The appeal verdict was handed down last Wednesday (2 October). According to a statement from the law firm DLA Piper, the Court of Appeal held that a claimant could recover damages for loss of control of their data without proving pecuniary loss/damages. It said Lloyd would now be able to serve his claim on Google in the US and proceed with the representative action.
The Court ruled that the members of Lloyd’s class of potential claimants held the "same interest" as required by Civil Procedure Rule 19.6 (1). When the case was thrown out, the presiding judge, Mr Justice Warby, had said "there was no real prospect that Lloyd's claim would be permitted to continue as a representative action under CPR 19.6 because: (i) the class of claimants do not share the 'same interest' in the claim; (ii) the class is insufficiently defined; and (iii) for a number of reasons it would be appropriate for the court to exercise its overriding discretion not to allow the claim to proceed", according to DLA Piper.
The action seeks damages of £3.2 billion (US$4.3 billion) from Google for bypassing default privacy settings on the Safari browser on iPhones. The group has alleged that Google made huge amounts of money from selling targeted advertising, with US$80 billion earned from advertising in 2016.
The campaign's lawyers said race, physical and mental heath, political leanings, sexuality, social class, financial, shopping habits and location data were among the details collected by the search engine.
In a blog post, DLA Piper's Ross McKean, Jamie Curle, Andrew Dyson and Zoë Jensen pointed out: "The Safari Workaround enabled Google to set the DoubleClick Ad cookie on a device, without the user’s knowledge or consent, whenever the user visited a website that contained DoubleClick Ad content.
"It is alleged that this enabled Google to ascertain the date and time users spent on any given website; what pages were visited and for how long; and which adverts were viewed. Sometimes Google was also able to collect data on the approximate geographical location of the user. This data is referred to as 'browser-generated information'.
"Google aggregated this data into audience segments and labelled it eg. 'football lovers'. Google’s DoubleClick service then offered these audience segments to subscribing advertisers, allowing them to choose the type of people to whom they wanted to direct their advertisements."
The four legal experts added: "Having to prove specific damage for each individual in a class has acted as a very effective deterrent to group litigation. This decision, which allows damages to be awarded without proving pecuniary loss or distress, removes another barrier to class actions.
"That said, another key question remains open which is what the quantum of damage should be in this scenario. Similarly, case law assessing damages in data protection claims for distress are few and far between so some uncertainty remains for claimant lawyers and their backers.
"What is abundantly clear is that Lloyd’s substantive claim (which can now progress) has the potential to significantly increase exposure for organisations following a data breach or other breach of the European GDPR."
Contacted for comment, Lloyd said: "[The] judgment sends a very clear message to Google and other large tech companies: you are not above the law. Google can be held to account in this country for misusing peoples' personal data, and groups of consumers can together ask the courts for redress when firms profit unlawfully from 'repeated and widespread' violations of our data protection rights. We will take this fight against Google all the way."
James Oldnall, lead lawyer on the case and partner at Mishcon de Reya, said: "Today's decision is significant not only for the millions of consumers affected by Google's activity but also for the collective action landscape more broadly. The Court of Appeal has confirmed our view that representative actions are essential for holding corporate giants to account."
A Google spokesperson sent the following response on Tuesday: "Protecting the privacy and security of our users has always been our number one priority. This case relates to events that took place nearly a decade ago and that we addressed at the time. We believe it has no merit and should be dismissed."