The Hackitt Review- Two years on
The Supreme Court has recently granted Google permission to appeal the Court of Appeal’s decision in Lloyd v Google  EWCA Civ 1599. In summary, Google are appealing the Court of Appeal’s unanimous decision granting Mr Lloyd permission to serve his representative action on Google outside of the jurisdiction.
The Supreme Court hearing is yet to be listed, and may not take place until 2021, however, in the meantime, we take a look back at the history of this landmark action that has significant implications for data protection law and practice.
In Lloyd v Google , the High Court refused to permit a class action for compensation against Google. Mr Lloyd alleged that between 2011 and 2012 Google had used its ““DoubleClick cookie” technology to secretly track the internet activity of Apple iPhone users and then collated, used and sold the data, all in breach of the Data Protection Act 1998 (“DPA”). This method is known as the “Safari Workaround”.
The claim was brought in a representative capacity on behalf of all other individuals who had used devices which meant they were subjected to the Safari Workaround without their knowledge and consent. It was also claimed that the (as yet unidentified) class had all suffered the same damage. The claim brought by Mr Lloyd, who is relying on an “opt-out” style of class action, is considered to be on behalf of an estimated 4.4 million iPhone users. Whilst there was no dispute it was arguable that Google’s alleged role was wrongful, and a breach of duty, the claim is unique in that Mr Lloyd does not allege any financial loss or distress, but an infringement of data protection rights leading to the loss of control of personal data. A successful action could widen the scope of data protection claims to include awards of compensation where there is no proof of distress or material damage, but evidence of a loss of control over personal data.
The High Court dismissed Mr Lloyd’s application for permission to serve Google outside of the jurisdiction on the grounds that Mr Lloyd (and other members of the class) had not suffered material damage or distress.
Mr Lloyd appealed to the Court of Appeal, which overturned the High Court’s decision and held that the claim could proceed on the basis that all individuals within the representative action will have suffered the same deprivation of their rights flowing from the loss of control over their personal data. Mr Lloyd was subsequently granted permission by the Court of Appeal to serve Google outside the jurisdiction.
The Supreme Court has now granted permission to Google to appeal the Court of Appeal’s decision. The appeal will relate to all issues previously addressed by the Court of Appeal, and specifically:
This case is an important indication on the limits of bringing a class action for data breaches following the inception of the General Data Protection Regulations (“GDPR”). When the GDPR came into force on 25 May 2018, many thought that it would pave the way for a surge in class actions. This is because the regulations made it easier for individuals to bring claims for compensation against data controllers and processors. Whilst this hypothesis is due to be tested by the Supreme Court, the decision is is unlikely to restrict access to justice for those claimants who properly meet the requirements of a class action.
Skip to content Home About Us Insights Services Contact Accessibility