top of page

LLOYD V GOOGLE: UK SUPREME COURT CLOSES DOOR ON DATA PROTECTION CLASS ACTION

Writer's picture: Niclas JohannNiclas Johann
Apr 7, 20223 min read

On 10 November 2021, the Uk Supreme Court delivered its judgement in the much-discussed case of Llyod v Google. Lloyd had tried to sue Google in the name of over 4 million iPhone users in England and Wales that had allegedly suffered the loss of control over their personal data due to Google's unlawful use of the Safari Workaround. This technical exploit had allowed Google to place third-party tracking cookies on the safari browsers of iPhone users without their consent in 2011 and 2012.


Lloyd sought permission for a representative action lawsuit arguing that every user had suffered a 'minimum harm' by losing control over their data. He contended that this established the 'same interest' amongst class members he sought to represent as required by rule 19.6 of the Civil Procedure Rules (CPR). This reasoning was supported by the Information Commissioner (ICO; the UK's Data Protection Authority), which intervened as a third party. The total claim amounted to £3.3 billion, derived from a suggested award of £750 per person.


In the first instance, the Court ruled in Google's favour that Lloyd did not meet the requirements for a representative action. However, the Court of appeal subsequently overturned this judgment, granting Lloyd permission to pursue the claim further.


In its recent and final judgment, the Supreme Court again sided with Google and rejected Lloyd's arguments for applying a class-action lawsuit. It found that the Data Protection Act 1998 (DPA 1998) only grants a right to compensation where data subjects can prove material damage or distress. Although previous judgements in the area of the right to privacy had considered loss of control or misuse of data as sufficient damage in itself, the Court ruled that in the context of data protection, mere loss of power is not enough to give rise to such claims. Any recognition of damage would thus depend on each individual's specific case making a class action unsuitable.


It should be noted that the DPA 1998 differs from the UK GDPR and the DPA 2018, which have now replaced the former. However, commentators have found that the latter applies essentially the same criteria for awarding damages resulting from infringements as the DPA 1998, meaning that UK courts would likely nevertheless adhere to the precedent set in Lloyd v Google.


The Supreme Court's judgment thus effectively declared class actions for large-scale data protection infringements destined to fail. For Big Tech, this undoubtedly presents pleasant news as they would have otherwise faced numerous similar lawsuits. In the view of civil society organisations and privacy advocates, on the other hand, the judgement is detrimental to the enforcement of data protection standards. The negligible damage caused by an individual infringement and the extensive financial resources of tech firms makes it largely undesirable and risky for individuals to take companies such as Google to Court. At the same time, the UK Government has recently decided against adopting a collective redress mechanism under art. 80(2) GDPR precisely because class actions under rule 19.6 CPR supposedly sufficient remedies referencing the Court of appeal's ruling in Lloyd v Google.


The Supreme Court judgement thus deprives the UK of any class action remedy in the context of large-scale data protection infringements. NGOs have consequently urged the Government to reconsider introducing a data protection specific collective redress mechanism. Commentators have also emphasised the heightened responsibility of the ICO to enforce compliance with data protection law in light of reduced incentive for individuals or groups to litigate directly against tech companies.



References











コメント

bottom of page