Tom Torkar
Posted on 3 Apr 2014

Landmark Internet Privacy Case: Google is Responsible to English Internet Users Under English Privacy and Data Protection Laws

Our laws in the United Kingdom are designed to protect individuals against the misuse of personal information, such protection being enshrined in the Data Protection Act 1998 and related legislation which in turn implements several European Directives.

Websites and online applications will often track users' information using "cookies", usually with the user's consent.

However, Google Inc. ("Google") has been accused of taking a more liberal interpretation of responsibilities under data protection and privacy laws. To date, where web advertisers collect and/or use such information without a user's consent, it has proved difficult for a user to enforce their rights under data protection laws because the servers are located overseas and operated by companies established overseas. A recent landmark decision in the English High Court, however, may change this and force web advertisers to behave more responsibly having regard to laws outside the web advertiser's own jurisdiction.

The British claimants' allegations of misuse of personal information by Google:

In a recent test case against Google, Vidal-Hall v Google Inc., the High Court rejected Google's argument that the English Courts have no jurisdiction to hear the privacy claims brought against it by three British internet users.

The British claimants alleged that Google: (i) misused their private information; (ii) breached confidentiality; and (iii) infringed the data protection laws through the unlawful use of their personal data without their knowledge and consent, when they used Apple's 'Safari' web browser between 2011 and 2012. They claimed compensation for damage and distress suffered.

The case centres on the collection of information by Google from the devices used by claimants to access the internet and the subsequent use of that information to provide targeted advertisements. The claimants contended that as a result of Google's use of the information to display adverts, third parties whom they permitted to use their computers or view their screens had access to deeply personal information about their interests. As a result, they claimed to have suffered acute distress and anxiety. The nature of the personal information revealed through targeted advertising was not disclosed in court, to protect the claimants' privacy.

The case focused on Google's use of "third party cookies". A "third party cookie" is a cookie sent to a browser by a website other than the website that the browser is on, usually to gather information about websites visited by the user's browser in order to target advertising.

In this case, the claimants used the Apple Safari internet browser. Google's AdSense service places "third party cookies" when the user visits certain websites displaying adverts from Google that are placed using AdSense. The claimants complained about Google's practice, which exploited a loophole in the Safari web browser's privacy settings. A first "intermediary cookie" would be legitimately placed when the user visits certain websites and requests content (through use of social features such as "like" buttons). However, once the intermediary cookie was placed, Safari then allowed further third party cookies to be sent if one cookie from that domain was already present on the browser (the "One In, All In Rule"). This happened without the users' further knowledge or consent. It was this final aspect of the Safari privacy settings that Google's "AdSense" service exploited.
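The "One In, All In Rule" described above can be modelled as a cookie-acceptance decision and compared with a policy that only stores cookies the user asked for. This is an added illustration, not code from Google, Apple or the judgment; the policy names, the `userRequested` flag and the `ads.example` domain are assumptions, and the model simplifies a real browser's logic.

```javascript
// Simplified model of the third-party cookie decision described in the text.
// Policy names and fields are illustrative, not Safari's internals.
const ONE_IN_ALL_IN = "one-in-all-in";
const STRICT = "strict";

class CookieJar {
  constructor(policy) {
    this.policy = policy;
    this.cookies = []; // entries: { domain, name, userRequested }
  }
  hasCookieFrom(domain) {
    return this.cookies.some((c) => c.domain === domain);
  }
  // Decide whether a cookie set from a third-party context is stored.
  // userRequested: the user asked for this content (e.g. used a "like" button).
  setThirdParty(domain, name, userRequested) {
    const allowed =
      userRequested ||
      (this.policy === ONE_IN_ALL_IN && this.hasCookieFrom(domain));
    if (allowed) this.cookies.push({ domain, name, userRequested });
    return allowed;
  }
  // Audit view: cookies stored although the user never requested them.
  storedWithoutRequest() {
    return this.cookies.filter((c) => !c.userRequested).map((c) => c.name);
  }
}

// Replay a sequence of cookie-set events against a fresh jar.
function replay(policy, events) {
  const jar = new CookieJar(policy);
  const decisions = events.map((e) =>
    jar.setThirdParty(e.domain, e.name, e.userRequested));
  return { decisions, unrequested: jar.storedWithoutRequest() };
}

// Constructed sample events; ads.example is a placeholder domain.
const SAMPLE_EVENTS = [
  { domain: "ads.example", name: "track_early", userRequested: false },
  { domain: "ads.example", name: "intermediary", userRequested: true },
  { domain: "ads.example", name: "track_late", userRequested: false },
];

console.log(replay(ONE_IN_ALL_IN, SAMPLE_EVENTS));
console.log(replay(STRICT, SAMPLE_EVENTS));
```

Under the modelled rule the same unrequested cookie is refused before the intermediary cookie exists and stored afterwards, which is the gap between what the user consented to and what ends up in the browser.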

Google challenged the jurisdiction of the English Courts to hear the claims:

The claimants were initially given leave by the English Courts to serve proceedings on Google. Google then challenged this and sought an order stating that the English Court did not have jurisdiction over the claims.

Google, which is registered in Delaware and has its principal place of business in California, argued that the issues at trial were likely to focus on Google's conduct and therefore the USA was the most appropriate jurisdiction, although it did not specify a particular state in which the case should be heard.

The English High Court decided that England was the appropriate jurisdiction to hear the case:

Mr Justice Tugendhat made the following observations:

  • The focus of the case is likely to be on the damage that each claimant has suffered. The damage occurred when their screens could be viewed in the UK.
  • The claimants are resident in the UK; therefore to bring proceedings outside of the UK would be unduly 'burdensome'. 
  • The claim of misuse of private information and the claim in relation to unlawful processing under data protection legislation were both clearly arguable and were serious issues to be tried. The High Court rejected Google's claims that they should be set aside.
  • The English courts were an appropriate forum for the claims. If an American court were to decide the complicated issues of English law raised by Google, it would be costly for all parties involved. As this is a developing area of law, it is more appropriate for these issues to be resolved in an English court with the usual right of appeal, which is not available in the USA.

On this basis, the High Court held that the claimants had clearly established there were serious issues to be tried and that England was the most appropriate jurisdiction for these to be heard. 

Mr Justice Tugendhat also acknowledged that there was no general 'tort of invasion of privacy', although he identified a number of cases in which misuse of confidential information was referred to as a 'tort'. He concluded that there was a distinct 'tort of misuse of private information'.

What is the likely impact of this decision?

It remains to be seen whether the claim will be settled or whether the case regarding the alleged breaches will be heard before the English Courts. If the claims are successful, this may lead to more claims against Google in England as well as in European Union member states. What is clear is that the use of the "Safari workaround" during 2011 was a controversial practice. Mr. Justice Tugendhat pointed out that Google has faced considerable civil penalties ($2.5 million) in the USA resulting from the practice. Google has since ceased this practice.

The wider effect of this case may be to encourage other non-EU internet service providers to consider their own compliance with data protection laws which are often stricter than the laws they may otherwise be more used to complying with. 

In particular, the case sheds a further spotlight on the difficulties of regulating the use of "third party cookies" by internet service providers. These are an invaluable tool to web-advertisers, but equally there are difficulties in determining how users should be provided with information about the cookies and how their consent should be obtained. This case may serve to focus attention on the lucrative internet advertising business, so that the web-advertising industry and regulatory bodies decide on effective means of protecting users' privacy.

For further information on the issues raised in this article, please contact Associate Tom Torkar at tom.torkar@michelmores.com