Ex-Which? bod's £3bn Safari sueball has second shot at Google over UK data laws
It's the Safari Workaround – and there's no working around it this time
Updated The man who tried and failed to run a not-a-data-protection-class-action-honest-guv lawsuit against Google in England's High Court is having another crack at it in the Court of Appeal.
Richard Lloyd, a one-time director of consumer rights org Which?, is appealing against the High Court's judgment from last year which halted his multi-billion pound case against Google before it got out of the starting blocks.
In the appeal, which is being heard this week, Lloyd's barrister, Hugh Tomlinson QC, hopes to convince three senior judges that the High Court was wrong to rule that the 4.4 million people Lloyd claims to represent hadn't suffered "damage" from Google as defined in law.
"The claimant's case, put shortly, is that a combination of data protection law and the long established representative action procedure can provide an effective remedy for mass breaches of data protection rights where, in practice, as the judge recognised, neither individual claims nor a group litigation order are practically viable," Tomlinson told the Court of Appeal this morning.
The case (full history below) revolves around the old Safari Workaround dodge by Google. Lloyd claims that Google owes 4.4 million iPhone-using Brits a few hundred pounds each in damages for unlawfully snooping on their browsing habits, contrary to the Data Protection Act 1998. He has put himself forward as the "representative claimant" in what is almost, but not quite, a class action lawsuit.*
Among other things, he claims "all individuals who, at any date between 1 June 2011 and 15 February 2012... owned or were in lawful possession of an iPhone and used the Apple Safari internet browser on that iPhone to access the internet" were affected by Google's alleged lawbreaking.
Three judges will decide the appeal: the president of the Queen's Bench Division of the High Court, Dame Victoria Sharp (boss of Mr Justice Warby, the judge who made the original ruling); the Chancellor of the High Court, Sir Geoffrey Vos; and Lord Justice Davis.
Vos observed in court this morning: "It does seem to me, Mr Tomlinson, that you are eliding the infringement that led to damages and the damages themselves. I fully understand the difference between loss and damage but I don't see how you can reason from saying 'There's a bad breach', which some say they had cared about, and some who had suffered loss."
Opposing Tomlinson are his Matrix Chambers stablemates Antony White QC and Edward Craven. Supporting him are Oliver Campbell QC and Victoria Wakefield.
Where did all this start?
Around a decade ago crafty people at Google figured out a way of getting Google Doubleclick ad-tracking cookies onto the devices of Safari-using iPhone customers, defying Apple privacy controls, using a method called the Safari Workaround. That workaround tricked the browser into accepting a cookie on the false basis that a form submission was being made to Google every time it loaded a Google ad, as we reported in 2012 when the ruse came to light.
Google stumped up about four hours' worth of its 2012 revenues – $25m – to an American regulator as penance, and flung a further $17m at another bunch of aggrieved USians to make them shut up and go away.
Nonetheless, British privacy activist Judith Vidal-Hall sicced lawyers onto Google and the High Court ruled in 2014 that the Chocolate Factory could be sued in the UK, following desperate attempts by the adtech giant to claim it wasn't subject to UK law. Had it won, the case would have been thrown out. A year later the Court of Appeal stomped on Google's attempt to get that preliminary ruling overturned. Critically, Vidal-Hall and Google settled before the jurisdiction issue was decided by the Supreme Court, so the actual issue of whether Google had broken the Data Protection Act 1998 was never tried.
Along came Lloyd in 2018, and with him Therium Litigation Funding IC, "an investment vehicle associated with and advised by Therium Capital Management Limited". As well as paying Lloyd a salary of £50k "for up to four years" to act as public frontman for the lawsuit, Therium is potentially entitled to take up to half of the entire damages payout it hopes to squeeze from Google: up to £1.5bn, if the lawyers' sums are right. ®
* No such thing as a class action in the UK. This is a "representative action", as opposed to a group litigation order, and you can read an explanation of those terms here. Coffee may be required.
** Readers may recall that White and Tomlinson played much the same courtroom roles in the cases of pseudonymous businessmen NT1 and NT2 v Google, the Right To Be Forgotten trials. As in the present case, Tomlinson represented the claimants and White defended Google.
Updated to add
Richard Lloyd, the representative claimant, said: "Google's business model is based on using personal data to target adverts to consumers – making hundreds of billions in the process. Using personal data without consent is illegal.
"Despite the High Court acknowledging that millions of people did not give Google permission to use their data in this case, its decision blocked iPhone users' route to redress. This effectively slammed the door shut on holding Google to account.
"The overstretched data protection regulator has refused to stand up for consumers in this case. When the regulators fail to properly protect us against being ripped off by giant tech companies in this way, we have no alternative but to take action ourselves.
"The appeal today is significant not only for those affected by this case, but for consumers in the UK in the future who should be provided with effective legal mechanisms to hold the world's largest companies to account for mishandling our data."