Google wins appeal against UK class action-style suit seeking damages for Safari tracking – TechCrunch

Google won an appeal at the UK Supreme Court against a class-action-style privacy litigation -- it avoided what could have been upto PS3BN in damages if it lost the case.
Richard Lloyd, a veteran consumer rights activist, brought the long-running lawsuit. He claims that Google used a Safari workaround in order to override iPhone users privacy settings in Apple Safari browser between 2011 & 2012, and seeks compensation for the breach for the 4 million+ UK iPhone owners affected.

Lloyd's lawsuit sought damages for privacy damage. The suit sought to establish that a representative action can be brought in the UK for compensation for data protection violations. This was despite the absence of a generic class action system in UK law.

In 2018, the High Court stopped the suit from proceeding. However, the Court of Appeal reversed the judgment the next year and allowed the lawsuit to proceed.

Today's unanimous Supreme Court ruling essentially reverses the High Court view: Blocking the representative actions.

The Supreme Court justices affirmed that damages/losses must be sustained in order to be compensated and that it is impossible to skip the need to prove each individual's damage/loss. This means that compensation cannot be applied for the "loss" of control of personal data for all members of the class claimed, as Lloyd litigators wanted.

The Supreme Court summarizes its judgment by writing, "Without proof in these matters, a claim to damages cannot succeed."

This ruling will severely limit the ability of UK campaigners to bring class action suits against the tracking industry.

If Google had lost the judgment, it would have opened up the door to other representative actions for privacy violations. The appeal was won by the adtech company and will likely put an end to UK class action suits targeting data-mining tech companies. These suits have attracted commercial litigation funders in recent years.

BLM, a law firm, responded to today's judgment by saying that it was "fun for Google and all organisations that handle significant amounts of data and base their business models on personal data (as also their shareholders and/or insurance companies)".

Linklaters LLP described the judgment as "a major blow to claimant law companies and funders who had hoped for a new opt-out regime for damages in relation to the data breach sphere".

Harriet Ellis, Linklaters' dispute resolution partner, stated that "we would expect a lot more similar claims to be issued in its wake now," in a statement. "Claimant companies will carefully examine the decision to determine if any opt-out classes actions can still be brought. It looks very difficult.

Mishcon de Reya is the law firm that represents Lloyd. We have reached out for their comments.

Google's own response to the Supreme Court judgment did not include any discussion about the case details. It only wrote:

"This claim is related to events that occurred a decade ago that we addressed at that time. People want to feel safe online. That's why we have focused for years on creating products and infrastructure that protect and respect their privacy.

A spokesperson for Google pointed out a statement made by techUK trade association. This association had supported Google in the case and wrote today that "had the appeal not been denied, this would have opened up the possibility for speculative claims to be made against data processors with grave consequences for public and private organizations."

The UK trade association claims that it does not oppose representative legal actions, but it believes it is right to first establish whether the individual has suffered damage as a result data breaches before seeking compensation.

The Supreme Court justices noted that the cost of opting in (rather than opt out) litigation can make it difficult to access justice in cases with individual claims worth less than 100 pounds each. In the Lloyd litigation, the suggested amount was PS750 per person. This is because the case administration costs associated with processing individual claimants may easily exceed the claim's potential value.

TechUK opposes representative legal actions that are brought about by data violations.

The UK's data protection watchdog has, however, shown a total lack of willingness to enforce law against data-mining adtech industries -- despite warnings by the ICO since 2019 about rampantly illegal tracking.

The UK government is currently consulting on weakening its domestic data protection system.

The question of how the average UK citizen can get the privacy rights UK laws claim wraps their information on paper seems a bit murky.

There is so much at stake today, given the other cases that depend on Lloyd. We'll see if Rumbul vs Salesforce will be decided.

McCann v Google

TikTok for children

Facebook v Jukes There are many issues at play, but they all have a class problem. Robert Bateman (@RobertJBateman), November 10, 2021

Google, the US's cookie tracking company, entered into a consent agreement with the FTC a decade ago. It agreed to pay $22.5M in 2012 to settle charges that it had bypassed Safari's privacy settings and served targeted ads to customers (but not accepting any wrongdoing).

Responding to the Supreme Court judgment, rights groups called for the government's legislation to provide collective redress.

Jim Killock, the Open Rights Group's executive Director, stated in a statement that there must be a way for individuals to seek redress for massive data breaches without risking their homes and without relying solely on the Information Commissioner.

"The ICO can't act in all cases and sometimes is unwilling to do so. The ICO claims that the Adtech industry is illegally operating. We have waited for over two years. There has been no indication of any action.

"But it would be absurd for anyone to put their home at risk over court fees in cases such as this. This is what we have left without a collective mechanism: data protection against tech giants is often very difficult to enforce in many cases.

"The Government should not change its word and reconsider implementing collective action under GDPR. This was specifically rejected by the Government in February, on the ground that Lloyd vs Google demonstrated that existing rules could be used to provide recourse."