Shook Partner Sarah Croft and Associates Kate Paine and Marisa Pearce have written a Financier Worldwide article on a Court of Appeal of England and Wales decision reviving data privacy claims against Google. The plaintiff in Lloyd v. Google alleged that Google bypassed default privacy settings to install cookies on users' phones without the users' knowledge or consent, allowing the company to gather "browser generated information" in violation of the U.K. Data Protection Act 1998 (DPA). The authors detail the case's initial dismissal and the appeals court's reversal.
"Though commonplace in the US, class action litigation has remained relatively rare in England and Wales," Paine, Pearce and Croft explain. However, privacy laws such as the DPA and the General Data Protection Regulation (GDPR) have resulted in data breaches carrying serious consequences, changing the litigation landscape.
"The finding will be of interest beyond England’s borders because in reaching its ‘damage’ conclusion, the Court of Appeal referred to the GDPR, specifically Article 82.1, affording the right to compensation to persons who have suffered either material or non-material damage as a result of a GDPR infringement, and Recital 85, in which ‘loss of control’ over personal data is provided as an example of the ‘physical, material or non-material damage’ that a data breach may cause," the authors note. "For these reasons, this groundbreaking decision is certainly a matter of concern for companies, and the outcome of an appeal, if allowed, will be keenly awaited by all data privacy practitioners."