In two recent speeches, Lord Neuberger (the President of the Supreme Court) remarked that “astonishing developments in IT” – the speed of global communications and the ease with which words can be secretly recorded and doctored – may make it inevitable that the law on privacy and communications may have to be reconsidered.
With 3 billion internet users worldwide, Lord Neuberger noted that the internet presents both unprecedented opportunities for free speech but also unprecedented opportunities for encroachment on individuals’ Article 8 right to private and family life.
Focusing on the legal challenges thrown up by the internet, he queried whether anonymous speech on the internet is even capable of protection in the internet age. This view flowed from Author of a Blog v Times Newspapers Limited  EWHC 1358 (QB) which established that blogging could not be protected under UK privacy law because it is an essentially public rather than a private activity. Lord Neuberger noted that this decision could be applied in future judgments in relation to posts on social networks such as Flickr and Instagram.
However, Lord Neuberger also noted that European and UK data protection legislation does afford some protection to individuals in respect of their identifiable personal data. With this in mind, we turn the spotlight on three 2014 cases brought against Google and examine their implications for future claims.
VIDAL-HALL V GOOGLE INC - BROWSER ACTIVITY AND TARGETED ADVERTISING
Individuals resident in England brought a claim in the English Courts against the US firm, Google Inc, for misuse of private information, breach of confidence and breach of the Data Protection Act 1998 (the “Act ”) (Vidal-Hall v Google Inc  EWHC 13 (QB)). The claim was based on Google selling to advertisers’ information on individual users’ browser activity, without their consent. The information was derived by Google from a certain type of cookie which enabled the tracking and collection of individuals’ browser activity. Advertisers then used that information to send targeted advertising to those individuals.
In a preliminary ruling which demonstrates the broad scope of the Act, Tugendhat J refused Google Inc’s application to set aside the claimants’ permission to serve out of the jurisdiction and found that the “footprint of that person’s interests, relations and intentions” collated by Google was identifiable personal data which must be treated in accordance with the Act.
Tugendhat J’s preliminary view was that the anxiety and distress which the individuals suffered when they discovered that a third party might have personally identified them, could be sufficiently serious to claim damages for distress under the Act and/or for misuse of private information, even if none of the claimants had suffered any pecuniary damage and even though none of them alleged that any third party had in fact identified them from the ads.
On 8 December 2014, the hearing of Google’s appeal commenced in the Court of Appeal and judgment is expected in 2015.
WHAT IS “DAMAGE” FOR THE PURPOSES OF THE ACT?
Tugendhat J acknowledged that this was a controversial question in a developing area of law which should be tested at full trial. If his judgment is upheld, Tugendhat J’s broad preliminary findings on the meaning of “damage” under section 13 of the Act will extend the long arm of the law.
One of the grounds upon which the court can grant permission for a claimant to serve an overseas defendant is that the claim is in tort and the damage was either sustained within the jurisdiction or sustained as a result of an act committed in the jurisdiction (or both) (PD 6B 3.1(9)(a) and (b)). Therefore, if distress can constitute damage, it will be easier for claimants to hook overseas defendants into Act claims in this jurisdiction. Tugendhat J stated, obiter, that he considered that both grounds under PD 6B 3.1(9) were made out, as the damage in this case resulted from the publication of the targeted adverts on the claimants’ screens in England.
Tugendhat J gave short shrift to Google’s argument that its Article 10 right to disseminate information and the right of internet users to receive that information should weigh significantly in the balance against the claimants’ Article 8 rights. The information collected by Google was a form of commercial information communicated to further the private interests of Google Inc and did not attract the same weight as political, journalistic or artistic expression.
