The UK Court of Appeal has unanimously overturned a block on a class-action style lawsuit brought on behalf of four million iPhone users against Google — meaning the case can now proceed to be heard.

The High Court tossed the suit a year ago on legal grounds. However the claimants sought permission to appeal — and today that’s been granted.

The case pertains to allegations Google used tracking cookies to override iPhone users’ privacy settings in Apple’s Safari browser between 2011 and 2012. Specifically that Google developed a workaround for browser settings that allowed it to set its DoubleClick Ad cookie without iPhone users’ knowledge or consent.

In 2012 the tech giant settled with the FTC over the same issue — agreeing to pay $22.5M to resolve the charge that it bypassed Safari’s privacy settings to serve targeted ads to consumers. Although Google’s settlement with the FTC did not include an admission of any legal wrongdoing.

Several class action lawsuits were also filed in the US and later consolidated. And in 2016 Google agreed to settle those by paying $5.5M to educational institutions or non-profits that campaign to raise public awareness of online security and privacy. Though terms of the settlement remain under legal challenge.

UK law does not have a direct equivalent to a US style class action. But in 2017 a veteran consumer rights campaigner, Richard Lloyd, filed a collective lawsuit over the Safari workaround, seeking to represent millions of UK iPhone users whose browser settings his complaint alleges were ignored by Google’s tracking technologies.

The decision a High Court judge last year to block the action boiled down to the judge not being convinced claimants could demonstrate a basis for bringing a compensation claim. Historically there’s been a high legal bar for that as UK law has required that claimants are able to demonstrate they suffered damage as a result of data protection violation.

The High Court judge was also not persuaded the complaint met the requirements for a representative action.

However the Appeals Court has taken a different view.

The three legal questions it considered were whether a claimant could recover damages for loss of control of their data under section 13 of the UK’s Data Protection Act 1998 “without proving pecuniary loss or distress”; whether the members of the class had the same interest as one another and were identifiable; and whether the judge ought to have exercised discretion to allow the case to proceed.

The court rejected Google’s main argument that UK and EU law require “proof of causation and consequential damage”.

It also took the view that the claim can stand as a representative procedure.

In concluding the judgment, the chancellor of the High Court writes:

… the judge ought to have held: (a) that a claimant can recover damages for loss of control of their data under section 13 of DPA, without proving pecuniary loss or distress, and (b) that the members of the class that Mr Lloyd seeks to represent did have the same interest under CPR Part 19.6(1) and were identifiable. The judge exercised his discretion as to whether the action should proceed as a representative action on the wrong basis and this court can exercise it afresh. If the other members of the court agree, I would exercise our discretion so as to allow the action to proceed. I would, therefore, allow the appeal, and make an order granting Mr Lloyd permission to serve the proceedings on Google outside the jurisdiction of the court.

Mishcon de Reya, the law firm representing Lloyd, has described the decision as “groundbreaking” — saying it could establish “a new procedural framework for the conduct of mass data breach claims” under UK civil procedure rules governing group litigations.

In a statement, partner and case lead, James Oldnall, said: “This decision is significant not only for the millions of consumers affected by Google’s activity but also for the collective action landscape more broadly. The Court of Appeal has confirmed our view that representative actions are essential for holding corporate giants to account. In doing so it has established an avenue to redress for consumers.”

Mishcon de Reya argues that the decision has confirmed a number of key legal principles around UK data protection law and representative actions, including that:

An individual’s personal data has an economic value and loss of control of that data is a violation of their right to privacy which can, in principle, constitute damage under s.13 of the DPA, without the need to demonstrate pecuniary loss or distress. The Court, can therefore, award a uniform per capita sum to members of the class in representative actions for the loss of control of their personal data

That individuals who have lost control of their personal data have suffered the same loss and therefore share the “same interest” under CPR 19.6

That representative actions are, in practice, the only way that claims such as this can be pursued

Responding to the judgement, a Google spokesperson told us: “Protecting the privacy and security of our users has always been our number one priority. This case relates to events that took place nearly a decade ago and that we addressed at the time. We believe it has no merit and should be dismissed.”