Lloyd v Google LLC
According to the Supreme Court “Case Details”, Richard Lloyd has issued a claim alleging that Google has breached its duties as a data controller under the DPA to over 4m Apple iPhone users during a period in 2011- 2012, when Google was able to collect and use their browser generated information.
The respondent (Lloyd) sued on his own behalf and on behalf of a class of other residents in England and Wales whose data was collected in this way.
He applied for permission to serve the claim out of the jurisdiction. Google opposed the application on the grounds that:
(i) the pleaded facts did not disclose any basis for claiming compensation under the DPA and
(ii) the court should not in any event permit the claim to continue as a representative action.
Google’s use of the “Safari Workaround” in 2011-2012.
Google used a ‘Double Click Ad cookie’ on Safari devices to enable the presence of tailored ads to their users based on their browsing history. This cookie was not placed by the operator of the website, but by a third party, in this case Google. Its effect was to enable Google to set the DoubleClick Ad cookie on a device, without the user’s knowledge or consent, whenever the user visited a website that contained DoubleClick Ad content. This resulted in Google being able to identify visits by the device to any website displaying an advertisement from its vast advertising network, and to collect considerable amounts of information about users. The information collected included: IP address, the ads viewed, and frequency of visits by users, the user’s approximate geographical location could be identified. Over time, Google could and did collect information as to the order in which and the frequency with which websites were visited. It is said by the claimant that this tracking of BGI enabled Google to obtain information relating not only to users’ internet surfing habits and location, but also about such diverse factors as their interests and habits, race or ethnicity, social class, political or religious views or affiliations, age, health, gender, sexuality, and financial position.
Mr Lloyd argued that Google’s tracking and collection of data was in breach of the data protection principles contained in Schedule 1 to the Data Protection Act 1998. More specifically, the principles one, two, and seven were breached:
1. Personal data shall be processed fairly and lawfully
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Since Google is based in the United States, Mr. Lloyd required permission to serve out. Mr. Justice Warby refused permission to serve out on the grounds that the claim did not disclose a basis for seeking compensation under the DPA 1998.
According to the Supreme Court ‘Case Summary’ the issue addressed is whether the respondent should have been refused permission to serve his representative claim against the appellant out of the jurisdiction (i) because members of the class had not suffered ‘damage’ within the meaning of section 13 of the Data Protection Act 1998 (‘DPA’); and/or (ii) the respondent was not entitled to bring a representative claim because other members of the class did not have the ‘same interest’ in the claim and were not identifiable; and/or (iii) because the court should exercise its discretion to direct that the respondent should not act as a representative.
The UK’s Supreme Court ruled in favour of Google on Wednesday morning (10th of November), in a landmark case which could have resulted in the payment of up to £3bn ($4.06bn) in damages. Google’s Supreme Court appeal claimed that compensation can only be awarded for financial damage or mental stress. It also said that the present claim is not suitable as a representative claim