UK Supreme Court Blocks $4.3B Class Action Against GoogleGoogle Illegally Accessed Personal Data in 2011, 2012, Lawsuit Says
The U.K. Supreme Court unanimously decided on Wednesday to block a $4.3 billion class action lawsuit filed against technology giant Google.
Richard Lloyd, a former director of the nonprofit consumer group called Which?, filed the suit in 2017, and it alleges that Google accessed millions of iPhone users’ personal information illegally between June 1, 2011, and Feb. 15, 2012. Lloyd was later joined by six other claimants, including the U.K. Information Commissioner's Office, the Open Rights Group, and the Internet Association. Together, they call themselves Google You Owe Us.
'Bitterly Disappointed' vs. 'Positive Developments'
A ruling favoring the claimants would have forced the tech giant to pay out to 4.4 million people who used iPhones between 2011-2012 in England and Wales.
The UK Supreme Court handed a bitter blow to British consumers today, slamming the door shut to access to justice when our data rights are abused by companies like Google. Now is the time for Government to legislate to protect our privacy. Full statement: https://t.co/rrJiVt4DqJ— Google You Owe Us (@GoogleYouOweUs) November 10, 2021
"We are bitterly disappointed that the Supreme Court has failed to do enough to protect the public from Google and other Big Tech firms who break the law. They have overturned a very clear ruling by senior, expert judges in the Court of Appeal," says Lloyd, the lead claimant in the case.
"Although the Court once again recognized that our action is the only practical way that millions of British people can get access to fair redress, they’ve slammed the door shut on this case by ruling that everyone affected must go to court individually," he adds.
"The ruling today gives Google and the rest of Big Tech the green light to continue misusing our data without consent, knowing they will go unpunished. It is a dark day when corporate greed is valued over our right to privacy," says James Oldnall, Lloyd’s solicitor and managing partner at the law firm Milberg London.
On the other hand, David Barker - a partner at Pinsent Masons, the firm representing Google in this case - welcomed the verdict.
"[It] is a very positive development for data controllers of all sizes. The judgment will be read closely by those interested in the wider U.K. class actions landscape," he tells Information Security Media Group.
"The decision upholds the notion that compensation for a nontrivial breach of the Data Protection Act 1998 can be made only if the data subject has suffered some form of material damage - i.e., tangible financial loss - or if they have suffered distress. And simply put, Google’s aggregation of personal data albeit could have been wrong and for which the company did pay a compensation in the U.S., was insufficient to cause any real-world harm or mental distress," says Barker.
The Supreme Court's 60-page judgment states that Lloyd’s case hadn’t proven "what, if any, wrongful use was made by Google of the personal data of any individual" affected by the data breach. Because of this, it added, a claim for damages cannot succeed.
The Safari Workaround
In 2017, Google introduced a feature called DoubleClick Ad cookie to the Safari browser, which could operate as a third-party cookie, says the Supreme Court's judgement, which cites technical details disclosed by Lloyd in his claim.
The DoubleClick Ad cookie enabled Google to identify visits by the device user to any website. "It could tell the date and time of any visit to a given website, how long the user spent there, which pages were visited for how long, and what advertisements were viewed for how long. In some cases, by means of the IP address of the browser, the user’s approximate geographical location could also be identified," the judgement notes, citing Lloyd.
Barker argues that "Google sought to protect user privacy through [this] segregation of data." The approach worked effectively on other browsers, but there were difficulties in implementing the feature for users of the Safari browser due to Safari’s handling of third-party cookies, he says. He adds that Google therefore identified a workaround to implement the feature on Safari browsers through the DoubleClick Ad cookie.
Lloyd's claim is based on the fact that Google did so despite Safari's default settings blocking all third-party cookies, and without the user’s knowledge or consent, says Lord Leggatt, a Justice of the Supreme Court of the U.K., in his judgement.
The Safari workaround was eventually discovered in 2012 by Stanford University researcher Jonathan Mayer and reported by The Wall Street Journal. Google claimed that the loophole was unintentional, and its senior vice president of communications and public policy, Rachel Whetstone, reportedly told the news platform that the company “didn’t anticipate this would happen.”
The same year, the company paid a $22.5 million civil penalty to the U.S. Federal Trade Commission over the Safari workaround.
Representative Action Failed
Lloyd was not only representing himself but also millions of residents in England and Wales whose data had been collected without appropriate user consent during the said period, according to the Supreme Court judgement. Thomas van Hellemondt of software solutions firm Wrangu called this a landmark case because it was the first time in the U.K. that an individual had claimed a U.S.-style class action representing others, without all those affected actively opting in.
But The Law Society Gazette says that distinction is what made the case "doomed to fail." It would have had a “real prospect of success” if pursued by Lloyd as an individual, but could not be proven on behalf of millions of others, Lord Leggatt said in his judgement.
Leggatt also said that the "the possibility of future mass-action lawsuits, if damages could be calculated, is not ruled out," the BBC reports. And this case will "have implications for similar mass-action lawsuits," Leggatt told the BBC, citing the ongoing lawsuits against TikTok and Facebook.
The Road Ahead for Class Actions
Claimant lawyers and litigation funders, including those backing other representative actions that are currently paused, will study the judgment closely to identify whether representative actions in the data space could be viable notwithstanding the Supreme Court's approach, says Barker.
He is quick to point out, however, that Leggatt, in his analysis, makes it clear that his stance is positioned under the Data Protection Act 1998 and not the GDPR.
The GDPR provides compensation to individuals who have suffered "material or non-material damage as a result of an infringement of this regulation", according to Article 82(1).
Additionally, "the recital 85 states a personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorized reversal of pseudonymization, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned," says Barker.
But the GDPR refers to the "infringement" and not "contravention," and recital 85 refers to loss of control but does not contemplate that all infringements will give rise to a loss of control. Thus, "the differences between the two regimes do not appear to offer significant scope for distinguishing any new claims brought under the GDPR from the precedent now set by Lloyd v. Google," he says.
In a separate judgement on Wednesday, the General Court of the E.U. at Luxembourg dismissed an appeal by Google against a European Commission ruling that the company had abused its dominant position in the search market by favoring its own comparison shopping service over competing comparison shopping services in 13 European countries. A fine of 2.42 billion pounds (approximately $2.77 billion) was upheld.