Google Supreme Court ruling: ‘The potential onslaught of mass class actions in a data protection context has been held at bay’

Today, the UK’s Supreme Court has rejected a claim that sought to gain billions in damages from Google LLC over alleged illegal tracking of over four million iPhone users between 2011 and 2012.

The Supreme Court unanimously ruled in Google’s favour in a landmark case.

The case was brought by Richard Lloyd, a former Director at Which?. The accusation alleged that Google cookies collected data on health, ethnicity, sexuality and financial circumstances through Apple’s Safari web browser, despite users not choosing to have their data tracked in their privacy setting.

The potential fine for the global tech firm would have been one of the largest in history.

Following the ruling, Lloyd commented: “We are bitterly disappointed that the Supreme Court has failed to do enough to protect the public from Google and other big tech firms who break the law. Although the court once gain recognised that our action is the only practical way that millions of British people can get access to fair redress, they’ve slammed the door shut on this case by ruling that everyone affected must go to court individually.”

Impact on free speech

This case is an important one for several reasons – one of which being that the outcome has implications for the ability of individuals to use data protection claims to get around protections for free speech.

Christina Henry, a Senior Associate in the litigation practice at media, technology and IP law firm Wiggin LLP said: “The Supreme Court has today clarified that compensation for a contravention of data protection law (albeit pre-GDPR) in and of itself cannot be awarded. There must be damage (of some sort), which needs to be assessed and proved on an individual level. For businesses this is good news: the potential onslaught of mass class actions in a data protection context has been held at bay.”

The Supreme Court has unanimously ruled in Google’s favour in a landmark case today. Had the judgment gone the other way, it would have had a significant impact on the volume and nature of litigation in the data privacy sector.

Commenting on the judgment, Gareth Oldale, head of data privacy and cybersecurity at UK law firm TLT, said: “Any organisations processing large volumes of personal data would have had a lot riding on this decision, as the theoretical value of damages awards for data protection representative actions is enormous and could even run into the billions for larger claims. The decision to allow the appeal will likely prompt those that have already filed large data protection class actions against businesses in the tech, financial services, retail, and hospitality sectors to reconsider their position and strategy. It does not mean that claims will disappear overnight, but this judgment does present a significant barrier to large groups of individuals bringing consolidated claims against a common controller.

“Key to this case was the question of whether or not a uniform sum of damages can be awarded to each member of the represented class without the need to prove any facts particular to that individual. To put it another way, are damages payable in a case where the claimant does not prove either what unlawful processing of personal data occurred or that the individual suffered material damage or mental distress – is ‘loss of control’ of the data sufficient to give rise to damages being payable? The Supreme Court has resoundingly concluded that this approach is ‘unsustainable’. In particular, the court held that the legislation ‘cannot reasonably be interpreted as giving an individual a right to compensation without proof of material damage or distress whenever a data controller commits a non-trivial breach of any requirement’.

“Big tech companies like Google, along with other large institutional organisations, banks, retailers and multi-national groups, will all take comfort from this judgment. But with a well-established group of claims management companies in the UK committed to pursuing data breach claims en masse, the most important question now is not whether they will desert this market, but rather how they will change their litigation strategy to continue pursuing claims on behalf of their clients. Data controllers would be well advised to review the judgment carefully, and consider how it will impact on their approach to managing data breach claims and complaints moving forwards.”

Impact on data protection

Further to the Lloyd v Google Supreme Court judgment, with the appeal being unanimously allowed, Cristina Crețu, Senior Privacy & Technology Consultant at MPR Partners, an international law firm, shares her thoughts.

“Today’s judgment in Lloyd versus Google LLC sets an interesting (and in our view correct) precedent regarding class actions for damages arising from infringements of the data protection rights. The most important takeaway in our view is that, in order for an action for damages to be successful, an interested party must prove that there is a contravention by a data controller of any of the requirements of the data protection legislation and that such contravention caused damages to that individual. Thus, for future reference, any similar action for damages should follow a two-stage procedure: (i) establishing whether the data controller was in breach of the data protection legislation and only afterwards (ii) claiming compensation.

“The second stage will require an opt-in mechanism to be observed, entailing on one side the need to obtain sufficient information from each individual to support their claim with regards to the loss suffered and to determine if the individual is eligible to be part of the group action and on the other side for the individual to opt in regarding such action. It is clear from today’s judgement that general damages cannot “be awarded on a uniform per capita basis to each member of the represented class without the need to prove any facts particular to that individual”, as Mr. Lloyd had requested. Whilst class actions suffered a setback today, if interested parties are willing to learn some lessons from this case, the future of actions related to compensation for data protection breaches in the UK does not have to be bleak.”