The Supreme Court will hand down a judgment on Wednesday in what has been described as one of the most significant cases in recent legal history: Lloyd v Google.
Richard Lloyd is suing Google for collecting web browsing data from iPhone users between 2011 and 2012, despite the American technology giant claiming at the time that it was prevented from doing so by the Safari browser’s default privacy settings.
He brought the claim not just as an individual affected by Google’s actions, but as someone who is representing over four million people in a ground-breaking representative action.
If Mr Lloyd wins, the US technology giant could be forced to forfeit billions to compensate affected iPhone users who could potentially claim a tariff of up to £750 each as Mr Lloyd stated in his letter of claim, although a much lower figure is likely.
But the real importance of the case will be its effect on case law.
A judgment against Google could throw open the doors to representative actions in Britain in other data protection cases, allowing consumer rights defenders to bring claims against companies that breach privacy law.
The judgment in London will come on the same day that the company receives a ruling in its appeal against a record €4.34bn (£3.8bn) fine from the European Commission for forcing phone manufacturers to pre-install its apps.
How did this begin?
Almost a decade ago Google was caught secretly placing an advertising tracking cookie on Safari web browsers – whether used on iPhone, Mac, or iPad – despite assuring those users that they would be opted out of this tracking by default.
The workaround was discovered by Jonathan Mayer, then a graduate researcher at Stanford University. At the time, Google said that the data collection was accidental and it did not mean for the feature to bypass the Safari browser’s default security settings.
What did Google do?
As explained by the FTC: “Google placed a certain advertising tracking cookie on the computers of Safari users who visited sites within Google’s DoubleClick advertising network, although Google had previously told these users they would automatically be opted out of such tracking, as a result of the default settings of the Safari browser used in Macs, iPhones and iPads.
“Google specifically told Safari users that because the Safari browser is set by default to block third-party cookies, as long as users do not change their browser settings, this setting ‘effectively accomplishes the same thing as [opting out of this particular Google advertising tracking cookie]’.
“Despite these promises, the FTC charged that Google placed advertising tracking cookies on consumers’ computers, in many cases by circumventing the Safari browser’s default cookie-blocking setting.
“Google exploited an exception to the browser’s default setting to place a temporary cookie from the DoubleClick domain. Because of the particular operation of the Safari browser, that initial temporary cookie opened the door to all cookies from the DoubleClick domain, including the Google advertising tracking cookie that Google had represented would be blocked from Safari browsers.”
The company subsequently settled with the US Federal Trade Commission over the breach, paying a then record civil penalty of $22.5m in August 2012.
The company also paid $17m to dozens of states in the US in admitting that it had collected this data for the purposes of advertising while informing users that it wouldn’t, though it did so in a settlement which did not accept any liability.
How did it end up in the Supreme Court?
Richard Lloyd first notified Google of the claim in 2017 and applied to the courts for permission to serve the claim out of the jurisdiction, as Google is based in the US.
Although the High Court initially refused the claim, the Court of Appeal upheld it and said that while Mr Lloyd’s “opt-out” style class action was “unusual” it was permissable as iPhone users during this period were all victims of wrongdoing and suffered the same loss.
Google appealed against this decision, escalating the case to the UK’s Supreme Court which will have to decide what damages are due to the affected iPhone users, whether those users all suffered the same harm, and whether representative actions are the proper way to tackle these issues.
What will the impact be?
Jamie Curle, a partner at law firm DLA Piper, described the judgment as “one of the most eagerly awaited decisions of recent years” and said it would have “a significant impact on the volume and nature of litigation in the data privacy arena”.
“The question many will want answered is whether this judgment will represent the dawn of US style class action litigation for data protection claims or will the traditionally more conservative views of the English judiciary prevail?” added Mr Curle.
“All eyes will be on this Supreme Court judgment to help answer many of the open questions of law surrounding representative actions for data protection related claims,” said Ross McKean, a data protection partner also at DLA Piper.
“Claimant law firms and their funders have a lot riding on this decision, as does any organisation processing personal data, as the theoretical value of damages awards for data protection representative actions is huge, running into the billions for larger claims.”