A consumer rights activist, who was seeking £750 compensation from Google for each of 4 million iPhone users affected has lost his case in the Supreme Court. Had he won the case, it is estimated the damages would have cost Google up to £3 billion.
Mr Lloyd brought the action against Google after it admitted by-passing browser settings to place tracking cookies on consumers’ iPhones without their knowledge or consent, during a period of some months in 2011 and 2012. The cookies enabled third-party businesses to target their advertising. Google was fined by US regulators for this breach of privacy laws.
Mr Lloyd brought the ‘opt-out’ litigation on behalf of iPhone users. This is a form of representative action where individuals form part of the action unless they choose to opt-out. Mr Lloyd’s case had previously been heard in the High Court and Court of Appeal.
The Supreme Court had to decide whether Mr Lloyds was allowed to serve proceedings on Google in the United States on behalf of consumers in England and Wales. It also had to consider the merits of Mr Lloyd’s representative action.
The Supreme Court judges unanimously ruled in favour of Google. They concluded that iPhone users had only suffered trivial damage for loss of control of their data and that this was insufficient for them to receive flat-fee compensation in a representative action. To receive damages, they would need to prove financial loss or distress, which could only be assessed on an individual basis.
The case related to the Data Protection Act 1998 and the ruling may not apply under the newer UK General Data Protection Regulation (UK GDPR).
James Burgoyne of Brunel Professions said: “Professional firms usually hold significant amounts of data about their clients, some of which may be personal and sensitive. While this Supreme Court decision seems to take away some of the risk of firms facing class action in the case of a data loss – it does not reduce their responsibilities to protect client data under GDPR. Data controllers must take great care to ensure that their clients’ sensitive data is held securely at all times. Professionals should also consider risk transfer measures such as appropriate cyber-liability insurance.”