The Supreme Court has blocked a mass legal action against Google over claims that it secretly tracked millions of iPhone users’ web browsing activity while telling them that it did not.
The court has unanimously allowed Google‘s appeal against the Court of Appeal’s 2019 judgement.
The representative action on behalf of over four million people in England and Wales – which could have resulted in iPhone users receiving up to £750 each in compensation – cannot now go ahead.
It was over claims the company collected users’ data between 2011 and 2012 – as part of an “unusual” and potentially groundbreaking representative action.
Consumer rights champion Richard Lloyd brought the claim similar to class-action style lawsuits in the US.
The Supreme Court ruled that the class action claim could not succeed as Mr Lloyd could not prove that all of the individuals he was representing “suffered any material damage or distress” as a result of the breach, and thus could not all be represented as having suffered the same harm.
A judgment in Mr Lloyd’s favour was poised to open the doors to more representative actions in Britain in other data protection cases, allowing consumer rights defenders to bring class-action style claims against companies that are accused of breaching privacy law.
Mr Lloyd said he was “bitterly disappointed that the Supreme Court has failed to do enough to protect the public from Google and other Big Tech firms who break the law”.
“They have overturned a very clear ruling by senior, expert judges in the Court of Appeal.
“Although the Court once again recognised that our action is the only practical way that millions of British people can get access to fair redress, they’ve slammed the door shut on this case by ruling that everyone affected must go to court individually.
“If there are few consequences for abusing our personal data then there is little incentive for companies like Google to protect consumers.
“The government must now step in to make the system clearer and stronger by bringing in the right for groups of consumers to take action together under the Data Protection Act. The responsibility to protect our privacy, data rights and collective action is squarely back with the government,” he added.
Lloyd’s solicitor, and managing partner at the law firm Milberg, James Oldnall commented: “The ruling today gives Google and rest of Big Tech the green light to continue misusing our data without consent, knowing they will go unpunished. It is a dark day when corporate greed is valued over our right to privacy.”
A spokesperson for Google said: “This claim was related to events that took place a decade ago and that we addressed at the time.
“People want to know that they are safe and secure online, which is why for years we’ve focused on building products and infrastructure that respect and protect people’s privacy,” they added.
Google claimed that it was prevented from collecting data from iPhone, iPad, and Mac users by the Safari browser’s default privacy settings, but this was discovered to be a misrepresentation.
The workaround was discovered by Jonathan Mayer, then a graduate researcher at Stanford University. At the time, Google said that the data collection was accidental and it did not mean for the feature to bypass the Safari browser’s default security settings.
The company subsequently settled with the US Federal Trade Commission over the breach, paying a then record civil penalty of $22.5m in August 2012.
The company also paid $17m to dozens of states in the US admitting that it had collected this data for the purposes of advertising while informing users that it wouldn’t, though it did so in a settlement which did not accept any liability.
The judgment in London came as Google lost in Luxembourg, where the European Court of Justice dismissed its appeal against a then record €2.4bn (£2.2bn) fine imposed by the European Commission for favouring its own online shopping service ahead of rivals.
Following the judgment, Harriet Ellis, dispute resolution partner at law firm Linklaters, said: “The decision will be a big blow to claimant law firms and funders who had hoped to create a new opt out regime for damages in the data breach sphere. We would expect a lot of similar claims issued in its wake now to fall away.
“Claimant firms will be studying the decision carefully to see if there any viable opt-out class actions that can still be brought. But it looks really tough,” Ms Ellis added.