Yesterday the Supreme Court issued its eagerly awaited judgment in the case of Lloyd v Google.
The Supreme Court received submissions from the Information Commissioner, as well as a handful of other interested parties including the Open Rights Group and the Internet Association, which demonstrates the potential ramifications of the judgment.
In 2011 and 2012, Google allegedly tracked the internet activity of several million iPhone users, without their consent. It did so by bypassing privacy restrictions within the iPhone’s Safari web browser to install a cookie for Google’s ‘DoubleClick Ad’ advertising service. The cookie then allowed Google to identify when the device visited any website displaying an advert from Google’s advertising network, as well as how long a user spent on different webpages. It is alleged that Google was, as a result, able to collect a vast array of information about a user and their preferences, for example their race, ethnicity, sexual interests, gender and religious beliefs.
In response to Google’s internet activity tracking, Mr Richard Lloyd (the “Claimant”) issued a claim for breach of the Data Protection Act 1998 (which pre-dates the current data protection legislative framework). He issued the claim on behalf of himself and all other iPhone users within England and Wales between the relevant dates, whose personal data was obtained by Google without consent through Google’s DoubleClick Ad cookie.
The suggested damages were £750 per user, which was roughly estimated to amount to total damages of £3 billion. The financial consequences of the judgment therefore could have been staggering.
The Claimant required the Court’s permission to serve the claim on Google out of jurisdiction. Google had contested the application for permission, on the grounds that the claim had no real prospect of success.
The High Court found in favour of Google and refused permission for the Claimant to serve the claim. The Court of Appeal subsequently reversed this decision, causing Google to appeal to the Supreme Court.
The Supreme Court allowed the appeal in favour of Google and refused the Claimant’s application for permission to serve proceedings out of jurisdiction, for the following reasons:
The claim was for a breach of the Data Protection Act 1998 and the Court did not confirm how its findings apply in relation to the UK GDPR and Data Protection Act 2018 currently in force. As a result, the judgment has not ruled out the ability to bring a successful claim for damages on the basis of loss of control of personal data under the current data protection regime. However, it has definitely created a high threshold that must be established if such a claim were to succeed, as any claim under the current framework would need to differentiate itself from the precedent set by the Lloyd v Google judgment.
The outcome is undoubtedly a positive one for a huge number of businesses which collect and process personal data on a large scale. It is easy to see the speed at which potential damages could multiply if claimants are not required to identify the damage suffered by each individual data subject within a class. A different outcome may well have left businesses more reluctant to invest in innovation which involves the processing of significant quantities of personal data, due to an increased risk of substantial compensation claims.
For more information please contact the Data Protection Team.
We produce a range of insights and publications to help keep our clients up-to-date with legal and sector developments.
Sign up
