Ex-Which? bod's £3bn Safari sueball has second shot at Google over UK data laws

It's the Safari Workaround – and there's no working around it this time

Updated The man who tried and failed to run a not-a-data-protection-class-action-honest-guv lawsuit against Google in England's High Court is having another crack at it in the Court of Appeal.

Richard Lloyd, a one-time director of consumer rights org Which?, is appealing against the High Court's judgment from last year which halted his multi-billion pound case against Google before it got out of the starting blocks.

In the appeal, which is being heard this week, Lloyd's barrister, Hugh Tomlinson QC, hopes to convince three senior judges that the High Court was wrong to rule that the 4.4 million people Lloyd claims to represent hadn't suffered "damage" from Google as defined in law.

"The claimant's case, put shortly, is that a combination of data protection law and the long established representative action procedure can provide an effective remedy for mass breaches of data protection rights where, in practice, as the judge recognised, neither individual claims nor a group litigation order are practically viable," Tomlinson told the Court of Appeal this morning.

The case (full history below) revolves around the old Safari Workaround dodge by Google. Lloyd claims that Google owes 4.4 million iPhone-using Brits a few hundred pounds each in damages for unlawfully snooping on their browsing habits, contrary to the Data Protection Act 1998. He has put himself forward as the "representative claimant" in what is almost, but not quite, a class action lawsuit.*

Among other things, he claims "all individuals who, at any date between 1 June 2011 and 15 February 2012... owned or were in lawful possession of an iPhone and used the Apple Safari internet browser on that iPhone to access the internet" were affected by Google's alleged lawbreaking.

Three judges will decide the appeal: the president of the Queen's Bench Division of the High Court, Dame Victoria Sharp (boss of Mr Justice Warby, the judge who made the original ruling); the Chancellor of the High Court, Sir Geoffrey Vos; and Lord Justice Davis.

Vos observed in court this morning: "It does seem to me, Mr Tomlinson, that you are eliding the infringement that led to damages and the damages themselves. I fully understand the difference between loss and damage but I don't see how you can reason from saying 'There's a bad breach', which some say they had cared about, and some who had suffered loss."

Opposing Tomlinson are his Matrix Chambers stablemates Antony White QC and Edward Craven. Supporting him are Oliver Campbell QC and Victoria Wakefield.

Where did all this start?

Around a decade ago crafty people at Google figured out a way of getting Google Doubleclick ad-tracking cookies onto the devices of Safari-using iPhone customers, defying Apple privacy controls, using a method called the Safari Workaround. That workaround tricked the browser into accepting a cookie on the false basis that a form submission was being made to Google every time it loaded a Google ad, as we reported in 2012 when the ruse came to light.

Google stumped up about four hours' worth of its 2012 revenues – $25m – to an American regulator as penance, and flung a further $17m at another bunch of aggrieved USians to make them shut up and go away.

Nonetheless, British privacy activist Judith Vidal-Hall sicced lawyers onto Google and the High Court ruled in 2014 that the Chocolate Factory could be sued in the UK, following desperate attempts by the adtech giant to claim it wasn't subject to UK law. Had it won, the case would have been thrown out. A year later the Court of Appeal stomped on Google's attempt to get that preliminary ruling overturned. Critically, Vidal-Hall and Google settled before the jurisdiction issue was decided by the Supreme Court, so the actual issue of whether Google had broken the Data Protection Act 1998 was never tried.

Along came Lloyd in 2018, and with him Therium Litigation Funding IC, "an investment vehicle associated with and advised by Therium Capital Management Limited". As well as paying Lloyd a salary of £50k "for up to four years" to act as public frontman for the lawsuit, Therium is potentially entitled to take up to half of the entire damages payout it hopes to squeeze from Google: up to £1.5bn, if the lawyers' sums are right. ®


* No such thing as a class action in the UK. This is a "representative action", as opposed to a group litigation order, and you can read an explanation of those terms here. Coffee may be required.

** Readers may recall that White and Tomlinson played much the same courtroom roles in the cases of pseudonymous businessmen NT1 and NT2 v Google, the Right To Be Forgotten trials. As in the present case, Tomlinson represented the claimants and White defended Google.

Updated to add

Richard Lloyd, the representative claimant, said: "Google's business model is based on using personal data to target adverts to consumers – making hundreds of billions in the process. Using personal data without consent is illegal.

