IP & IT analysis: William Richmond-Coggan, partner and solicitor-advocate at Pitmans LLP, takes a look at a recent Court of Appeal judgment in the case brought against Google by Safari users, regarding tracking and recording of internet browsing activity.

This article was first published on Lexis®PSL IP & IT on 5 March 2015.

Original news

Vidal-Hall and others v Google Inc (The Information Commissioner intervening) [2015] EWCA Civ 311, [2015] All ER (D) 307 (Mar)

Google had sought to set aside the permission that had been granted to the claimants to serve their claim form out of the jurisdiction in their action which alleged misuse of private information, breach of confidence and breach of the Data Protection Act 1998 (DPA 1998). The action for breach of confidence was set aside. The Court of Appeal, Civil Division, dismissed Google's appeal as the pleaded actions were clearly arguable and not pointless. The court held that misuse of private information should be recognised as a tort for the purposes of service out of the jurisdiction and that, in order to make DPA 1998, s 13(2) compatible with EU law, that section had to be disapplied, with the consequence that compensation would be recoverable under DPA 1998, s 13(1) for any damage suffered as a result of a contravention by a data controller of the requirements of DPA 1998.

What exactly is the 'Safari workaround'?

The full explanation is quite technical, but the judgment has a useful annex which contains an explanation of the Safari workaround in detail for those who would like to understand it more fully. In summary, it was a method by which Google managed to circumvent an in-built 'opt-out' by users of the Apple iOS browser, Safari, who believed that they were able to access the internet using the browser without their activities being tracked and recorded by Google and other ad services. The core of it was a method of getting a single data record (a 'cookie') stored on the user's device, which then enabled them to exploit a rule that automatically authorised further cookies registered with the same operator from that point on.

What issues was the court asked to address?

This was a preliminary hearing dealing with jurisdictional issues. But in order to determine those questions, the court had to decide whether the claims were arguable--that in turn meant coming to some conclusions about the existence or otherwise of a tort of misuse of private information.

Will this decision open the floodgates to ordinary Safari users making a claim against Google?

This decision in itself is unlikely to open the floodgates because it is only an interlocutory decision. Other users will be waiting to see if the case goes all the way to trial and, if it does, what the outcome is. Potentially, though, this may come to be seen as the opening of the gates to a far wider pool of claimants. Although the specific workaround has not been in operation for a while, there will have been a significant period of time in which other Safari users (perhaps all other Safari users) will have been subject to exactly the same activity as the claimants in the Vidal-Hall case. Those who are entitled to bring a claim in the English courts will be watching with interest, and anyone who thinks they have been affected should consult with a lawyer in order to preserve their position--not least because of the potential limitation issues given the period in which the workaround was in operation.

Does this case offer any guidance as to the use of browser generated information (BGI) and cookies?

The case makes clear that BGI/cookies are capable of being private and personal information, which has implications under DPA 1998 and also in connection with the tort of misuse of private information identified in this judgment. As such, it has significant implications for those responsible for creating and using cookies and the information stored in them. In summary, the court's guidance is that it is going to be essential that the processing of such information is in accordance with the law, which means that (broadly) it must only be undertaken with consent or for one of the purposes specified in DPA 1998, Sch 2, and that the data must not be retained for longer than required for those purposes, among other matters.

Could information collected by tech companies be considered 'sensitive personal information'? If so, what would be the consequences if such data was found to have been unlawfully processed?

All that the judgment needed to reach a conclusion on (for the purposes of this interlocutory application) was the question of whether it was arguable that BGI was capable of amounting to personal information. The court concluded that it clearly could, regardless of the fact that the data did not include a record of the user's name. It was enough that the data 'individuated' the user. For the personal information to be 'sensitive' it would have to be capable of identifying a user's sexuality, religious or ethnic background, political affiliations or physical or mental health, among others. It is easy to imagine that a great deal of such information might be stored in a cookie which logged the individual's browsing habits, and therefore that the information as a whole might be sensitive personal information. The consequence of that is that one of the further conditions in DPA 1998, Sch 3 must apply for the processing to be lawful. This seems unlikely in most circumstances, with the consequence that an information notice may be served requiring the unlawful processing to be brought to an end. Failure to comply with such a notice would be a criminal offence.

Is this the end for Safari workaround claims?

Far from it--as mentioned above, it is likely that there will be a significant number of further claims awaiting the outcome of the substantive proceedings in the Vidal-Hall case.

How might this ruling impact on claims for misuse of private information?

The broader implications of this decision are potentially very wide-ranging indeed. It is now clear that a separate tort of misuse of confidential information exists, and is actionable without evidence of pecuniary loss (ie damages can be claimed for emotional distress only). While there will obviously be a number of further claims specifically in connection with the storage of private data in BGI and cookies without authorisation, there are also a far wider range of circumstances in which private information might have been misused, causing emotional distress. This offers a range of new opportunities for claims to be brought in respect of such conduct.