim for loss of control of personal data would not arise in relation to “an accidental one-off data breach that was quickly remedied”. Instead, in such a case, the individual would likely need to prove actual damage, non-material damage or distress.
Perhaps the most important takeaway from this judgment is how seriously the Court of Appeal takes the fundamental right to privacy and data protection.
Representative actions may well remain rare and limited to situations in which there is a deliberate and widespread misuse of data, but claims for breach of data protection in other contexts seem likely to find a sympathetic reception in the English courts. For businesses who are subject to obligations to notify individuals about privacy failures – particularly long-term security breaches – there are likely to be representative actions brought against them, irrespective of their longer term merits, as a result of this decision. US readers may well feel that is no more than a correction of UK practice, bringing the launch of privacy related class actions in the UK more into line with that of the US; but that won’t reduce the likely impact on UK plc.
Google have said they will appeal the decision. Even if that appeal is lost, there will need to be a substantive hearing to consider liability and, more importantly, quantum.
Lloyd v Google LLC [2019] EWCA Civ 1599 is available here.