"Despite the High Court acknowledging that millions of people did not give Google permission to use their data in this case, its decision blocked iPhone users' route to redress. This effectively slammed the door shut on holding Google to account.

"The overstretched data protection regulator has refused to stand up for consumers in this case. When the regulators fail to properly protect us against being ripped off by giant tech companies in this way, we have no alternative but to take action ourselves.

"The appeal today is significant not only for those affected by this case, but for consumers in the UK in the future who should be provided with effective legal mechanisms to hold the world's largest companies to account for mishandling our data."

Similar topics

Other stories you might like

  • UK competition watchdog seeks to make mobile browsers, cloud gaming and payments more competitive
    Investigation could help end WebKit monoculture on iOS devices

    The United Kingdom's Competition and Markets Authority (CMA) on Friday said it intends to launch an investigation of Apple's and Google's market power with respect to mobile browsers and cloud gaming, and to take enforcement action against Google for its app store payment practices.

    "When it comes to how people use mobile phones, Apple and Google hold all the cards," said Andrea Coscelli, Chief Executive of the CMA, in a statement. "As good as many of their services and products are, their strong grip on mobile ecosystems allows them to shut out competitors, holding back the British tech sector and limiting choice."

    The decision to open a formal investigation follows the CMA's year-long study of the mobile ecosystem. The competition watchdog's findings have been published in a report that concludes Apple and Google have a duopoly that limits competition.

    Continue reading
  • How refactoring code in Safari's WebKit resurrected 'zombie' security bug
    Fixed in 2013, reinstated in 2016, exploited in the wild this year

    A security flaw in Apple's Safari web browser that was patched nine years ago was exploited in the wild again some months ago – a perfect example of a "zombie" vulnerability.

    That's a bug that's been patched, but for whatever reason can be abused all over again on up-to-date systems and devices – or a bug closely related to a patched one.

    In a write-up this month, Maddie Stone, a top researcher on Google's Project Zero team, shared details of a Safari vulnerability that folks realized in January this year was being exploited in the wild. This remote-code-execution flaw could be abused by a specially crafted website, for example, to run spyware on someone's device when viewed in their browser.

    Continue reading
  • Google has more reasons why it doesn't like antitrust law that affects Google
    It'll ruin Gmail, claims web ads giant

    Google has a fresh list of reasons why it opposes tech antitrust legislation making its way through Congress but, like others who've expressed discontent, the ad giant's complaints leave out mention of portions of the proposed law that address said gripes.

    The law bill in question is S.2992, the Senate version of the American Innovation and Choice Online Act (AICOA), which is closer than ever to getting votes in the House and Senate, which could see it advanced to President Biden's desk.

    AICOA prohibits tech companies above a certain size from favoring their own products and services over their competitors. It applies to businesses considered "critical trading partners," meaning the company controls access to a platform through which business users reach their customers. Google, Apple, Amazon, and Meta in one way or another seemingly fall under the scope of this US legislation. 

    Continue reading
  • New York to get first right-to-repair law for electronics
    Hey, big Apple, how'd you like them Big Apples?

    Right-to-repair advocates are applauding the passage of New York's Digital Fair Repair Act, which state assembly members approved Friday in a 145–1 vote.

    The law bill, previously green-lit by the state senate in a 49-14 vote, now awaits the expected signature of New York Governor Kathy Hochul (D).

    Assuming the New York bill becomes law as anticipated, it will be the first US state legislation to address the repairability of electronic devices. A week ago, a similar right-to-repair bill died in California due to industry lobbying.

    Continue reading
  • I was fired for blowing the whistle on cult's status in Google unit, says contractor
    The internet giant, a doomsday religious sect, and a lawsuit in Silicon Valley

    A former Google video producer has sued the internet giant alleging he was unfairly fired for blowing the whistle on a religious sect that had all but taken over his business unit. 

    The lawsuit demands a jury trial and financial restitution for "religious discrimination, wrongful termination, retaliation and related causes of action." It alleges Peter Lubbers, director of the Google Developer Studio (GDS) film group in which 34-year-old plaintiff Kevin Lloyd worked, is not only a member of The Fellowship of Friends, the exec was influential in growing the studio into a team that, in essence, funneled money back to the fellowship.

