Since the European Court of Justice issued the Google Spain decision – recognising a 'right to be forgotten' and establishing Google as a data controller subject to EU law – data privacy litigation has exploded, dragging more companies and their activities and services into the fight. Some say that this is long overdue and the law is finally trying to cover ground which it lost to technology, jurisdiction and globalisation. Others argue that this EU data privacy spring is fuelled by jealousy of the worldwide success of US tech companies. What has resulted is a classic power struggle over whether US tech e-commerce will allow EU law to control its activities. While this battle rages on, what is also clear is that media and entertainment lawyers now have new tools to help their clients, whose priorities have shifted away from dealing only with privacy threats from traditional media towards online threats from new media which provide alternative (and far wider) access to information, can cause far more damage and distress, and often have great influence over how individuals and their businesses are perceived by others.
As a result, the takedown has become the new injunction as clients often want information removed first and foremost ahead of damages, with search engines being the most practical target given the number of other potential parties in the chain of publication and their popularity as an online access point. Therefore, the momentum of new information case law is crucial for media lawyers – especially as most of the cases focus on making gains against US service providers that are traditionally based outside the jurisdiction and have historically been able to avoid any real threat of litigation or legal obligation to comply with requests or claims under EU law. As new risks have now emerged where none previously existed – especially as media clients are likely to keep driving litigation in this area – this update examines four key developments in the field.
In Vidal-Hall v Google Inc ( EWCA Civ 311) – widely seen as a test case – each of the three claimants (based in the United Kingdom) had used the Apple Safari browser to search the Internet, after which Google (based in the United States and using cookies) tracked and collected browser-generated information regarding their internet usage without their knowledge and gave it to advertisers, which then used it to send targeted ads back which appeared on their display screens and were seen by others, causing distress. Damages claims for distress were brought for breach of privacy, confidence and data protection. Google applied for a declaration that the English courts had no jurisdiction, plus an order to set aside the claim form served upon them out of the jurisdiction. Following Google's appeal of the adverse decision at first instance, the Court of Appeal ruled on two important issues.
First, for a UK-based claimant to sue a US defendant, permission is required from the English court, which will be granted only if certain criteria are met – one of those being that the claim falls into a 'gateway'. Although disputed by Google, the court upheld the first-instance decision that a claim for privacy is one in tort falling into one of the specific gateways allowing such an action to be brought against a foreign defendant in the English courts – it being separately accepted by both parties that a claim for breach of data protection would also be so.
Second, although claimants have historically been prevented from claiming damages for distress for breach of data protection in "non-special purpose cases" unless pecuniary loss can be proved (under Section 13 of the Data Protection Act 1998) – and while Google argued that this meant that there was no serious issue to be tried – the court thought otherwise, ruling that compensation for emotional distress could be awarded without pecuniary loss. This was in line with the EU Data Protection Directive (95/46/EC), from which the Data Protection Act derived. The court held that this needed to be interpreted widely so as to be consistent with its original intention (ie, to protect privacy, not economic rights), and thus ruled that Section 13 be disapplied insofar as it is incompatible with the directive.
Mr Mosley, having battled against the online accessibility (via various websites) of photographs and video footage of himself partaking in an orgy since winning his privacy claim against the News of the World in 2008, has undertaken a wave of subsequent litigation against Google for continuing to allow access to them. Although Mosley had the right for URLs leading to the photographs and video to be forgotten, he sought to go one step further, seeking judgments from various EU courts ordering Google to de-index and block access to them altogether (rather than merely delisting on request when identified), in the same way that it can with child pornography images. The argument for this was that retrospectively requesting removal, URL by URL, was a "Sisyphean task". After bringing claims and obtaining such decisions and orders in France and Germany, he brought the same claim in the English courts and Google applied to strike it out, arguing that it had no reasonable prospect of success. The English Court disagreed (Mosley v Google  EWHC 59 (QB)).
While the court felt that Mosley's claim for breach of privacy was problematic – since Google Spain established Google as a data controller, exposing it to the obligations under the Data Protection Act – it decided that his claims for breach of his rights as a data subject under Sections 10, 13 and 14 had more than a reasonable prospect of success, for several reasons. The court thought it plainly believable that Mosley had suffered distress and was not convinced that various provisions of the EU E-Commerce Directive (2000/31/EC) (most notably, the principle of free movement of information society services between members states, protections afforded to those who cache information and the general prohibition on monitoring) prevented the claim from having any prospect of success; it therefore held that such issues should be decided at trial. Thus, Mosley's claim under Section 10 that Google stop processing his sensitive personal data (as it was causing substantial and unwarranted damage or distress) was held to be viable. Google – having since lost Vidal-Hall – and Mosley have now settled.
