Richard Lloyd v Google LLC
| Jurisdiction | England & Wales |
| Judge | Mr Justice Warby |
| Judgment Date | 08 October 2018 |
| Neutral Citation | [2018] EWHC 2599 (QB) |
| Court | Queen's Bench Division |
| Docket Number | Case No: HQ17M01913 |
| Date | 08 October 2018 |
[2018] EWHC 2599 (QB)
Mr Justice Warby
Case No: HQ17M01913
IN THE HIGH COURT OF JUSTICE
QUEEN'S BENCH DIVISION
MEDIA AND COMMUNICATIONS LIST
Royal Courts of Justice
Strand, London, WC2A 2LL
Hugh Tomlinson QC, Oliver Campbell QC and Victoria Wakefield (instructed by Mishcon de Reya LLP) for the Claimant
Antony White QC and Edward Craven (instructed by Pinsent Masons LLP) for the Defendant
Hearing dates: 21–23 May 2018
Judgment Approved
Introduction
The claimant, Richard Lloyd, applies for permission to serve the proceedings in this action on Google LLC (“Google”). Permission is needed because Google is a Delaware corporation with its principal place of business outside the jurisdiction — in Mountain View, California — and it has not agreed to accept service of the proceedings.
The claim alleges breach of the duty imposed by s 4(4) of the Data Protection Act 1998 (“ DPA”). The allegation is that over some months in 2011–2012 Google acted in breach of that duty by secretly tracking the internet activity of Apple iPhone users, collating and using the information it obtained by doing so, and then selling the accumulated data. The method by which Google was able to do this is generally referred to as “the Safari Workaround”.
Mr Lloyd is the only named claimant. However, he sues not only on his own behalf, but also in a representative capacity on behalf of a class of other residents of England and Wales who are also said to have been affected by the Safari Workaround in this jurisdiction (“the Class”). The claim is for damages or, in the language of the DPA, “compensation”. No other remedy is sought. No financial loss or distress is alleged. The claim is for an equal, standard, “tariff” award for each member of the Class, to reflect the infringement of the right, the commission of the wrong, and loss of control over personal data. Alternatively, each Class member is said to be entitled to damages reflecting the value of the use to which the data were wrongfully put by Google. It is said that on either basis of recovery more than nominal damages are recoverable by each claimant. No specific figure is put on the tariff, though ranges are mooted, and a figure of £750 was advanced in the letter of claim.
On either basis of recovery, the total damages payable by the Defendant would be calculated by multiplying the fixed sum awarded in respect of each Class member by the number of individuals within the class. The Class is a large one. Estimates of its scale have varied. The claimant's best estimate at one stage was that it comprised as many as 5.4 million people. The estimate has reduced as the Class has been re-defined and refined. But it is still a substantial seven figure number, 4.4 million in the reply evidence. Google's estimate of the potential liability, if some of the claimant's per capita figures for damages were accepted, is between £1 and 3 billion.
There is no dispute that it is arguable that Google's alleged role in the collection, collation, and use of data obtained via the Safari Workaround was wrongful, and a breach of duty. The main issues raised by the application are:
(1) whether the pleaded facts disclose any basis for claiming compensation under the DPA;
(2) if so, whether the Court should or would permit the claim to continue as a representative action.
The Safari Workaround and the DoubleClick Cookie
The relevant events took place between 1 June 2011 and 15 February 2012 (“the Relevant Period”). The evidence before me sets out in some detail the technical background to the claims, but it is unnecessary for present purposes to do more than summarise the position as set out by the claimant.
The case concerns the acquisition and use of browser generated information or “BGI”. This is information about an individual's internet use which is automatically submitted to websites and servers by a browser, upon connecting to the internet. BGI will include the IP address of the computer or other device which is connecting to the internet, and the address or URL of the website which the browser is displaying to the user. As is well-known, “cookies” can be placed on a user's device, enabling the placer of the cookie to identify and track internet activity undertaken by means of that device.
Cookies can be placed by the website or domain which the user is visiting, or they may be placed by a domain other than that of the main website the user is visiting (“Third Party Cookies”). Third Party Cookies can be placed on a device if the main website visited by the user includes content from the third party domain. Third Party Cookies are often used to gather information about internet use, and in particular sites visited over time, to enable the delivery to the user of advertisements tailored to the interests apparently demonstrated by a user's browsing history (“Interest Based Adverts”).
Google had a cookie known as the “DoubleClick Ad cookie” which could operate as a Third Party Cookie. It would be placed on a device if the user visited a website that included content from Google's Doubleclick domain. The purpose of the DoubleClick Ad cookie was to enable the delivery and display of Interest Based Adverts.
Safari is a browser developed by Apple. At the relevant time, unlike most other internet browsers, all relevant versions of Safari were set by default to block Third Party Cookies. However, a blanket application of these default settings would prevent the use of certain popular web functions, so Apple devised some exceptions to the default settings. These exceptions were in place until March 2012, when the system was changed. But in the meantime, the exceptions enabled Google to devise and implement the Safari Workaround. Stripped of technicalities, its effect was to enable Google to set the DoubleClick Ad cookie on a device, without the user's knowledge or consent, immediately, whenever the user visited a website that contained DoubleClick Ad content.
This enabled Google to identify visits by the device to any website displaying an advertisement from its vast advertising network, and to collect considerable amounts of information. It could tell the date and time of any visit to a given website, how long the user spent there, which pages were visited for how long, and what ads were viewed for how long. In some cases, by means of the IP address of the browser, the user's approximate geographical location could be identified. Over time, Google could and did collect information as to the order in which and the frequency with which websites were visited. It is said by the claimant that this tracking and collating of BGI enabled Google to obtain or deduce information relating not only to users' internet surfing habits and location, but also about such diverse factors as their interests and habits, race or ethnicity, social class, political or religious views or affiliations, age, health, gender, sexuality, and financial position.
