Google's 'Safari workaround' setback holds lessons for representative actions — and for privacy-breaching companies
09 Oct 2019 12:00 am by Vesela Gladicheva
Google's recent defeat in the "Safari workaround" case is unlikely to open the floodgates for a rush of similar mass UK damages lawsuits, but should still provide a roadmap for claimants — something companies accused of breaching privacy rules would do well to note.
Last week's appeal court ruling allowing the "Google You Owe Us" group claim to proceed is not a clear green light for representative actions, not least because the US technology giant is looking to challenge the judgment in the UK's highest court.
But the judges' decision was significant, in that it cleared the way for the claimants to try to win damages in the alleged data misuse without having to prove they suffered monetary loss. The representative group claim seeks billions of pounds in damages for personal data Google allegedly harvested from iPhones almost a decade ago.
In that, the appeal court ruling may provide a clue to successfully bringing similar types of claims for data breaches, using the underdeveloped UK procedure for representative actions.
That means consumer-facing companies collecting or processing significant amounts of personal data will be especially interested in the outcome of the case, as an indication of whether violation of data-protection laws might open them up to lawsuits and financial loss beyond any regulatory fine.
What they will be watching in the near term, though, is how successful Google is in challenging the recent decision.
— Next round —
The Supreme Court will have three months to decide on the validity of such an appeal, after Google submits its application within 28 days of the judgment. The court may well deem the challenge valid, given the public interest in data breaches and the fact the case raises important issues about an individual's control over personal data in an increasingly digital society.
The lead claimant in the case, consumer activist Richard Lloyd, and the group Google You Owe Us allege that Google gathered the browser-generated information of around 4.4 million people in the UK between August 2011 and February 2012 by bypassing default privacy settings on the Safari browser on Apple iPhones.
The appeal judges' conclusion was significant in that it allowed claimants to recover damages for loss of control of their data under the UK's 1998 data-protection rules without proving pecuniary loss or distress. They also ruled that browser-generated information has economic value, since it can be sold to advertisers wishing to target users with ads.
If the Supreme Court confirms the Court of Appeal's ruling, the claimants will spend around 18 months arguing Google's liability and the level of compensation through the standard UK court processes. This will start with obtaining a defense disputing the claims and supporting documents from the US tech giant.
The main trial will consider the facts of Google's infringement and the level of compensation due to class members. Google fought back against the appeals ruling in a press statement last week, when it said its data-harvesting practices at the heart of the case occurred almost a decade ago and that it addressed them at the time.
— Rare procedure —
The representative action is a possible recourse under UK civil procedure rules that stipulate that if individuals have the same interest in a claim, they can bring it collectively. But it has rarely resulted in successful claims.
"The representative action provision has been in place for over 100 years, and there have only been a handful successful applications," James Oldnall, a partner at law firm Mishcon de Reya, which is leading the claimants' case, told MLex.
"It does have quite careful limitations to it, so I think it should only apply in relatively unique circumstances," he said after the appeals ruling on Oct. 2.
It remains to be seen how attractive the procedure will be for lawyers, given it achieves lower compensation levels than group litigation orders do. Representative actions — where there the individual class members don’t need to be identified or to authorize the claim — focus on the "lowest common denominator," where each person can claim a share of any damages won. That's because the representative action isn't based on the facts of how the individuals were affected by the infringement. It’s different from the more popular class-action mechanism of a “group litigation order,” where claimants must opt in to the proceedings.
— Recipe for success —
Assuming the appeal ruling stands, what are the key characteristics of a claim deemed suitable to proceed as a representative action, that could end up threatening the bottom line of companies accused of violating data-protection laws?
One of the key findings by the Court of Appeal concerned the definition of "damage" under UK data-protection rules. It found that could apply to loss of control of personal data, which could in turn qualify users for compensation. But there must be a threshold of seriousness for such claims, the judges ruled, excluding purely trivial cases such as "an accidental one-off data breach that was quickly remedied."
The ruling also confirmed the main features of the representative procedure, namely that claimants should have the same interest and be affected in the same way by the contravention as their representative.
Litigants in the Google case argued that all in the entire class of individuals have exactly the same interest as Richard Lloyd, because their rights under the UK’s 1998 Data Protection Act were breached and they have all suffered identical distress.
Lawyers seeking to bring similar cases using the representative procedure will also find the judgment helpful in respect of the size of the class — fixed at the beginning of the litigation.
"With this ruling, it's been made clear that size of the class is no barrier and that the court is prepared to take a practical approach to trying to find a way to make it work," Oldnall said.
Valid claims should further be limited to alleged deliberate and widespread misuse of personal data without people's consent and with the purpose to make commercial profit.
— Attract attention —
The judgment will grab the attention of companies accused of breaching privacy rules, according to Jonathan Armstrong, partner at London-based firm Cordery.
It will "remind them that any fines they may end up paying to a data-protection authority may only be part of the loss they suffer," he said in a blog post.
Major tech companies, retailers and other consumer-facing companies collecting or processing significant amounts of personal data will be especially interested in the outcome of the case, as data breaches or basic violations for the GDPR could expose them to representative actions.
But for now, until the action against Google is resolved, the mechanism of a group litigation orders seems likely to continue to be the more common procedure for collective action cases in the UK.
The case number is A2/2018/2769 Lloyd -v- Google LLC.
03 Aug 2020 9:29 pm by Ana Paula CandilCompanies are pressuring Brazilian lawmakers to delay implementation of the nation's data-protection law from Aug. 16 until next May.
Biggest cyberattack ever caused $15 billion loss to customers of companies directly hit, though banks softened impact, study says31 Jul 2020 12:00 pm by Neil RolandThe most damaging cyberattack ever in 2017, caused a $15 billion loss to customers of companies directly hit, a federal study said.
International companies more prepared than local companies for Brazilian data protection law, Alves says30 Jul 2020 11:00 am by Ana Paula CandilInternational companies are much more prepared for Brazil's new data protection law than Brazilian firms because they already comply with similar legislation.