BLOG POST: Lloyd v. Google Class Action by Liam Walker
News and information from the Advent IM team.
On 10th November 2021, the UK Supreme Court handed down a highly anticipated judgment in the case of Lloyd v Google. The case brought by Mr Lloyd was a representative action on behalf of several million individuals who were allegedly subjected to the use of unlawful Google advertising cookies in their Safari browsers. Had it been successful, it would have resulted in compensation of roughly £3bn being awarded to the data subjects. The Court ruled that compensation will not be awarded to data subjects for a ‘loss of control’ of personal data, under the Data Protection Act 1998. In its judgment, the Court went on to confirm that a data subject may only be awarded compensation when they have suffered some form of material damage (e.g., actual financial loss, distress, reputational damage).
The judgment represents a victory for data controllers, who will undoubtedly feel better protected against similar representative actions for privacy breaches in the future. The ongoing claims of alleged breaches of data protection legislation by TikTok, Facebook and the Marriott hotel chain are unlikely to be pursued in light of the decision on Lloyd v Google. Similarly, the Supreme Court’s decision may embolden Big Tech companies to disavow the duty of care that they have for users’ privacy. In this particular case, Google is alleged to have unlawfully used tracking technology to collect personal information about data subject activity online, and subsequently faced no penalty for doing so. After the Court recognised that group action is the practical way in which data subjects can seek redress, the judgment that followed sends the wrong message to citizens. There is a growing pattern of alleged – or actual – malpractice by the technology giants that is investigated and summarily swept aside following a warning or the payment of a nominal monetary penalty.
In light of the continued malfeasance of the Big Tech companies and the court rulings made in their favour, how can the average data subject hope to maintain meaningful control of their personal data and seek recourse when an organisation breaches that right?
It is notable that the case of Lloyd v Google was brought under the Data Protection Act 1998, because the alleged processing took place between 2011 and 2012, and so the judgment does not set a precedent for this kind of case that may be brought under the General Data Protection Regulation (GDPR) or the UK GDPR. Those Regulations explicitly state, under Article 82, that ‘Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.’ There is therefore clearly scope for similar representative actions to be brought in future. Likewise, under common law jurisdiction, the tort of ‘misuse of private information’ could allow claimants to pursue recourse in certain circumstances. With the advent of GDPR and other similar data protection legislation worldwide, the rights of data subjects have been enhanced and protected in principle, though the true acid test for how well they are enhanced and protected is the enforcement of the relevant legislation by the regulators and supervisory authorities. The ICO – and other supervisory authorities – often receive criticism based on their supposed ineffectiveness, and if the court of public opinion signals that it desires stronger enforcement, it should follow that the regulators will look to sanction and restrain the organisations that would undermine the rights and freedoms of data subjects.