Mr Lloyd continues to cause problems for Google.
Mr Lloyd a former director of ‘Which?’ has brought a representative action against Google, on behalf of 4.4 million iPhone users. The Claimants allege that Google secretly tracked some of their internet activity for commercial purposes between 2011 and 2012.
He alleges that Apple’s Safari web browser allowed Google to ascertain the date, time and duration of visits to pages and advertisements, they collected data on internet browsing habits along with the users’ location. Mr Lloyd alleges that Google tracked this information even when users had opted for a ‘do not track’ privacy setting.
Crucially, it should be noted that Google paid $22.5 million in damages on the same issue in the US in 2012.
The High Court put a stop to Mr Lloyd’s claim in 2018 on two grounds. Firstly, the Claimants had failed to identify any harm caused by the alleged breach, which was required for damages to be awarded under the Data Protection Act 1998. Secondly, Mr Lloyd did not have the ‘same interest’ as the 4.4 millions iPhone users he purported to represent, he could not therefore bring representative proceedings.
And so the case moved on to the Court of Appeal. On 2 October 2019 they reversed the High Court’s decision.
The Court of Appeal held that damages could be awarded for loss of control of data, even if there is no financial loss or distress. Also, that the Claimants did have the same interest and the High Court should have exercised its discretion to allow the action to proceed.
The Court of Appeal agreed that if the allegations are proven then Google should be held ‘to account for its allegedly wholesale and deliberate misuse of personal data without consent, undertaken with a view to commercial profit’.
The matter will now be heard in the High Court. If the Claimants win, then damages could run to £750 per iPhone user leaving Google with damages of £3.2 billion to pay.
Google are of course seeking permission to appeal to the Supreme Court, and there may yet be another twist in this tale.
The case continues to be a reminder to large commercial organisations of not only reputational damage, but the substantial financial penalty that can arise from data breaches.
When the GDPR was introduced there was a great deal of focus on the level of potential fines that could be imposed by the ICO. However with this case and a Group Litigation Order having been granted on 4 October 2019 for half a million British Airways customers to bring a claim following a data breach in September 2018, organisations may also be faced with claims for substantial civil damages too.