Justice Warby of the Judiciary of England and Wales recently handed down his judgment in the case of Lloyd v Google LLC, which denied permission for claimants to bring a class action against Google for a breach of the Data Protection Act 1998 known as the “Safari workaround.” This decision, although taken under the “old” data protection rules, may also have consequences for any subsequent actions taken under the new data protection legislation – the GDPR and the Data Protection Act 2018.
The claimant – Richard Lloyd – had sought permission from the Court to serve proceedings on Google LLC (such permission required to be sought due to Google being a foreign entity and having previously refused to accept service of the proceedings).
To remind ourselves of the facts of this case, the claim alleged that during 2011-2012, Google had illegally (and secretly) tracked the activity of Apple iPhone users which it then used to collate and sell on. Google obtained and used this data, known as the “Safari Workaround” by applying some exemptions to the generally in place block on third party cookies within the Safari browser which effectively allowed Google to enable a cookie on a device without the user’s knowledge and/or consent immediately when the user visited such a site.
The claim was brought by Mr Lloyd on his own behalf but also on behalf of a class of other residents of England and Wales who were also affected by the Safari Workaround on the basis of an opt-out claim. The class of claimants sought compensation for damage caused by Google’s actions in relation to the Safari Workaround under section 13 of the Data Protection Act 1998 (the provisions dealing with compensation for failures to comply where an individual suffers damage and distress).
Each claimant was seeking around £750 for damage caused by Google. The class of claimants was estimated to be around 5.4 million people. This meant that the liability for Google if the figure was accepted would have been between £1 and £3 billion.
Justice Warby refused permission to serve the proceedings on Google LLC for the following reasons:
- the claim did not rely on a reasonable basis under the DPA 1998 for seeking compensation from Google LLC;
- the claim did not allege that the actions of Google LLC had caused any damage and/or distress to the claimants;
- there was no right to damages where there was no damage and/or harm to the individual; and
- the court did not think that the action would be successful due to the class not having the same interests (as the damage/distress caused would be individually ascertained and examined) and it would be impossible for the court to determine the members of the class.
The claim therefore will not be allowed to proceed at present.
We understand that, currently, the claimant intends to appeal this decision.
In terms of wider implications for the new data protection legislation – the GDPR and DPA 2018 – there has been a suggestion that such a decision would be unfavourable for future actions.
However, there may be likelihood of increased actions under GDPR and the DPA 2018 due to the fact that data subjects can now also claim for non-financial damage and/or loss – therefore making such claims easier to assert in any court action.
At the moment, only opt-in actions are permitted under section 187 of the DPA 2018 (the provisions dealing with the representation of a data subject (and most likely a group of data subjects) with their authority) – the UK will need to review this position by November 2020.