Source - Privacy and Data Security Alert | November 2019

EU Court Allows Class Action to Proceed, Sets Precedent for Future Data Breach Class Actions

A class action brought against Google will be allowed to move forward after the plaintiff’s appeal was permitted, allowing him to continue his claim under section 13 of the Data Protection Act of 1998. The case stems from a workaround that enabled Google to place certain cookies on a user’s device without the user’s knowledge, allowing the company to secretly track users and collect “browser generated information.” The High Court of Justice held that potential members of the plaintiff’s proposed class did not have the “same interest” to “justify allowing the claim to proceed as a representative [class] action.” However, the Court of Appeal held that the browser generated information is “something of value” that was “taken by Google without [users’] consent during the same period, and are not seeking to rely on any personal circumstances affecting any individual claimant.” As such, the Court of Appeal held that the High Court abused its discretion in refusing to allow the case to proceed, and the lawsuit can continue.

On the heels of the Lloyd decision, the first data breach class action has been filed against Equifax in the U.K.’s High Court. The lawsuit seeks £100 million ($129.6 million) in damages for the approximately 15 million U.K. customers affected by the 2017 Equifax data breach. In September 2018, the U.K.’s Information Commissioner’s Office found that Equifax failed to implement certain safeguards and procedural protections of customers’ personal information and issued a fine.


This key decision may serve as a basis for allowing data-breach-related class actions to gain traction in the EU, where data breach class actions have historically been unable to gain momentum.

Read more in the full November issue of the Privacy and Data Security Client Alert.