On Monday, it was widely reported that Google is facing a “groundbreaking” £3.2billion lawsuit for allegedly tracking 4.4 million UK iPhone users’ browsing data without their knowledge. Google is said to have circumvented privacy settings on Apple’s Safari browser between July 2011 and August 2012 – what’s being called the Safari Workaround – to harvest personal data and profile individual users.
But will the historic group claim – known as a ‘representative action,’ in which a lead claimant represents the interests of a much larger group – actually be given the go-ahead? That's not clear. At the moment, campaign group Google You Owe Us, led by consumer advocate and former Which? director Richard Lloyd, faces a number of challenges in establishing the claim.
This is the first time a collective claim with the hope of pursuing compensation has been lodged for issues of data protection in the UK. The case, currently being heard in the high court, dragged onto a third day yesterday with Apple raising a number of more substantial legal issues over the past few days. The initial hearing was intended to address whether the case could be heard within the UK’s jurisdiction.
According to the lead claimant Lloyd, Google was yesterday seeking dismissal on the basis of a lack of legal precedent, and argued that individuals should pursue compensation on their own. But it's unlikely, says Lloyd, that individual consumers would even try bringing a giant like Google to court for what they admit would be a small claim, somewhere in the region of a few hundred pounds - especially given that the UK legal system requires the loser to pay the other party’s costs.
But this is precisely what makes the case suitable for being tried as a group claim. “These breaches probably do cause an element of distress and inconvenience to a large number of people,” says Sean Humber, specialist in data protection and partner at Leigh Day, a law firm which specialises in group claims. Though they may not have life-changing consequences, he says, in a world where data breaches are more common and more topical, there is a good case for such representative claims - which are clearly not going to be fought on an individual basis.
And elsewhere in the world, Humber says, such cases are already well-established. Though the UK’s tradition of representative actions is less well-tested, they are “already common in other jurisdictions and the sky has not fallen in,” he says. This type of case, he says, addresses a real problem: “what do you do when the law has clearly been broken, people are entitled to compensation, but frankly, probably a modest amount - and it’s hard to otherwise bring a claim?”
So will the case actually go ahead? For that to happen, the claimant needs to demonstrate that all of the 4.4 million iPhone users face the same issue as consumers, so that their cases are tried collectively. While Google disputes that users’ loss was uniform, those bringing the case argue that the fact of the violation of privacy rights should act as a litmus test and enable all involved to claim compensation. “What we’re saying is that everyone was affected in the same fundamental way in that their data rights were breached,” Lloyd says.
Exactly how ‘loss’ should be quantified in the context of privacy is not straightforward, but the claimants in previous similar cases argued that limited distress provides grounds for a small amount of compensation. In the current case, Google You Owe Us is arguing that the loss of control of one’s personal data amounts to a meaningful claim for limited compensation in itself. Lloyd also stresses that data breaches can and do often happen without consumers becoming aware of them for some time, if at all – yet a loss of rights still takes place.
And for the claim to be established, the claimant would also need to convince the judge that there is a plausible plan for contacting all 4.4 million people and enabling them to access the theoretical damages. The campaign group says that it has set out a programme for reaching individuals through social media, and will enable them to verify that they were affected with the help of personal data held by companies like Google and Apple. That would then show clearly whether, for instance, they were in possession of an Apple ID at the time.
The £3.2billion figure being quoted, Lloyd says, actually derives from Apple’s own calculations of roughly £727 per person, according to a revised estimate agreed between both parties that 4.4 million people were affected. This figure likely relates to an upper limit of compensation of £750 set in 2013 by a case called Halliday v. Creation Consumer Finance Ltd. The new GDPR regulations, coming into force from Friday, will make it much easier for claimants to pursue compensation for non-monetary loss.
Tom Price, Google’s Head of Communications, says the ‘representative action’ – akin to a US ‘class action’ – has “no merit and should be dismissed.” The case “relates to events that took place over six years ago and that we addressed at the time,” he adds. Google has been arguing that the case should not be tried in the UK because the company is based in California and headquartered in Delaware – yet lawyers are arguing that since the company operates in the UK and the data breach affected UK consumers, there is every reason to try the case here.
Legal experts suggest the case has a good chance of going ahead given its legal merit has already been established in a smaller case with very similar facts, Vidal Hall v Google in 2015. It was eventually settled out of court, with Google withdrawing their appeal before it got to the Supreme Court, though the courts judged it warranted a full trial, and also that damages for distress and non-pecuniary losses could be awarded in data protection litigation.
What is really interesting about this litigation, says Orla Lynskey, assistant professor of law at the London School of Economics who specialises in data protection, “is that it is a sign of things to come in terms of data protection enforcement. Until now, data protection law has been largely under-enforced as individuals have not been sufficiently organised and regulators have not been sufficiently resourced to tackle the power of data giants”.
While a lot of attention has been on the fines that can be issued by regulators under the GDPR, “an equally significant development,” she says, is the possibility for individuals to mandate NGOs and civil society organisations to take this type of representative action on their behalf. “Google and others will therefore need to get used to individuals pursuing accountability in this way,” Lynskey says.
In the US, two Democrat senators have recently urged the Federal Trade Commission (FTC) to investigate “potential deceptive acts and practices used by Google to track and commoditize American consumers” through the tracking of their location data even when location services are turned off. Back in 2012, the FTC fined Google $22.5 million for violating a commission order that it would not use cookies on Apple’s Safari browser or serve those users targeted ads. At the time, this was the largest penalty ever levied by the FTC.
“The courts need to recognise,” says Lloyd, “that there is literally no other way that mass numbers of people affected by a data breach could hold firms to account and get some redress. There’s nothing else realistically they could do.” Seeing the case go forward would be a landmark step, giving people the power to take massive companies on.
This article was originally published by WIRED UK