UK Supreme Court denies privacy class action against Google
November 15, 2021
Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.
The UK Supreme Court held that a class action lawsuit alleging unlawful data collection for ad targeting in 2011 and 2012 could not be served against Google on the basis that the lawsuit failed to allege sufficient proof of individual financial damage or distress or unlawful basis on an individual basis. The action alleged that Google collected iPhone user data for ad targeting without proper notice or consent in violation of the Data Protection Act (a predecessor to the UK GDPR). The lawsuit sought damages of £750 per person, or approximately £3 billion total.
WHY IT MATTERS
Although the lawsuit alleged violations of the UK Data Protection Act, which was replaced by the UK GDPR and is no longer in effect, the UK Supreme Court’s ruling may have general implications for class action lawsuits in the UK. Parliament has not enacted legislation providing for class actions, except in the field of competition law. However, the case against Google was brought based on a longstanding Civil Procedure Rule that allows a claim to be brought by representatives of others who have the same interest in the claim.
The UK Supreme Court held that, although this action could have been brought as a representative action, to establish whether Google was in breach of the DPA as a basis for pursuing individual claims, it could not be brought seeking a uniform sum of damages to be awarded to each class member because, in this case, the DPA requires that an individual suffer damage, and the court interpreted damage to mean material damage or mental distress, which would require proof of such damage and unlawful processing of personal data on an individual basis. That ruling was very specific to the DPA, however, which means that a different outcome may arise from class action claims under laws that don’t require proof of individual damage.
The European Commission sent an opinion to Belgium for failing to ensure full independence of its Data Protection Authority in violation of the GDPR, citing that some members of the Belgian DPA either report to a management committee depending on the Belgium government, have taken part in governmental projects, or are members of the Belgium Information Security Committee. The GDPR requires that a Member’s DPA be free from any external influence or incompatible occupation. The Commission has given Belgium two months to take relevant action, after which it may decide to refer the case to the Court of Justice of the European Union.
WHY IT MATTERS
We learned earlier this month that the Belgian DPA will be soon issuing a draft ruling against IAB Europe in connection with its TCF Framework for the digital advertising industry. It’s unclear how or whether this development may impact the makeup or mentality of the Belgian DPA and resulting decision-making.
Israel’s Ministerial Committee on Legislation approved a proposal to promote amendments to the country’s Privacy Protection Law. The amendments, among other things, expand the administrative enforcement of the Privacy Protection Authority, including the authority to impose financial sanctions.
WHY IT MATTERS
Israel’s Privacy Protection Law includes some similarities to the EU’s GDPR, including a requirement to obtain informed consent to collect personal data from data subjects. The existing law does allow for certain administrative fines, but the amendments would reportedly expand such authority, presumably giving covered businesses more incentive to adopt practices compliant with the law.
Three industry developments were announced this week.
Meta (the parent company of Facebook) announced plans to remove “Detailed Targeting” options that relate to sensitive topics, starting January 19, 2022. This will prevent advertisers from targeting ads to a refined group of people based on causes, organizations or public figures that relate to health, race or ethnicity, political affiliation, religion or sexual orientation, a feature currently available through Facebook’s Detailed Targeting option.
You.com, a new “private” search engine, launched in public beta testing, promising no ad targeting, no data sales to advertisers, and a platform that puts “you in control”, giving the user an option between a personalized or private experience. The platform is currently ad free but says that it may have private ads in the future.
TransUnion and Audigent reportedly announced a partnership to offer a cookieless, addressable ad targeting solution based on Audigent’s consolidated publisher first-party data combined with TransUnion’s TruAudience data.
WHY IT MATTERS
As consumer and regulatory privacy demands heighten, we are seeing an increase in industry developments having a domino effect on one another, limiting or eliminating options, and creating new solutions in response to replace the old.
Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.
A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.
Latest Blog Posts
A memorandum from the California Privacy Protection Agency (CPPA) staff proposes...
The ICO previously made an announcement on its website warning that...
Publisher Collective recognised the importance of collecting consent in...
Latest White Papers
The current state of publisher compliance with CCPA, and...
How to review your vendor list to mitigate compliance...
Keep in touch
Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.