Introduction
The UK Court of Appeal today allowed a representative action brought by Richard Lloyd against Google to proceed. Whilst this does not mean that US-style class actions are set to hit the UK, it is likely to lead to more litigation over data protection violations, including security breaches.
This note includes some technical data protection terms which are explained in our glossary here www.bit.ly/gdprwords.
What is the background to the case?
The case involves the so-called Safari workaround where it was alleged that Google unlawfully collected data from iPhone users. The case was dismissed last year and today the Court of Appeal granted an appeal against that judgement. You can read about the original case here https://www.corderycompliance.com/google-class-action-claim-rejected/
This was not a GDPR case. It was brought under prior UK law, the Data Protection Act 1998.
How big is this case?
The claimant’s best estimate at one stage was that the number of people affected was as many as 5.4 million people. Google’s estimate of the potential liability, if some of the claimants’ per capita figures for damages were accepted, was between £1 and £3 billion.
It is also significant that the claimants have secured litigation funding from Therium Capital Management to bring the case.
What happens next?
This case will now go back to court unless Google decides to appeal to the Supreme Court. Google can apply directly to the Supreme Court within 28 days to appeal today’s judgment.
The Court of Appeal has not at this stage decided in the claimants’ favour but they have allowed the case to be brought. There are still significant hurdles for the claimants to overcome including justifying the level of damages sought.
There are likely to be additional significant developments in group actions in data protection cases soon. A claim against BA in connection with its data breach is, we understand, scheduled for a preliminary hearing this Friday. We can also expect more developments in the Morrisons case, which again follows a security breach, which we wrote about here https://www.corderycompliance.com/client-alert-court-of-appeal-confirms-morrisons-vicarious-liability-for-actions-of-rogue-employees/.
This case will not be – as some have claimed – an opening of the floodgates. It will however add focus for companies involved in a data protection issue and remind them that any fines they may end up paying to a data protection authority may only be part of the loss they suffer.
We report about data protection issues including litigation here: http://www.corderycompliance.com/category/data-protection-privacy/.
For more about GDPR please also see our GDPR FAQs which can be found here: http://www.corderycompliance.com/eu-data-protection-regulation-faqs-3/.
Cordery’s GDPR Navigator includes resources to help deal with data protection compliance. GDPR Navigator includes:
- Detailed guidance on the security aspects of GDPR in paper and on film;
- A template data breach log;
- A template data breach plan; and,
- A template data breach reporting form.
For more on Navigator please see here: http://www.corderycompliance.com/solutions/cordery-gdpr-navigator/.
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong Cordery Lexis House 30 Farringdon Street London EC4A 4HHOffice: +44 (0)20 7075 1784 jonathan.armstrong@corderycompliance.com |
Andre Bywater Cordery Lexis House 30 Farringdon Street London EC4A 4HHOffice: +44 (0)20 7075 1785 andre.bywater@corderycompliance.com |
![]() |
![]() |