Global Witness, which campaigns against corruption in the natural resources industry, carried out investigations into and published a series of reports alleging corruption regarding the activities of Mr Steinmetz and three other executives of his companies BSG Resources and Onyx Financial Advisors. In response, they brought numerous claims under the Data Protection Act, including for breach, subject access, preventing distressing processing, damages, rectification and blocking. Global Witness sought to assert a defence under Section 32 on the basis that the processing involved was for the special purpose of journalism. The claimants argued that the defence was limited in scope to conventional journalism, not campaigning. The High Court passed the claims on for determination by the Information Commissioner's Office (the UK regulator), which ruled that the exemption (while not an automatic defence) applies to anyone engaged in public-interest reporting – not just conventional media – and is widely defined as imparting information and ideas to the public by any means, which must include Article 10 (freedom of expression) and public interest considerations. As a result, Global Witness had an absolute defence halting the claims (Steinmetz v Global Witness  EWHC 1186 (Ch)).
Under the Criminal Justice and Courts Act 2015, 'revenge porn' (ie, the unauthorised sharing of private sexual photographs or videos, usually online) has been criminalised for the first time in the United Kingdom after becoming a growing concern, often among young people (predominantly women) in relationships that end acrimoniously. It is epitomised by, for example, the disclosure of sex tapes or intimate images consensually exchanged or sent privately, later published by an ex-partner for revenge, which then proliferate across the Internet and cause immense distress. Sometimes even suicide results. It is now an offence to disclose by any means (eg, email, social media, instant message services, uploading, text) a "private sexual photograph or film" (ie, one not ordinarily seen by the public which shows anything that a reasonable person would consider to be sexual) if the disclosure is made "without the consent of the individual who appears" and "with the intention of causing that individual distress", which must be proven. There are defences, such as disclosure with a view to publication of journalistic material reasonably believed to be in the public interest. Those guilty face a sentence of up to two years in prison. Separately (perhaps in response to the recent celebrity iCloud photo leaks), Google has announced a new policy whereby it will remove "nude or sexually explicit images shared without their consent" from Google search results, seemingly across its global domains – critically, including its '.com' domain, which it has argued to date is not subject Google Spain and to which the right to be forgotten does not extend. Some have commented that this change has opened the door in the United States to such a right.
It seems clear from the above cases that the English courts are now the place to assert a claimant's data privacy rights against foreign tech companies (now exposed to liabilities under the Data Protection Act), as they have the jurisdiction to hear such claims and can potentially order a search engine to:
- stop processing or tracking information;
- delist or block access to information (including defamatory allegations; see Hegglin v Persons Unknown  EWHC 2808 (QB)); and/or
- pay damages for pure distress caused.
Further, unless such processing takes place for the special purpose of journalism (as it would for a traditional newspaper defendant), a defence is unlikely to be easily raised. If the data concerned can be categorised as revenge porn, its dissemination could be criminal and therefore contrary to website terms and conditions, and vulnerable to removal from Google's global search results in any event.
Although Google Spain concerned only search engine services, can it remain sustainable for similar companies which offer other online services to EU or UK nationals and process their personal data (eg, Twitter, Facebook, YouTube, WhatsApp, TMZ) to avoid liability? While these and hundreds of other websites continue to be the access point for information (rather than newspapers), they will continue to become takedown targets when unlawful content proliferates across them. It appears that the threat of UK-based litigation is no longer so weak as to allow such companies to ignore genuine claimants, as doing so could lead to a new test case. Equally, photo leaks and email hacks resulting in online information disclosure will no longer solely be the responsibility of the victim or law enforcement, as search engines will respond to requests to block, and those websites continuing to publish (as well as the uploader) will be exposed to civil and criminal claims and consequences. The real question is what will happen when unsuccessful defendants flout the decisions and orders made against them, making enforcement necessary. While hackers may avoid justice, will listed companies publicly refuse to cooperate and expose executives travelling to the United Kingdom to contempt of court proceedings?
With various EU regulators now taking separate actions against online service providers – as exemplified recently by the French data protection authority giving formal notice to Google to delist URL links from all of its domain names worldwide (not just EU sites) or face penalties and the Belgium Privacy Commission's decision to take Facebook to court over its tracking practices of non-users and opt-out mechanisms – this battleground shows no sign of abating. There is potential for many other companies outside the European Union to be dragged in, particularly with the new EU General Data Protection Regulation threatening to materialise at some point and bring big fines. Over and above the threat of a public or media backlash against online services failing to act responsibly in this new age – as starkly exemplified by calls for Twitter to do more against trolls – the true legal ramifications of the data privacy revolution for companies in this area may only just be beginning.
For further information on this topic please contact Gordon Williams or Michael Yates at Lee & Thompson by telephone (+44 20 3073 7600) or email (firstname.lastname@example.org or email@example.com). The Lee & Thompson website can be accessed at www.leeandthompson.com.
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide. Register for a free subscription.