The High Court in the UK has rejected a class action against Google thereby limiting multi-party litigation for data breaches to identifiable individuals who have suffered specific damage.
The representative action was brought by consumer advocate Richard Lloyd, who leads the campaign group ‘Google You Owe Us’. It was alleged that Google breached its duties under the Data Protection Act 1998 by tracking the internet activities iPhone users over a number of months in 2011-2012. The action claimed that Google placed cookies on the Safari browser which used a workaround to bypass restrictions, called the ‘Safari Workaround’. This data was then used to sell targeted advertising.
The Safari Workaround had already resulted in a number of penalties and actions against Google in the US – and in the UK with the Vidal-Hall v Google case.
Lloyd sought to take the action on behalf of all residents of England and Wales who had been affected by the workaround. In the UK a representative action is similar to a class action where one party of an affected group represents the group. Lloyd sought to take the claim as an ‘opt-out’ action where members of the class do not need to be identified or involved in the proceedings. It was estimated that 4.4 million users may have been impacted in the jurisdiction. With suggested damages of £750 per individual, this may have led to total compensation of between £1 and £3 billion.
Lloyd was therefore seeking permission from the Court to serve proceedings on Google in the US. In assessing this, the Court looked at whether there was a basis for compensation under the 1998 Act, and whether the case could proceed as a representative action.
While the Court found it could be argued that Google’s actions were “wrongful, and a breach of duty”, it reinforced the need to prove damage as a result of data privacy breaches in order to claim compensation. The Court failed to find evidence of harm to Lloyd or others, and rejected that the very fact of infringement alone was sufficient to show damage. The Court felt that this would open the floodgates to trivial data breaches.
In terms of the requirements of a representative action, the Court found it impossible to practicably identify all members of the class. The Court also found that each member of the class may not have been affected in the same way. The breaches may have impacted different members in the different ways, depending on whether they were infrequent or heavy users, or their attitude to protecting their data. The Court was also of the view that lawyers would be the primary beneficiary of any award as the compensation for individuals would be relatively low.
As such, the Court refused permission to serve proceedings on Google in the United States. Lloyd has indicated his intention to appeal the decision.
Ireland does not yet have a class action mechanism. Despite recommendations from the Law Reform Commission to introduce a mechanism for multi-party litigation, no such proposals have been implemented. In the wake of the Tracker Mortgage Scandal, the Multi-Party Actions Bill 2017 has been working its way through the Dáil.
Click here for the judgement in Lloyd v Google.
Click here for a previous PILA Bulletin article on Vidal-Halls v Google.
Click here for FLAC’s submission on the Multi-Party Actions Bill 2017.