Google Brought Down to Earth: Landmark Privacy Development

January 28, 2014

What is the landmark?

A group of claimants have won a case in the High Court to bring a claim against Google in England and Wales. Google sought to prevent the claimants issuing legal proceedings against it in the UK, claiming that the USA was the more appropriate forum. It lost and has said it will be appealing the decision. The case is also of particular significance because it adds fuel to the fire fanned by litigants who argue that there is a new or developing tort of ‘misuse of private information’. The existence of this tort makes it easier for claimants to bring claims for breaches of privacy, amongst other things, since there is no strict requirement for actual loss to have been suffered.

The case citation is Vidal-Hall and Others v Google Inc [2014] EWHC 13 (QB) – for those of you who wish to memorise this reference, since it is likely to be a landmark privacy ruling for a long time to come.

What is it about?

The claimants are claiming damages and injunctive relief on the basis that Google:

· misused their private information;

· breached confidence; and

· breached the Data Protection Act 1998, namely the first, second, sixth and seventh data protection principles.

The claimants’ rights were infringed by Google tracking and gathering information relating to web browsing on the Apple Safari browser without consent or knowledge. In this context, the claimants explained that Apple promoted the sale of its devices and Safari browser on the basis that its default setting prevented such tracking (and the placing of third-party cookies which enable user profiling and behavioural targeting). It is alleged that Google specifically coded applications, by means of its DoubleClick ad serving platform, to exploit certain exceptions in Safari. These exceptions had been designed to allow third-party cookies in two instances:

1. ‘Form Submission Rule’ – submission of a form embedded in the original or first-party page – this is often the case where a user completes payment information and is a common technical requirement to enable this functionality.

2. ‘The One In, All In Rule’ – Safari only blocks third-party cookies from a new domain; once the browser has accepted and retained a cookie, any additional cookies from that domain will be accepted regardless of whether they are set as first or third-party cookies.

Google used JavaScript to subvert these exceptions to its advantage, without the knowledge or consent of the user, in order to set third-party DoubleClick cookies.
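The two exceptions described above, modelled as a decision function and replayed over a constructed request trace so that each accepted third-party cookie is labelled with the rule that admitted it. This is an added illustration, not Safari's or Google's code; the function names, field names and `.example` domains are assumptions, and domain matching is simplified to exact string comparison.

```javascript
// Added model of the cookie policy as the article describes it; not Safari's code.
// All names and the sample trace are constructed for illustration.
function createPolicy() {
  const domainsWithCookie = new Set(); // domains that already hold a cookie
  return function decide(req) {
    let rule = 'blocked-by-default';
    if (req.cookieDomain === req.pageDomain) {
      rule = 'first-party';
    } else if (domainsWithCookie.has(req.cookieDomain)) {
      rule = 'one-in-all-in';   // exception 2: domain already has a cookie
    } else if (req.formSubmission) {
      rule = 'form-submission'; // exception 1: embedded form was submitted
    }
    const accepted = rule !== 'blocked-by-default';
    if (accepted) domainsWithCookie.add(req.cookieDomain);
    return { ...req, accepted, rule };
  };
}

// Replay a trace in order and return one decision per request.
function auditTrace(trace) {
  const decide = createPolicy();
  return trace.map((req) => decide(req));
}

// Third-party cookies that were accepted, grouped by the rule that admitted them.
function admittedByException(decisions) {
  const out = {};
  for (const d of decisions) {
    if (!d.accepted || d.rule === 'first-party') continue;
    out[d.rule] = out[d.rule] || [];
    out[d.rule].push(`${d.cookieDomain} on ${d.pageDomain}`);
  }
  return out;
}

// Constructed trace: one ad domain encountered across three sites.
const SAMPLE_TRACE = [
  { pageDomain: 'news.example', cookieDomain: 'news.example', formSubmission: false },
  { pageDomain: 'news.example', cookieDomain: 'ads.example', formSubmission: false },
  { pageDomain: 'news.example', cookieDomain: 'ads.example', formSubmission: true },
  { pageDomain: 'shop.example', cookieDomain: 'ads.example', formSubmission: false },
  { pageDomain: 'blog.example', cookieDomain: 'ads.example', formSubmission: false },
  { pageDomain: 'blog.example', cookieDomain: 'other.example', formSubmission: false },
];

console.log(admittedByException(auditTrace(SAMPLE_TRACE)));
```

In the trace, a single form-submission admission is enough for every later cookie from the same domain to be accepted on unrelated sites, while a domain that never triggers an exception stays blocked.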

Breach of confidence or misuse of private information?

Tugendhat J in the High Court clarified that there is a material distinction to be made between breach of confidence and misuse of private information: the former is not a tort (citing Kitetechnology BV v Unicor GmbH). In contrast, Vestergaard Frandsen AIS v Bestnet Europe Ltd and Douglas v Hello! support the view that the latter is a tort and that, as a tort, actual loss need not necessarily be demonstrated. This provides potential litigants with a significantly larger stick to beat those who have allegedly infringed their privacy and use of their private information. In response to Google’s claim that the information collected was anonymous, Tugendhat J responded:

‘I find this a surprising submission to be made on behalf of Google Inc. It would not collect and collate the information unless doing so enabled it to produce something of value. The value it produces is the facility for targeted advertising of which the Claimants complain, and which yields spectacular revenues for which Google Inc is famous’.

Whilst this raises more complex issues as to big data and the extent to which aggregated data comprises personal data (and how this is regulated under the current data protection framework and the broader scope of the new draft Data Protection Regulation, which regulates ‘profile data’ and ‘pseudonyms’), the over-arching principle is that organisations need to ensure that they obtain the requisite consent and provide transparency for users. Covert surveillance, profiling or targeting is viewed dimly by regulators and the courts alike. In addition, the erosion of consumer trust caused by breaches of privacy can have catastrophic results, as News International recently found.

Shifting Tectonic Privacy Plates

Early in 2012, Google amalgamated its privacy policies for all its services. The Article 29 Working Party wrote to Google expressing its concerns about this amalgamation, in the absence of express consent. It then asked the French authority, CNIL, to assess whether Google had breached data protection law. On 3 January 2014, CNIL fined Google €150,000, the maximum penalty it is able to impose. Spain had already fined Google €900,000. Other European regulators, including the UK Information Commissioner, have yet to make a formal decision. Although these fines are insignificant to an organisation of the financial stature of Google, it should be borne in mind that the new draft Data Protection Regulation, anticipated to be adopted in 2015, has recently been approved by LIBE and that the maximum fines in that draft equate to the greater of €100m or 5% of global annual turnover for serious breaches of the Regulation.

However, in the US, recent fines have been on a far greater scale than those so far imposed in Europe. And these fines relate specifically to the very same issues in hand (ie the Safari workaround) which are brought by the claimants in Vidal-Hall. Google has (to date) been fined US$39.5m in penalties and settlements with public authorities in the US, including a US$22.5m civil penalty issued by the Federal Trade Commission (FTC) and a US$17m settlement with 38 US State Attorneys General. Furthermore, Google is also subject to a significant number of other class actions or concurrent private claims.

Conclusion

So, cumulatively, whilst the European monetary penalties are small, the current class action, added to the outstanding UK regulator’s decision (which may amount to up to £500,000 for the maximum fine) and the proposed draft Data Protection Regulation, together with the existing US fines, indicate that Google and other organisations which have been operating in what would appear to have been a liberal environment will have to take significantly greater care in future activities and operations which may have an impact on users’ privacy.

Philip James is Joint Head of Technology and leads Pitmans’ Data Privacy & Information Law group. Philip assists clients in devising effective data strategies to achieve compliance, brand integrity and IP asset growth. Philip leads on Pitmans’ Cyber Risk Management practice and is a key member of the firm’s Media & Entertainment and Defence & Security sector groups.