Lloyd v Google: The Most Important Data Rights Case In UK History?
On 28 April, the U.K. Supreme Court hears Lloyd v Google — a vitally important case for the future of data rights. There’s a lot riding on this case.
Consumer rights advocate Richard Lloyd is suing Google over the “Safari Workaround”.
Lloyd alleges that Google set cookies without consent (surely not!) on over 4 million UK iPhones in 2011/12, despite Apple’s browser protections that attempted to prevent this.
The case has big implications for data protection in the U.K.
Why is it such a big deal?
There are several reasons why Lloyd v Google is so significant.
First, the case is a U.S.-style “opt-out” class action. The class members that Lloyd represents are unidentified. This is unusual in the U.K., and it’s first for a privacy-related case.
Second, Lloyd doesn’t attempt to prove any actual damage occurred to the class members. The case doesn’t claim that iPhone users lost money or experienced distress as a direct result of Google’s practices. “Loss of control” of personal data is cited as a harm in itself.
Third, there are several ongoing cases that hinge on Lloyd’s success.
Which other cases are dependant on Lloyd v. Google?
I’ve counted three ongoing class-action cases which for which Lloyd v Google has significant implications.
- McCann v YouTube: Duncan McCann of the New Economics Foundation is suing Google over its use of kids’ data on YouTube. I spoke to McCann about his case last September.
- Rumbul v Salesforce and Oracle. This case is on hold pending the outcome of Lloyd. I interviewed Rumbul about her £10 billion class-action last year.
- Jukes v Facebook: Byline Times editor Peter Jukes is suing Facebook over the Cambridge Analytica scandal. I also interviewed Jukes about this case.
- A child v TikTok: I covered this case last year, but we still don’t know much about it. The class representative is an anonymous 12-year-old girl [UPDATE: we now have more detail about the TikTok case: https://www.bbc.co.uk/news/technology-56815480].
Aren’t these opt-out “class actions” a bit American, anyway? Why is it a problem if they don’t happen in the U.K.?
While I’m no great fan of American-style litigious legal culture, there are two good reasons to support these types of cases.
First, it’s becoming a cliche to say this, but the GDPR is not being enforced. These class actions only hurt companies with deep pockets, and they mean we don’t have to rely on regulators
Second, under Art 80(2) GDPR, it is possible for a non-profit to bring legal action on behalf of data subjects without seeking their express permission. However, the U.K. government chose not to implement this provision into U.K. law.
When reaffirming its Article 80(2) decision earlier this year, the government specifically cited Lloyd v Google as evidence that the provision was unnecessary.
It’s already extremely difficult for people in the U.K. to exercise their data rights. If Lloyd v Google fails, it will get even harder.