    In his complaint [PDF], filed in a California Superior Court in Silicon Valley, Lloyd lays down a case that he was fired for expressing concerns over the fellowship's influence at Google, specifically in the GDS. When these concerns were reported to a manager, Lloyd was told to drop the issue or risk losing his job, it is claimed. 

    Continue reading
  • Workers win vote to form first-ever US Apple Store union
    Results set to be ratified by labor board by end of the week

    Workers at an Apple Store in Towson, Maryland have voted to form a union, making them the first of the iGiant's retail staff to do so in the United States.

    Out of 110 eligible voters, 65 employees voted in support of unionization versus 33 who voted against it. The organizing committee, known as the Coalition of Organized Retail Employees (CORE), has now filed to certify the results with America's National Labor Relations Board. Members joining this first-ever US Apple Store union will be represented by the International Association of Machinists and Aerospace Workers (IAM).

    "I applaud the courage displayed by CORE members at the Apple store in Towson for achieving this historic victory," IAM's international president Robert Martinez Jr said in a statement on Saturday. "They made a huge sacrifice for thousands of Apple employees across the nation who had all eyes on this election."

    Continue reading
  • Makers of ad blockers and browser privacy extensions fear the end is near
    Overhaul of Chrome add-ons set for January, Google says it's for all our own good

    Special report Seven months from now, assuming all goes as planned, Google Chrome will drop support for its legacy extension platform, known as Manifest v2 (Mv2). This is significant if you use a browser extension to, for instance, filter out certain kinds of content and safeguard your privacy.

    Google's Chrome Web Store is supposed to stop accepting Mv2 extension submissions sometime this month. As of January 2023, Chrome will stop running extensions created using Mv2, with limited exceptions for enterprise versions of Chrome operating under corporate policy. And by June 2023, even enterprise versions of Chrome will prevent Mv2 extensions from running.

    The anticipated result will be fewer extensions and less innovation, according to several extension developers.

    Continue reading
  • End of the road for biz living off free G Suite legacy edition
    Firms accustomed to freebies miffed that web giant's largess doesn't last

    After offering free G Suite apps for more than a decade, Google next week plans to discontinue its legacy service – which hasn't been offered to new customers since 2012 – and force business users to transition to a paid subscription for the service's successor, Google Workspace.

    "For businesses, the G Suite legacy free edition will no longer be available after June 27, 2022," Google explains in its support document. "Your account will be automatically transitioned to a paid Google Workspace subscription where we continue to deliver new capabilities to help businesses transform the way they work."

    Small business owners who have relied on the G Suite legacy free edition aren't thrilled that they will have to pay for Workspace or migrate to a rival like Microsoft, which happens to be actively encouraging defectors. As noted by The New York Times on Monday, the approaching deadline has elicited complaints from small firms that bet on Google's cloud productivity apps in the 2006-2012 period and have enjoyed the lack of billing since then.

    Continue reading
  • It's a crime to use Google Analytics, watchdog tells Italian website
    Because data flows into the United States, not because of that user interface

    Another kicking has been leveled at American tech giants by EU regulators as Italy's data protection authority ruled against transfers of data to the US using Google Analytics.

    The ruling by the Garante was made yesterday as regulators took a close look at a website operator who was using Google Analytics. The regulators found that the site collected all manner of information.

    So far, so normal. Google Analytics is commonly used by websites to analyze traffic. Others exist, but Google's is very much the big beast. It also performs its analysis in the USA, which is what EU regulators have taken exception to. The place is, after all, "a country without an adequate level of data protection," according to the regulator.

    Continue reading
  • Google recasts Anthos with hitch to AWS Outposts
    If at first you don't succeed, change names and try again

    Google Cloud's Anthos on-prem platform is getting a new home under the search giant’s recently announced Google Distributed Cloud (GDC) portfolio, where it will live on as a software-based competitor to AWS Outposts and Microsoft Azure Stack.

    Introduced last fall, GDC enables customers to deploy managed servers and software in private datacenters and at communication service provider or on the edge.

    Its latest update sees Google reposition Anthos on-prem, introduced back in 2020, as the bring-your-own-server edition of GDC. Using the service, customers can extend Google Cloud-style management and services to applications running on-prem.

    Continue reading

Biting the hand that feeds IT © 1998–2022