Caught with its hand in the cookie jar, Google must now pay the price for its wholesale infringement of privacy rights

Posted: 18/10/2019

On 2 October 2019 the Court of Appeal provided a green light to Richard Lloyd to proceed with his representative class action against Google LLC. This was brought on behalf of users of Apple’s Safari internet browser whose privacy rights were allegedly deliberately ignored and denied for commercial gain. The landmark decision overturned Mr Justice Warby’s dismissal of the claim in October last year.

Mr Lloyd is seeking relatively modest damages - c £175 per person - on behalf of an estimated four million Apple iPhone users, whose web browsing activity was tracked by Google LLC over several months in 2011 and 2012. Most controversially, those users’ private browser generated information (BGI) was subsequently sold to advertisers without their knowledge or consent. The scheme has been nicknamed the “Safari Workaround” and, given the number of users affected, this covert and illicit commercial practice may lead to a total damages award of around £3billion.

What is the Safari Workaround?

By exploiting a loophole in Apple’s Safari default settings, Google was able to place its DoubleClick Ad cookie onto users’ iPhones, without their knowledge or permission, whenever they visited a site containing content from Google’s advertising network. The cookie enabled Google to gather BGI from the affected iPhone users.

The BGI collected a broad range of information including the person’s interests, health status, gender, race, social class, political views and financial position. The court heard that Google subsequently grouped this information into categories such as “football lovers” and “current affairs enthusiasts”, and then sold the data on to subscribers of Google’s DoubleClick service. Advertisers could use this “gold dust” data to target their ads at specified users, based on their interests, habits and personal characteristics.

The law

Mr Lloyd argues that Google’s activities amount to a breach of section 4(4) of the Data Protection Act 1998 and he seeks compensation in the form of damages under section 13. The claim relies on the “representative parties” procedure under CPR 19.6.

In contrast with the Morrisons data breach claim (due to be heard by the Supreme Court next month), brought by all affected individuals as claimants, under a group litigation order (GLO), this “opt-out” class action is brought by Mr Lloyd alone, as sole claimant (on behalf of the class of users whose data was used).

The Court of Appeal’s decision

The Court of Appeal’s decision sheds light on significant legal principles for representative actions under CPR 19.6 and in relation to the laws governing data protection:

• As a person’s control over their personal data or BGI has economic value (evidenced by the fact Google could monetise it), the “loss of control” over this data must therefore have an economic value.
• As the class affected sustained the same loss by losing control of their personal BGI, they therefore share the same interest under CPR 19.6 (1). In this respect, the court can award a per capita sum of damages to each individual in the class.
• The representative class is not unidentifiable as it can be identified by reference to the data held by Google.
• Damages can be awarded under section 13 of the Data Protection Act 1998 for a loss of control over personal data irrespective of whether there is a monetary loss or distress to the claimants.
• Significantly, it was recognised that, in practice, claims of this nature can only be pursued by representative actions. Therefore, given the wholesale and deliberate misuse of personal data without consent and implemented to achieve commercial profit, the claim should proceed.

Takeaway points

Representative “opt-out” claims are not common in the UK.  So-called “opt-out” claims are those where individuals are automatically included in the group of potential claimants if they meet the relevant criteria, unless they elect otherwise. The infrequency of these claims has been linked to the arduous requirements to identify a “shared interest” among the pool of litigants pursuant to CPR 19.6. However, the decision of the Court of Appeal in this instance might encourage a new perspective to group action proceedings and an increase in “opt-out” group actions.

The decision serves as a warning to tech giants to give serious consideration to data breaches and misuse of consumer information. That said, prospective litigants should note that a “seriousness threshold” is likely to apply, possibly preventing claims arising from a “one-off” data breach.

In this case, however, that threshold was more than breached with Sir Geoffrey Vos noting the need:

“to call Google to account for its allegedly wholesale and deliberate misuse of personal data without consent, undertaken with a view to commercial profit”.

Definitely not, therefore, a negligible breach of rights.

Google LLC has confirmed that it will appeal to the Supreme Court.

This article has been co-written with Hannah Fricker, a trainee solicitor in the commercial dispute resolution team.

Return to news headlines