Lloyd vs Google: UK needs collective redress

In 2012, Google hacked the web browers of million of Apple users to store data on their devices and track their activities online. The egregious and deliberate nature of this breach was met with harsh criticism at the time, and saw a collective claim been raised in the UK to seek damages over Google illegal conduct. Google vs. Lloyd finally reached the UK Supreme Court, who ruled in favour of Google and effectively opened the floodgate for the online tracking industry to compromise with impunity the security of million of devices whose privacy features are restricting the ability to track users’ online without their consent. For instance, Facebook aversion over Apple new anti-tracking features is notorious, and it is not difficult to imagine how Google hack of the security of Apple devices will make a school case for them.

Many people may see today’s decision as a setback, or at least no progress, on data protecion enforcement. In particular, it is worrying that the Supreme Court held that “none of the requirements of the [Data Protection Act] is predicated on “control” over personal data by the data subject.” Consequently, they held that “loss of control” could not be awarded compensation in itself, but individuals who suffered a breach needed “to prove that the contravention has caused material damage or distress to the individual concerned.”

It is worth noticing that this is not the case anymore. The DPA 1998, which the ruling is based upon, was replaced by the UK GDPR and the DPA 2018, which are meant to give individuals’ control over how their personal data is used. The use of digital technologies and automation to take decisions over an increasing amount of life necessities means that having effective remedies over control of one’s personal data effectively determines whether we have any scrutiny over these processes. This also means that we cannot have human rights in the digital age without effective remedies over the loss of control of how our personal data is used. The retrospective analysis of the Supreme Court over this topic should not be applied to future cases, but taken as a view of the law in 2012.

Fortunately the GDPR included an option for collective complaints to be made by privacy organisations. The idea was that very difficult issues would not always come to light, or that it would be difficult for data subjects to show that they were affected by a particular incident.

The government committed to examining this mechanism, under 80(2) GDPR, but last year, the government rejected that approach, saying:

6.17. Finally, the government is mindful of developments in the Lloyd v Google case which is due to be heard in the Supreme Court, in early 2021. Although cases brought under the civil procedure rules are different from claims brought under Article 80(2) of the UK GDPR because they rely on an affected individual to act as the lead claimant when representing the interests of others, they demonstrate the potential for a form of representative action to succeed under the existing Rules. The government will continue to monitor developments in this area closely.

Taken at its word, the government should now commit to provide representative action through 80(2). UK GDPR says at 80 (2)

The Secretary of State may provide that any body, organisation or association referred to in paragraph 1 of this Article, independently of a data subject’s mandate, has the right to lodge a complaint with the Commissioner and to exercise the rights referred to in Articles 78 and 79 if it considers that the rights of a data subject under this Regulation have been infringed as a result of the processing.

This would provide a powerful alternative to the mechanism envisaged in Lloyd vs Google. After all, nobody believes that Google acted lawfully: around 4 million people’s devices were unlawfully tampered with to track and profile them for advertising purposes.

We should also consider the difficulties we are facing getting the ICO to act, sometimes in cases of massive data breaches. The Adtech industry — of which this case is just one facet — is operating entirely unlawfully, according to the ICO. The ICO closed the complaint filed by Jim Killock and Michael Veale, without resolving this breach. What then, is the answer, if neither collective redress nor the ICO are providing redress?

While it may be hard to estimate individually and consistently what harm exists, the fact is that harm is done when people are profiled and manipulated. The law, also, is broken. We must therefore have a mechanism to address the problem.

Article 80(2) has many benefits. The greatest of these is that it relieves the ICO of much of the investigatory burden associated with complaints. For a complaint to be credible, the representative organisation must be able to show that a breach has occurred, and that it is sufficient for the ICO to want to deal with it. Trivial complaints will not reach a threshold of relevance sufficient for the ICO to feel it necessary to deal with such complaints. This means that the ICO is only obliged to deal with well formed and substantial complaints.

Such complaints, while they need to be resolved by the ICO, do not necessarily end up with fines; measures can include changes by the data processor, data deletion, and orders complelling changes to data practices.

In short, it is time to come back to Article 80(2) and ensure that there is protection in place, given that complaints based on adhoc financial models are understandably not finding favour with the courts.