Google wins appeal in UK Supreme Court

17 Nov 2021
Written by: Tatiana Soteriou
 
On 10/11/2021, the UK ‘s Supreme Court issued its judgment in the case of Lloyd (Respondent) v Google LLC (Appellant) by ruling in favour of Google against a mass legal action in relation to wrongful collection of millions of iPhone users’ data.
 
Facts
Google created a new feature known as “social ads” on its now discontinued Google+ service and even though this sought to protect user-privacy, there were difficulties in implementing the feature for users of the Safari browser due to Safari’s handling of third-party cookies. Google, therefore, found a way to implement the feature on Safari browsers with ‘DoubleClick’, an advertising cookie which was set in a third-party context even though Apple’s stated policy at the time was that this would not be possible with the Safari browser. Therefore, it was alleged that DoubleClick cookies were set without the consent of users. Consequently, a legal action was initiated by Mr. Lloyd on behalf of around 4.4 million citizens of England and Wales, who were affected by this feature claiming an award of £750 per person in respect of their “loss of control” of their personal data.
 
The three key questions addressed by the Supreme Court were:
  1. Are damages recoverable under the DPA 1998 for “loss of control” of data, without needing to identify any specific distress or pecuniary loss?
  2. Does the proposed group of individuals satisfy the “same interest” test as required for a representative action in England and Wales to proceed?
  3. Should the Court exercise its discretion and disallow the representative action proceeding in any event?  
Decision by the Supreme Court
Supreme Court decided that the claim could not proceed for two reasons. The first reason was that, in order for a claim compensation to succeed, damage/loss must be suffered. Specifically, the Supreme Court emphasised s.13 of the DPA 1998 which provides that “an individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage.” and further clarified  the meaning of the term “damage” as  “material damage (such as financial loss) or mental distress distinct from, and caused by, unlawful processing of personal data in contravention of the Act, and not to such unlawful processing itself”. As to the second reason, the Supreme Court decided that the establishment of this damage or loss in an individual basis is a must and cannot be skipped. In other words, the Court explained that the compensation cannot simply be applied uniformly for “loss of control” of personal data for each member of the claimed representative class, but instead it needs to be proved which of the unlawful processing by Google of personal data is related to a given individual. In addition, the Supreme Court highlighted those factors like the period of time, volume of data, whether any sensitive or private data was involved and what use or benefit it afforded Google, would need to be considered per individual. If there is no evidence of these factors, the individuals are not entitled to compensation.

In any case, the Supreme Court made clear that for any individual to be entitled to compensation under the DPA 1998 “it would be necessary to show both that Google made some unlawful use of personal data relating to that individual and that the individual suffered some damage as a result.” The Supreme Court’s judgment states that without proving either matter, the claimant’s attempt to recover compensation is “doomed to fail”.

The impact
The judgment illustrates the need for the claimants to prove damages, whether they are in the form of distress or financial loss, to successfully make a claim pursuant to s.13 of the DPA 1998 as the Supreme Court held that “compensation can only be awarded under section 13 of the DPA 1998 for material damage or distress caused by an infringement of a claimant’s right to have his or her personal data processed in accordance with the requirements of the Act, and not for the infringement itself”.

This decision relates with the current climate in the UK as it does not give the option for claimants to make claims on behalf of a “big team” of individuals without those individuals first being identified and particularising their claim.
 
 
 
 
 
MORE RELATED NEWS

Saudi Arabia Data Protection Compliance: National Register for Controllers and Data Protection Officer Requirements
Raphael Legal and Privacy Minders Author the Cyprus Chapter in the ICLG Data Protection Guide 2024
How IAB Europe TCF v2.2 Enhances Digital Advertising Privacy Compliance
ENISA Report on Engineering Personal Data Protection in EU Data Spaces
Larnaca, Cyprus

32 Konstantinou Paleologou Street,
The Square, 2nd Floor,
6036 Larnaca, Cyprus

London, United Kingdom

71-75 Shelton Street
London WC2H 9JQ
United Kingdom

Get in touch

Tel: +357 24 32 33 33
Email: info@privacyminders.com

Click here to Subscribe