GOOGLE SPAIN - THE ‘RIGHT TO BE FORGOTTEN’
In the widely publicised case of Google Spain SL v Agencia Espanola de Protección de Datos (AEPD) and Mario Costeja González (C-131/12) (“Google Spain”), the ECJ upheld a complaint against Google Inc by an individual who had requested the removal from Google search results of links to an article which reported that his property had been forcibly sold to recover his personal debts. The ECJ made the following key findings:
- Search engines must be compliant with the Data Protection Directive 95/46/EC (the “directive”) as their activities qualify them as both “data processors” and “data controllers”, provided they fall within the directive’s territorial reach;
- Where a search engine establishes a branch or subsidiary in a Member State in order to promote its services to inhabitants of that state, the directive applies to that subsidiary, even if its servers are based in the US and the data processing takes place outside the EU;
- Search engines are obliged to remove from their search results links to web pages published by third parties which contain personal data about an individual, if the data processing isn’t lawful under the directive – for instance, because the data is incomplete or inaccurate, irrelevant or no longer relevant, or excessive in relation to the purpose for which the information was collected or processed;
- Individuals may make a request for removal of a link to a data controller, who must examine the merits. Where the request is not granted, the individual may bring the matter before each member state’s supervisory authority, which has the power to make an order;
- A data controller faced with a request must balance the data subject’s right to request removal of such links with the right of internet users to have access to that information. The general rule is that the data subject’s rights will outweigh those of other internet users and the economic interests of the search engine operator. Factors which might tip the scales include the sensitivity of the information to the data subject and the importance of the public having access to the information due to the role of the data subject in public life;
- Where the balance lies in the data subject’s favour, the search engine operator is obliged to remove the links even if the publication on the web pages is lawful (eg because it benefits from an exemption under the directive for articles “solely for journalistic purposes”). The data subject need not show that the data processing caused them any prejudice.
GOOGLE SPAIN - IN APPLICATION
The High Court acknowledged the impact of Google Spain on claimants wishing to serve overseas defendants in its July 2014 findings on a preliminary application by an individual to serve Google Inc in England (Hegglin and Persons Unknown v Google Inc  EWHC 2808) (“Hegglin”)).
The Court granted permission to serve Google Inc as an overseas defendant for an injunction not only requiring Google to block certain websites which contained abusive and defamatory allegations about the claimants but also to take all reasonable and proportionate technical steps to avoid snippets of the defamatory allegations from appearing in its search results.
As the case settled in late November 2014, it is unclear if the court would have accepted that Google Inc was required to go this far in order to meet its obligations under the Act. However, in granting permission to serve Google Inc, Bean J considered that there was a good arguable case for the grant of some form of injunction against Google Inc even though it had already taken steps to block the links to the offending material from its search results.
He also found that the ECJ’s findings in Google Spain made it easier for him to grant permission to serve out of the jurisdiction, because there was a good arguable case that Google Inc was under an obligation, enforceable in England, to comply with the Act when hosting the sites on which the offending material appeared and when operating a search engine.
Whilst Google has grappled with over 91,000 requests from individuals to remove links, the court’s findings are not limited to search engines. Any organisation acting as a data controller may face requests for the removal of personal data which is incomplete, inaccurate or outdated. As the data subject’s right to request removal may be outweighed if there is a public interest in the public accessing the data, organisations facing such requests will therefore need to treat requests on a case-by-case basis.
As these cases show, the territorial reach of the directive is extensive; data controllers which process data outside the EU but have subsidiaries or branches conducting marketing activities within the EU need to comply with the directive.
If the EU Commission’s draft General Data Protection Regulation – currently the subject of intense negotiation – comes into force, the net will be thrown even wider. The current draft wording would, for example, extend data protection obligations to data controllers outside the EU if they were offering goods or services (whether paid for or not) or monitoring the behaviour of data subjects in the EU – provisions which would bite on a huge swathe of online services providers based outside the EU who process EU customers’ data. Unsurprisingly, it has received strong criticism from countries like the US, in which many online services powerhouses are based.
Whilst the Regulation, if agreed and passed, is unlikely to come into force until 2017, the current draft also expressly enshrines a more stringent ‘right to erasure’ which would be likely to give rise to a greater number of claims. For instance, it currently provides that individuals have the right to obtain the erasure of personal data relating to them and of links to that data where the data controller was relying on the “legitimate interests” ground to process the data, unless the controller can show that the retention of the data is necessary in order to exercise the right of freedom of expression.
In the meantime, the Article 29 Working Party (an independent advisory body comprising representatives of the Member States’ national data protection authorities) has adopted guidelines containing common criteria to be used by data protection authorities when addressing complaints about search engines’ refusals to delist when faced with a request. It remains to be seen whether these will lead to a more consistent implementation of the ECJ’s findings in Google Spain.
This article was published in New Law Journal in February 2015.