The privacy headlines this year have been predominantly grabbed by Google Spain, a judgment given in May 2014 (reported here) by the Court of Justice of the European Union (CJEU) which held that Google was subject to European data protection laws and must observe the right of its data subjects in the EU to be ‘forgotten’ from its search engine results. 

However, another case potentially more pertinent to UK data protection law has been quietly building momentum this year, and has now received intervention from the Information Commissioner’s Office (ICO). This week it was announced that the ICO has entered the frame as an ‘interested party’ and submitted evidence, on the basis that elements of the case could be relevant to data protection regulations. 

The case, Vidal-Hall v Google Inc. involves Google and three users of an internet browser. The three claimants allege a breach of their privacy (misuse of confidential information) based on Google’s use of ‘analytic’ cookies, which tracked their online habits on a particular internet browser, in order to display targeted advertising on their browsers. 

‘Cookie law’ has been a topical subject in Europe this year; following the Article 29 Working Party clarification issued in 2012 about the lawful use of cookies. Analytic cookies, the guidance said, required explicit consent from site users in order to be lawful, and users should be provided with clear and comprehensive information about how their information is used. The French data protection authorities announced a ‘cookie sweep day,’ a lock stop date of 15 September 2014 from which the CNIL was to commence a website audit for cookie compliance. Under the French approach, Internet users must also have the ability to block advertising cookies but still be able to use the relevant service. 

In January 2014 the UK High Court held that the case could be heard in the UK, despite Google being based in the US. Google had claimed that the case was not serious enough to fall under British jurisdiction. Google has said they will appeal this ruling, however, the ICO’s recent involvement may make a successful appeal on jurisdiction less likely, having added more reason that there is a serious issue to be considered in the UK. 

This could prove to be a ‘test’ case for privacy and the issue of damages and will be eagerly followed by technology companies in 2015, of particular relevance to US internet service providers with EU operations, and may provide an interesting development for privacy law in the UK.