The recent Court of Appeal case Lloyd v Google [2019] held that a group of 4.4 million iPhone users are permitted to proceed with their claim in the High Court against Google.

The case relates to Google’s data breach between 2011 and 2012 where Google misused the claimants’ personal data for commercial purposes. In 2018, the case was heard in the High Court which ruled that the claim could not proceed.

The claim against Google was brought by Mr Richard Lloyd, former director of Which?, who represents 4.4 million iPhone users in a consumer campaign group called “Google You Owe Us” (the Claimants). The Claimants allege that Google secretly tracked some of their internet activity for commercial purposes between 2011 and 2012.

The central issue in the case was whether or not the Claimants would be permitted to bring a representative action against Google.

Background

Mr Lloyd alleged that between 2011 and 2012, through Apple’s Safari web browser, Google identified visits to any website displaying an advertisement from its vast advertising network, and collected considerable amounts of information. Google could tell the date, time and duration of visits to such pages and advertisements. Additionally Google could collect data from the Safari browser on users’ internet browsing habits as well as their ethnicity, health, sexuality, political views and finances.

The user’s approximate geographical location could also be identified through the browser’s IP address. The Claimants allege that Google could track such information even when users had opted for a “do not track” privacy setting.

In 2012, Google paid $22.5 million in damages on the same issue in the United States.

High Court judgment

In the High Court in 2018, the Judge had dismissed the Claimants’ application for permission to serve notice of legal proceedings on Google in the USA, which prevented the court proceedings from going ahead.

The grounds upon which the High Court refused permission were:

  1. Damages under the Data Protection Act 1998 The claim did not disclose a basis for compensation under the Data Protection Act 1998 (DPA 1998). This was on the basis that the Claimants had failed to identify any harm caused as a result of the alleged breach and simply claimed compensation for the fact of the infringement and associated loss of control over the personal data. The High Court required proof of damage; and
  2. Representative Proceedings The court would not allow the continuation of the representative proceedings. The Civil Procedure Rules provide that a claim may be commenced or continued by or against one or more people as representatives of any others who have the “same interest” in the claim. The High Court initially found that this requirement was not satisfied.

However, the Claimants were granted permission to appeal the High Court Decision in the Court of Appeal.

Court of Appeal

On 2 October 2019, the Court of Appeal reversed the High Court Judge’s decision and permitted the Claimants the right to proceed with representative proceedings against Google in the High Court in London.

The Court of Appeal concluded the following issues:

  1. Damages under the Data Protection Act The Court of Appeal held that damages are capable of being awarded for loss of control of data (section 13 of the Data Protection Act 1998) even if there is no financial loss or distress caused by a data breach. This principle is clarified in the General Data Protection Regulation (GDPR), but as the incident in question pre-dates the GDPR, it is the DPA 1998 that is relevant.
  2. Representative Proceedings It was held that the High Court Judge exercised his discretion using the wrong basis as to whether the action should proceed. The Court of Appeal ruled that the Claimants did have the same interest under the Civil Procedure Rules and such interest was identifiable.
  3. Exercise of High Court Judge’s Discretion The Court of Appeal held that the High Court should have exercised its discretion to allow the action to proceed. The Court of Appeal acknowledged the significance of the case; Sir Geoffrey Vos C stated that “this case, quite properly if the allegations are proved, seeks to call Google to account for its allegedly wholesale and deliberate misuse of personal data without consent, undertaken with a view to commercial profit”.

Consequences

The claim will now be heard in the High Court and the level of damages will be determined by the Court if the Claimants win.

The Claimants have estimated that if they were to win at the High Court trial, damages could run to £750.00 per iPhone user which would cost Google a total of approximately £3.2 billion.

Google has announced that it will seek permission to appeal to the Supreme Court on the basis that they believe the claim has no merit and should be dismissed.

The case will be the first representative action brought against a technology company for misuse of personal data in the UK. It serves as a reminder for large commercial organisations of the potentially significant financial consequences arising from data breaches that could affect millions of customers. If an organisation commits a data breach, it is not only the regulatory fines that organisations need to be aware of, but also claims for damages if litigation such as Lloyd v Google is successful.

The influence of group litigation, and therefore the significant financial impact, following Lloyd v Google has already been demonstrated; on 4 October 2019, the High Court granted permission for half a million British Airways customers to bring compensation claims against the airline for a data breach that occurred in September 2018.