Blog Lloyd vs google 1

Lloyd vs Google: Why it matters to your business

May 11th, 2021 Posted in Data Protection

Last week, the Supreme Court held a long-anticipated two-day hearing on the case of Lloyd vs Google. The Court’s decision could have extensive implications for data protection practices and litigation in the United Kingdom (“UK”).

As we eagerly await the decision from the Court, here is an overview of the case so far and what it means for UK businesses.


In 2017, former Which? director, Richard Lloyd, brought a representative claim against Google under Rule 19.6 of the Civil Procedure Rules. The lawsuit states that Google illegally gathered the personal data of millions of iPhone users between 2011 – 2012 and used it for targeted advertising.

It did this, the claim states, by harvesting personal information – including people’s race, age, sexuality and more – through the Apple web browser: Safari. The company then sold this data to third-party advertisers.

Lloyd alleges that Google breached its responsibilities as a data controller under section 4 of the Data Protection Act 1998 (“DPA”). He claims that the company used an illegal workaround to collect individuals’ data – potentially even in instances where third-party cookies were blocked:

“We believe that Google took millions of iPhone users’ personal information illegally in 2011 and 2012. Google did this by bypassing the default privacy settings on the iPhone’s Safari browser. This has been called “the Safari Workaround”. The workaround tracked internet browsing history, which Google then used to sell a targeted advertising service.” – Google You Owe Us, Lloyd’s advocacy group

Timeline of events

  • July 2017: Google is formally notified of the claim
  • October 2018: The High Court blocks the case from going any further, on the basis that there is no proof that those impacted have suffered any damage as a result of the data sharing, which is required under section 13 of the DPA. The judge also rules that it is difficult to see how the millions of people impacted share the “same interest” requirement for Representative Action under CPR 19.6.
  • September 2019: Lloyd takes the High Court’s decision to the Court of Appeal, and they overturn the ruling. The Court states that damages can be awarded for a loss of control of data under section 13 of the DPA, even if no pecuniary loss has been caused. They also rule that the class members do indeed share the same interest. This means the claim can proceed as a representative action case.
  • March 2020: The Supreme Court grants Google permission to appeal against the Court of Appeal’s decision. Google argues data protection claims need to show proof of damage as its rebuttal.
  • April 2021: The appeal is heard in the Supreme Court.

What makes this case unique?

This case is what’s known as an “opt-out” class action suit, which means that a claim is brought forward by one individual or company, on behalf of all those impacted. If the claimant is successful in court, then the compensation will be available to all those potentially involved – unless they choose to opt out.

While these kinds of claims are commonplace in the United States (“US”), they are rare in the UK. Instead, we have what’s typically known as Group Litigation Orders (“GLO”). However, GLO litigation is not a straightforward process.

Typically, the court expects each individual involved in a claim to actively “opt-in”, rather than be included in the claim by default. Furthermore, the court requires that the claimant proves the damage to each individual involved in the case. In data privacy incidents like this, where millions are impacted and the definition of ‘damage’ is murky, this is near impossible.

Therefore, the decision from the Court of Appeals to allow Lloyd’s claim to proceed – on the basis that a loss of data is damage and the group shared the same interest – is a huge divergence from traditional practice.

Decoding the controversy

Supporters of this case see the decision as a ground-breaking move for data protection and privacy. During April’s hearing, the ICO itself weighed in. Its barrister, Gerry Facenna QC, stressed the importance of control over one’s data as a fundamental right. He emphasized the need for society to implement adequate data protection and expressed the ICO’s view that a loss of control over data is a form of harm/damage.

However, the litigation has also been met with criticism. For one, the integrity of Lloyd’s case has been questioned because the litigation is funded by Therium Capital Management. Data protection specialist Tim Turner has described the case as being less like David v Goliath and more like Goliath v Goliath because it is funded by Therium and is about monetising a claim for profit rather than data protection and ethics.

Furthermore, the Confederation of British Industry (“CBI”) has argued against the introduction of opt-out class action provisions, stating that they are “a radical departure from UK precedent that would likely lead to a rapid and costly acceleration in claims, including meritless ones.”

The CBI feels that current data protection complaint practices within the UK framework – such as going to the Information Commissioner’s Office (“ICO”), directly complaining to a company, and opt-in, collective action proceedings – are more than satisfactory.

A landmark decision is pending

Following the two-day hearing, the Supreme Court is now deliberating the Court of Appeal’s ruling, which granted Lloyd to serve his representative claim against Google. The Court’s decision will have widespread ramifications for data protection claims across the UK, including:

  • Whether ‘loss of control’ of data constitutes damages under the DPA.
  • Whether these ‘damages’ are grounds for a representative action case, on the basis the group shares the same ‘same interest’
  • Whether Lloyd has the right to act as a representative for the group, and claim on their behalf.

If the Supreme Court rules in favour of Lloyd, we could see class action litigations arise much more frequently, underpinned by this new type of damages: loss of personal control of data. For example, if an organisation uses cookies incorrectly, this could lead to all its website visitors having grounds for a claim. Similarly, data sharing practices will have to become much more stringent, transparent and proactive in obtaining consent.

Saying this, it’s worth remembering that moving forward with a class-action suit is not simple or easy. The process is costly and involves a lot of coordination from the claimant and their law firm. This means that, if the Court permits Lloyd to proceed, it’s unlikely we will see the proverbial floodgates open all at once for opt-out style class actions.

Steps to take

While this may be one of the first cases of its kind in the UK, it certainly won’t be the last. Both consumers’ and businesses’ digital footprints are expanding. The amount of data shared and processed is huge and growing each day. If a company is found to be using this data unlawfully or negligently, there is a risk of legal repercussions.

Even as we await the verdict from the Supreme Court, this lawsuit is a significant reminder that businesses large and small should take proactive steps to be transparent and fair when processing personal data and to identify and manage risks to data subjects.

To keep up to date with the latest on the case, be sure to check our blog regularly.

Need help?

If you need assistance with data protection compliance, we can help. Evalian is a specialist data protection services provider, working with organisations of all sizes. Please contact us for more information.

Raymond Orife Evalian 250x250

Written by Ray Orife

Ray specialises in data protection and information rights law. He is a qualified solicitor and worked in private practice and in-house in commercial law roles before focusing on data protection. Before joining Evalian™ he was in-house counsel and Data Protection Officer for a high street financial services organisation and their associated businesses. His qualifications include a First Class Honours Degree in Law, LPC (Distinction), Practitioner Certificate in Data Protection (PC.dp) and IAPP CIPP/E.