The U.K.’s Supreme Court has rejected a claim that sought billions of pounds in damages from Google over alleged illegal tracking of millions of iPhones.
The case was brought by consumer rights activist Richard Lloyd, who alleged Google breached its data protection obligations under the Data Protection Act 1998—the U.K. legislation in place before the General Data Protection Regulation (GDPR)—by using the browser-generated information of more than four million Apple iPhone users during 2011 and 2012.
Lloyd brought the case as a representative action on behalf of all affected iPhone users, arguing that, collectively, they had the same interest. He suggested compensation should range up to £750 (U.S. $1,004) per affected user.
However, the Supreme Court disagreed. In a unanimous decision Wednesday, the court said it was necessary to establish what, if any, unlawful use Google had made of each user’s personal data and what damage was suffered by the user as a result.
The court said, in future, there would need to be individual assessments of each user to establish what (if any) damages they should get. It also ruled out the possibility damages could be awarded for a breach of the 1998 legislation if the individual did not suffer any material loss or distress.
Google said, “This claim was related to events that took place a decade ago and that we addressed at the time.”
Legal experts are divided by the ruling, saying it could have potentially serious implications for all collective actions in future—not just those relating to data breaches or data misuse.
Richard Forrest, legal director at law firm Hayes Connor Solicitors, said, “This feels like a missed opportunity to send a powerful message to the Big Tech companies that it’s our data they are handling, not theirs.”
Emily Cox, head of media disputes at Stewarts Law, said, “The decision ensures the floodgates remain firmly closed to data privacy class actions in England and Wales, much to the relief of Big Tech. It also leaves consumers without a viable route to compensation for breaches of their privacy rights by large corporations, and so limits access to justice.”
She added, “This is a worrying decision for England and Wales as a legal center post-Brexit, putting us at odds with Scotland and the European Union, which have started to fully embrace collective redress in the way the United States, Canada, and Australia have done for some time.”
Patricia Jones, a data protection lawyer at law firm Pannone Corporate, said the ruling “will make it more difficult for people to seek compensation for a data protection breach when they have suffered no material loss or distress.”
However, she added despite the judgment going in favor of Google, “It should act as a strong reminder to businesses—both large and small—about the importance of complying with data protection legislation when collecting and using customer data. If businesses get it wrong, they could potentially face sanction from the Information Commissioner’s Office, as well as compensation claims.”