In the recent case of Vidal-Hall & Ors v Google Inc  EWHC 13 (QB), the High Court granted three Claimants permission to serve proceedings outside the jurisdiction against Google Inc (“Google”) for misuse of private information, breach of confidence and/or breach of the Data Protection Act 1998 (“DPA”). The claims relate to the use of anonymised internet usage data for targeted advertising without consent. The Claimants required the Court’s permission to serve the claim as it is being brought outside the normal jurisdiction of the English courts against “Google Inc” (based in California) and not the UK company “Google UK Ltd”.
In response to the Claimants’ application, Google filed its own application, seeking an order which declared the Court had no jurisdiction over the claims against it. The Court dismissed Google’s application and granted the Claimants the permission they had applied for. Google intends to appeal the ruling, which could have important ramifications for Google and other businesses (whether based in the UK or abroad) which exploit user data for advertising purposes.
The claim against Google Inc
All three Claimants accessed Google’s services (including search facilities, Gmail and Maps) using Apple’s Safari browser. The Claimants allege that, without their permission, Google tracked their usage and collected personal data (such as interests). Although this data was anonymised by Google, it was grouped according to content and resulted in targeted advertising being delivered to the Claimants based on their interests (for example ‘football lovers’ might be grouped together, and those users might receive football-related advertisements).
The Claimants allege they suffered damage as the advertisements on occasion disclosed personal information and were, or might have been, seen by third parties viewing the Claimants’ devices. Notably, none of the Claimants pointed to any particular harm resulting (for example a lost job opportunity or damage to a relationship), though all three claim to have been caused anxiety or distress by the targeted advertising.
Apple’s Safari browser has default privacy settings aimed at preventing usage tracking and personal data collection of the kind allegedly carried out by Google: by default, it blocks third party cookies (e.g. from advertisers). Safari does, however, make certain exceptions to this rule so that websites are fully functional when viewed. The Claimants allege that Google exploited Safari’s exceptions in order to carry out exactly the type of data collecting and tracking the default settings were designed to prevent. The data was then aggregated into groups and offered to advertisers.
In addition to general damages, the Claimants seek aggravated damages on the basis Google was or ought to have been aware that it was exploiting a workaround to undermine Safari’s settings, and an account of profits made by Google out of each Claimant’s personal data. The Claimants also seek an injunction to prevent Google from continuing its conduct.
The fact that one of the Claimants’ claims relates to the misuse of private information is also notable. Misuse of private information is a developing cause of action, which has derived over recent years from the law on breach of confidence. However, unlike breach of confidence (which the English courts have held is not a tort), misuse of private information at least appears to be a tort. Google’s position was that the action was not one in tort, but the court disagreed and ruled that it was. The distinction is important because, as a tort, distress or psychological harm will suffice to constitute ‘damage’ (relieving the Claimants of the need to prove actual loss or physical harm).
The privacy and value of the data
Google argued that, as the data was anonymised when it was sent to advertisers, it was not private. The fact that it was then aggregated did not make it private as it was not private beforehand and could not ‘become private’ once collected.
The Court disagreed, noting that data obtained by Google ‘yields spectacular revenues for which Google Inc is famous’, meaning it was obviously of value once aggregated. However, this did not matter as the claim went beyond whether or not the information transferred by the Claimants to Google was anonymous. The damage only occurred once the targeted advertisements were transferred to the Claimants and displayed on their devices. These adverts would not always disclose private information, but there were ‘particular occasions’ when what might be sent back would be private.
Is internet usage data “personal data”?
Google also sought to refute the Claimants’ claim under the DPA, arguing that the internet usage data collected was not “personal data” for the purposes of the DPA as the Claimants could not be identified from such data and that Google kept it segregated from other data held by it from which the Claimants could be identified.
The Court, however, disagreed with Google, finding that in light of the Article 29 Working Party’s Opinion on the concept of personal data there was a sufficiently arguable case that the internet usage data did fall within the definition of “personal data” in the EU Data Protection Directive (which is implemented by the DPA in the UK).
Whilst this case only relates to three individuals and is not a representative action, its outcome could affect the ability of other users to pursue similar actions (a fact which the Court acknowledged). The Court’s interpretation of the law on the misuse of private information as a tort is an important development, and may well impact similar cases in the future, as is the Court’s willingness to find that internet search engine usage data may constitute personal data for the purposes of the DPA even though such data does not directly identify the relevant individuals. Google intends to appeal this decision, and so it remains to be seen whether the Court of Appeal agrees with the High Court’s interpretation of the law on this point.
It is also notable that the Court cited regulatory action taken against Google abroad: for example, Google had been fined USD$22.5m by the United States Federal Trade Commission as a result of the type of behaviour complained about in relation to Safari. It had also agreed to pay USD$17m to settle consumer actions brought in the USA, and given undertakings regarding its conduct. This is in addition to criticism and fines imposed by European data protection authorities.
From an EU data protection standpoint, fines for breaches are currently relatively modest when considered in the context of multinational organisations such as Google; for example, in the UK the ICO can impose a maximum fine of £500,000. However, the proposals for reforming the EU data protection regime, which may come into force by late 2016/early 2017, envisage fines of up to €100m or 5% of annual world-wide turnover (whichever is higher). These should be of significantly more concern to Google and other organisations whose business models are based on the commercial use of personal data, especially given the courts’ apparent willingness to broadly interpret the scope of personal data.
Link to case: http://www.bailii.org/ew/cases/EWHC/QB/2014/13.html