Included in this edition of Data & Privacy News: Supreme Court makes landmark judgment in rejecting £3bn data class action against Google, calls for greater regulation of AI in the workplace and more

Supreme Court makes landmark judgment in rejecting £3bn data class action against Google

In the long-awaited decision of Lloyd (Respondent) v Google LLC (Appellant) [2021] UKSC 50, the Supreme Court has rejected the attempt to bring a class action against Google relating to the unauthorised tracking of iPhone users. The Court upheld Google's appeal against the decision of the Court of Appeal, and decided that the claim had no prospect of success. The decision has significant implications for group claims for breach of data protection legislation, and effectively shuts the door on the prospect of US-style class actions for data breaches.

We have produced a detailed analysis of the case, including its background, the decision and its implications. Susan Garrett, a Partner in Addleshaw Goddard's Dispute Resolution team, has also hosted a 30-minute Q&A on the case which is available to watch here.

High Court judgment for damages for de minimis data misuse

In the case of Rolfe and others v Veale Wasbrough Vizards LLP [2021] EWHC 2809 (QB), the High Court has provided clarity for controllers on the level of damage required for a claim to constitute a data breach or misuse of private information. In the judgment, Master McCloud considered whether the nature of the breach, the nature of the information involved and the steps taken to mitigate the breach had led to actual loss being suffered or to distress being caused above a de minimis level. The claimants claimed damages for misuse of confidential information, breach of confidence and negligence, damages under s82 of the GDPR and s169 Data Protection Act 2018, plus a declaration and an injunction, interest and further or other relief.

The case centred around a single email with attachments that was sent by the Defendants, who at the time represented a school to which the first two Claimants owed a sum of school fees. The email consisted of a letter and a copy of the statement of account for the first two Claimants' child (who is the third Claimant). However, due to a one-letter difference in the email address of the mother, the letter was mistakenly sent to a person with an identical surname and the same first initial. The mistaken recipient promptly informed the Defendants that the email was not meant for them and then promptly deleted the email following a request from the Defendants.

In the judgment, Master McCloud concluded that the single data breach involving the admitted misuse of a limited amount of confidential information was not enough to cause an individual to suffer distress or to form the basis of a claim for damages for distress.

The time for appeal for this case was extended to 21 days after the handing down of the Supreme Court decision in Lloyd v Google.

Calls for greater regulation of AI in the workplace

The All-Party Parliamentary Group (APPG) on the Future of Work has published a final report from the APPG’s inquiry into the use and regulation of AI in the workplace. The report argues that there is an urgent need for Government regulation of the use of AI at work, concluding that the monitoring of employees and setting of performance targets through algorithms is damaging employees' mental health.

This report mirrors the calls of the trade union Prospect, which published a statement the week before calling for a range of measures to be implemented in order to protect employees from intrusive monitoring. Prospect expressed concerns that the monitoring was particularly affecting workers in sectors with higher levels of remote working, larger proportions of younger workers, and low levels of trade union membership, such as the tech sector. A survey commissioned by Prospect found that the number of workers being monitored at work has risen from 24% to 32% in the last six months, and that the use of camera monitoring in people’s homes has risen from 5% to 13% in the same time period.

DCMS publishes update on the new Information Commissioner

The Department for Digital, Culture, Media & Sport (DCMS) has published an update on the arrangements confirmed in advance of John Edwards, the incoming Information Commissioner, beginning his term in January.

The statement confirms that from the end of Elizabeth Denham’s term as the Information Commissioner on 30 November 2021, the ICO’s Deputy Chief Executive (Paul Arnold) will be designated as the ICO’s Accounting Officer until 2 January 2022. Mr Edwards, who is the current New Zealand Privacy Commissioner, will then take up his position on 3 January 2022.

Google publishes blog post on removing images of children

Google has published a blog post providing information to under 18s and their parents, guardians or other authorized representatives on how to remove their images from Google Search. The new policy, launched in August 2021, allows requests for the removal of images of anyone under the age of 18, meaning the images won't appear in the Images tab or as thumbnails in any feature in Google Search.

ICO and OAIC conclude joint investigation into Clearview AI Inc.

The Information Commissioner’s Office (ICO) and the Office of the Australian Information Commissioner (OAIC) have published a statement, noting the conclusion of their joint investigation into Clearview AI Inc., which was launched in 2020.

The investigation into Clearview examined the company's personal information handling practices, relating to the use of data scraped from the internet and the use of biometrics for facial recognition. The Clearview facial recognition app allows users to upload a photo of an individual’s face and match it to photos of that person collected from the internet. The system reportedly included a database of more than three billion images that Clearview claims to have taken or ‘scraped’ from various social media platforms and other websites.

As the ICO and OAIC operate under their respective country's legislation, any outcomes are considered separately. The ICO is now considering its next steps and any formal regulatory action that may be appropriate under the UK data protection laws, whilst the OAIC has published its decision.

Key Contacts

Ross McKenzie

Partner, Commercial Services
Aberdeen, UK

Helena Brown

Partner, Commercial
Edinburgh, UK

Dr. Nathalie Moreno

Partner, Commercial Services and Data Protection
