UK Supreme Court opposes billion-dollar privacy class action against Google
On November 10th, 2021, the UK Supreme Court issued a long-awaited judgment in the Lloyd v Google case and denied the class-action lawsuit against Google over alleged illegal tracking of millions of iPhone users back in 2011 and 2012 to proceed further. The 3 billion GBP lawsuit, which was filed on behalf of 4.4 million residents in England and Wales, had implications for other class-action lawsuits filed in the U.K.
The case was originally filed by Richard Lloyd on behalf of the group “Google You Owe Us.” The group accused Google of bypassing Apple iPhone security by collecting personal information of users on the phone’s Safari web browser between August 2011 and February 2012. A U.K. court dismissed the case in October 2018, but it was later overturned by the UK Court of Appeal.
In a final decision in the case dating from last week, the Supreme Court ruled in favor of Google, deciding that the representative claim against Google under the Data Protection Act 1998 (DPA) should not be allowed to proceed. In reaching its decision, the Supreme Court considered the following points:
- the statutory scheme of the DPA does not permit recovery of compensation for the mere “loss of control” of personal data and
- the representative claim by Lloyd on behalf of the 4.4 million affected individuals should not be allowed to proceed, as Lloyd was unable to demonstrate that each of those individuals who he represented in the claim had suffered a violation of their rights under the DPA and material damage because of that violation.
“The claimants seeks damages,” Judge George Leggatt stated the decision, “for each individual member of the represented class without attempting to show that any wrongful use was made by Google of personal data relating to that individual or that the individual suffered any material damage or distress as a result of a breach.” Judge Leggatt also said, “Without proof of these matters, a claim for damages cannot succeed.”
The decision will be welcomed by controllers, as it limits the prospects of representative claims of the nature of that advanced by Lloyd and further provides reassurance that mere technical breaches of the UK GDPR that do not result in material damage to data subjects do not represent sufficient ground for compensation.