Billions in data protection lawsuits rides on Google's last-ditch UK Supreme Court defence for Safari Workaround sueball
Biggest data protection case for years teeters on brink
Google has urged the UK's Supreme Court to throw out a £3bn lawsuit brought by an ex-Which director over secretly planted tracking cookies on devices running Safari, on the grounds that local law doesn’t allow for opt-out class action lawsuits.
The case, being heard over two days this week in the Supreme Court, the final court of appeal in Britain for civil cases, has huge implications for legal businesses and investors as well as data protection law. At stake is a previous Court of Appeal ruling, as well as up to £3bn for a venture capital fund backing former Which man Richard Lloyd's case.
Lloyd fronts a campaign called Google You Owe Us. He seeks somewhere between £1.5bn and £3bn from Google in damages for breach of statutory duty – but before that can be argued about, he needs legal permission to serve the case on Google LLC in the US.
The High Court refused that permission in 2018; the Court of Appeal overruled it a year later and said yes (with some very pointed observations from a senior judge as it did so); and now Google wants a return to the status quo from the Supreme Court.
Antony White QC for Google told the court yesterday: “In our submission it is an important point of reference in this case that under the general law, a claim in tort of breach of statutory duty is not actionable per se; it requires proof of harm.”
When is a class action not a class – or an action?
Class actions, in the US sense, are almost unknown over here because until the Court of Appeal’s 2019 ruling, the UK didn’t have a so-called “opt out” class action procedure. In America anyone can start a class action on behalf of however many millions of people they want and it’s up to members of the class to say “not in my name” if they don’t want to be part of it; in the UK the situation used to be the other way around.
To start a representative action (the English legal name for a class action) members of the class all need to have exactly the same “interest” in the case. Here, Google argues that of the potentially millions of Britons affected by its Safari Workaround, nobody can tell how many people suffered damage (in the legal sense) by being tracked around the web. Therefore, the adtech monolith says, Lloyd’s case is fundamentally flawed and ought to be kicked out.
Kate Macmillan, a consultant for law firm Herbert Smith Freehills, explained the “same interest” test for The Register, saying the principle this case could establish would apply to a lot of different circumstances.
“In this instance one person’s use – a user visiting a dictionary website for example – will be very different to another’s such as a super user's,” said Macmillan. “The latter is likely to be entitled to a higher award of damages than the former. Or to give another practical example, consider the problem in relation to a representative action involving rent increases where those with higher incomes are subsiding those with lower incomes. Claimants would be differently impacted – so could one say there is ‘relief beneficial to all’?”
They’re all different so shouldn’t all sue at once
Back in the courtroom, White expanded on Google’s case: “We submit that where loss of control over personal data does have significantly harmful consequences for an individual, compensation can be awarded but the harm being compensated in such circumstances is not the abstract fact of loss of control but the harmful consequences it has had for the individual.”
This is an unbroken line of argument stretching back to the High Court, where a 2018 witness statement made on Google’s behalf said: “The Claimant’s attempt to characterise every Class member as suffering the same loss is contrived. It is self-evident that individual Class members would have had very different experiences, and those experiences bear directly on whether (and if so how) they can claim to have suffered any loss at all.”
White’s argument that loss of control is separate from damage, in legal terms, may not hit home. Sir Geoffrey Vos, Chancellor of the High Court, gave this short shrift when he heard the case in the Court of Appeal. Similarly, Lady Arden, one of the Supreme Court judges, trenchantly observed yesterday: “You can’t just pull out one strand and say ‘no harm’. You also have to look at the responsibility of the data holder, whether its actions were proportional or not.”
Echoing Lady Arden, Lord Leggatt said: “Let’s say if you’re detained wrongfully for five minutes you’re not going to get any significant award. If you were to look at this wrong in the same way, there are still going to be cases aren’t there, where the breach is such that nominal damages are appropriate.”
If the Supreme Court gives permission for the case to go ahead, Google will have to defend its sneaky implanting of tracking cookies with reference to section 13 of the Data Protection Act 1998 (“Compensation for failure to comply with certain requirements”), which was in force when the badness occurred.
The legal industry and speculators are watching closely
Lots of law firms and big-ticket lawsuits depend on Lloyd winning: to list a few, these include the British Airways sueball, a similar one proposed against Easyjet, and one in the works against Facebook plus one more in a weird public-private partnership against Tiktok.
In each of those cases there is a financial backer who stands to profit handsomely from the damages, taking up to half of the sum awarded against the allegedly naughty company – which explains why the maximum claim runs to hundreds of millions or even billions of pounds. Advocates for these representative actions say they are the only way that Joe and Josephine Average can claim any meaningful compensation for wrongs done to them in those cases.
Today the court will hear from Hugh Tomlinson QC, for Lloyd, and from Gerry Facenna QC on behalf of the Information Commissioner’s Office which supports Lloyd’s case. ®