Further, it is said that Google aggregated BGI from browsers displaying sufficiently similar patterns, creating groups with labels such as “football lovers”, or “current affairs enthusiasts”. Google's DoubleClick service then offered these groups to subscribing advertisers, allowing them to choose when selecting the type of people that they wanted to direct their advertisements to.
Previous action over the Workaround
None of this is news. Google's activities in relation to the Safari Workaround were discovered by a PhD researcher, Jonathan Mayer, as long ago as 2012, and publicised in blog posts and, on 17 February 2012, in the Wall Street Journal. Regulatory action was then taken against Google in the USA. In August 2012 the company agreed to pay a US$22.5 million civil penalty to settle charges brought by the United States Federal Trade Commission (“FTC”) that it misrepresented to users of the Safari browser that it would not place tracking cookies or serve targeted advertisements to those users. On 11 November 2013 it agreed to pay US$17 million to settle US state consumer-based actions brought against it by attorneys general representing 37 US states and the District of Columbia. In addition, the Defendant was required to give a number of undertakings governing its future conduct in its dealings with users in the USA.
In this jurisdiction, these matters would fall under the regulatory jurisdiction of the Information Commissioner, but it appears that there has been no regulatory action taken here. The Safari Workaround has however been the subject of high profile civil litigation against Google in this jurisdiction. In June 2013, Judith Vidal-Hall and two others issued claims against Google claiming damages on the basis that by obtaining and using information about their internet usage via the Safari Workaround the company had misused their private information and/or committed a breach of confidence and breach of the DPA and caused them distress and anxiety.
Permission to serve outside the jurisdiction was granted. The case then came before Tugendhat J. By a judgment delivered in January 2014 he set aside service of the proceedings in relation to breach of confidence, but declined to do so in relation to the claims in misuse and under the DPA: Vidal-Hall v Google Inc [2014] EWHC 13 (QB) [2014] 1 WLR 4155. An appeal by Google was dismissed by the Court of Appeal on 27 March 2015: Vidal-Hall v Google Inc (Information Commissioner intervening) [2015] EWCA Civ 311 [2016] QB 1003. The Supreme Court granted permission to appeal on one issue, but the claim settled before the appeal to the Supreme Court or any trial took place.
The nature and basis of the claims in Vidal-Hall were described by Tugendhat J at [22–25]. They were for compensation for distress suffered by...
To continue reading
Request your trial
-
Ghanem Al-Masarir v Kingdom of Saudi Arabia
...effective acts occurred in London. 131 To similar effect are Vidal-Hall v Google Inc [2014] 1 WLR 4155, [78], and Lloyd v Google LLC [2019] 1 WLR 1265, [47], both of which concerned alleged secret transnational tracking of internet users by Google in breach of data protection legislation.......
-
Lloyd v Google LLC
...High Court Warby J decided both issues in Google's favour and therefore refused permission to serve the proceedings on Google: see [2018] EWHC 2599 (QB); [2019] 1 WLR 1265. The Court of Appeal reversed that decision, for reasons given in a judgment of the Chancellor, Sir Geoffrey Vos, wit......
-
SMO (a child represented by Anne Longfield as litigation friend) acting as a representative claimant pursuant to CPR 19.6 v TikTok Inc.
...on 8 October 2018, Warby J decided both issues in Google's favour and therefore refused permission to serve the proceedings on Google: [2019] 1 WLR 1265. The judge held that, even if the legal foundation for the claim made in the action were sound, he should exercise the discretion conferr......
-
Dr Robin Rudd v John Bridle
...other damage, and show a causal link between that damage and one or more of the contraventions he has established: Lloyd v Google LLC [2018] EWHC 2599 (QB) [56]. Relevant procedural history 23 It is necessary to examine this in a little detail. In parts, it is something of a cautionary tal......
-
Lloyd v. Google: UK Supreme Court Rejects Data Protection Class Action in Landmark Ruling
...[2] Section 13, Data Protection Act 1998 (DPA 1998). [3] High Court’s judgement in Lloyd v Google LLC [2018], EWHC 2599 (QB) (October 8, 2018), available at https://www.judiciary.uk/wp-content/uploads/2018/10/lloyd-v-google-judgment.pdf. [4] Court of Appeal’s judgement in Lloyd v Google LLC......
-
Google LLC v Lloyd – Major Representative Action Denied
...power on more distressing or egregious breaches and where there is something actually worth fighting about. [1] Lloyd v Google LLC [2018] EWHC 2599 (QB) [2] Lloyd v Google LLC [2019] EWCA Civ 1599...
-
UK Data Protection: Class action clouds gather over employers as Morrisons loses appeal
...financial harm. In the UK, data controllers have found some comfort in the recent High Court ruling in Richard Lloyd v Google LLC [2018] EWHC 2599 (QB) insofar as the judge in that case was not prepared to accept that breach of statutory duty or commission of the tort of misuse of private i......
-
UK Data Protection: Class Action Clouds Gather Over Employers As Morrisons Loses Appeal
...financial harm. In the UK, data controllers have found some comfort in the recent High Court ruling in Richard Lloyd v Google LLC [2018] EWHC 2599 (QB) insofar as the judge in that case was not prepared to accept that breach of statutory duty or commission of the tort of misuse of private i......