The Lloyd vs Google case began with the finding that Google secretly breached the data privacy of Safari browser users through Apple devices, despite assuring them that this would be prevented by default security settings, between 2011 and 2012.
Google responded by stating that the data collection was accidental, and that the corporation did not intend for the feature to bypass the settings.
Consumer rights activist and former director of Which? magazine, Richard Lloyd, alleged that Google breached the core data protection principles with respect to data processed, in relation to more than four million Apple iPhone users, and seeked damages on behalf of the users.
If the court ruled in favour of Lloyd, Google could have been forced into paying up to £3 billion in compensation to users, but today’s verdict will prove a blow to data privacy campaigners, who have been pushing for the payout of damages.
What are the best ways to ensure user privacy?
Challenges from Google
In October 2018, the High Court initially ruled that Lloyd could not serve the claim on Google outside the jurisdiction of England and Wales in October 2018, but this was overturned by the Court of Appeal in October 2019.
Google then objected to that ruling at the Supreme Court, and has now won the case, restoring that original decision.
The corporation’s lawyers argued at the hearing that the landmark ruling could “open the floodgates” to vast claims against companies responsible for handling data.
Antony White QC told the Supreme Court that “a number of substantial representative actions have been commenced seeking compensation for breach of data protection rights” since the Court of Appeal’s judgment.
What’s next for data privacy in the UK?
“Representative” actions “closed off”
In the wake of today’s Supreme Court decision, Nick McAleenan, partner in media law at JMW Solicitors, commented: “On the face of it, this decision is about the intricacies of data breach law, and how very large legal claims can be run in court. However, it is also about balancing the legal rights and interests of ordinary consumers and those of the large organisations which process all of our personal data.
“Parliament has previously declined to introduce legal mechanisms allowing “opt out” data breach class actions, and the Supreme Court’s decision has a similar effect. Group claims remain possible for data breach victims, but one potential avenue for running such a case – “representative” actions – has practically been closed off by this decision.
“It will be interesting to see whether other European countries take a different approach as data breach litigation evolves on the Continent. Also, the decision increases the importance of the Information Commissioner to regulate data law compliance where procedural issues prevent access to justice for data breach victims.”