In a recent speech, the President of the Supreme Court expressed his concerns about the difficulties of exercising effective control over publications on the internet, particularly in light of “astonishing developments in IT”. He noted that the territorial nature of courts can make them powerless against the global nature of the internet and the ease of publishing information online. He called for unspecified changes in the law.
This article looks at recent developments in the law concerning the right to control information on the internet and how individuals and businesses may use that to exercise some control over what is published about them online.
According to a report commissioned by Thomson Reuters, the number of reported privacy cases in the UK courts has doubled over the past five years. Below, we look at three cases brought in 2014 by individuals against Google, before noting what these cases mean for businesses.
The right to be forgotten
European and UK data protection legislation affords some protection to individuals in respect of their identifiable personal data, a point reinforced by the European Court of Justice’s (“ECJ”) landmark decision in Google Spain SL and Google Inc v Agencia Espanola de Proteccion de Datos (AEPD) and Mario Costeja González (C-131/12) (“Google Spain”).
In Google Spain, the ECJ upheld a complaint against Google Inc by an individual who had requested the removal from Google’s search engine of a link to an article which reported that his property had been forcibly sold to recover his personal debts. The ECJ made the following key findings:
- search engines must be compliant with the Data Protection Directive (the “Directive”) as their activities qualify them as both “data processors” and “data controllers”, provided they fall within the Directive’s territorial reach;
- where a search engine establishes a branch or subsidiary in a Member State in order to promote its services to inhabitants of that Member State, the Directive applies to that subsidiary, even if its servers are based in the US and the data processing takes place outside the EU; and
- individuals have the right to obtain the rectification, erasure or blocking of their personal data where its processing does not comply with the Directive, for instance, due to the data being incomplete or inaccurate, irrelevant or outdated. The ECJ found that individuals could request a search engine to remove links to lawfully published articles about them without any need to show that the processing of the data caused them prejudice (which has become known as the “right to be forgotten”).
Browsing information and targeted adverts
Individuals brought a claim against Google Inc for misuse of private information, breach of confidence and breach of the Data Protection Act 1998 (the “DPA”), based on Google’s use of a certain type of cookie which enabled the tracking and collection of individuals’ browser activity. Google then sold this data to advertisers who used it to send targeted advertising to those individuals.
The judgment (Vidal-Hall v Google Inc  EWHC 13 (QB),being appealed) demonstrates the broad scope of the DPA. The judge found that, even if the browsing information obtained by Google was not immediately identifiable in Google’s hands, a third party might identify the individuals from the targeted ads. If so, the “footprint of that person’s interests, relations and intentions” which Google had collated would be identifiable personal data which must be treated in accordance with the DPA. The judge’s preliminary view was that the distress which the individuals suffered when they discovered that they might have been identified from the targeted ads was likely to be sufficient to claim damages for distress under the DPA and for misuse of private information, even though they had not even alleged that any third party had in fact identified them nor that they had suffered any monetary damage. However, he acknowledged that this was a controversial question in a developing area of law which should be decided at trial.
Hegglin v Google Inc: broad international reach of Directive
The ECJ’s findings in Google Spain on the broad territorial reach of the Directive were applied by the English High Court in its July 2014 decision on a preliminary application in Hegglin and Persons Unknown v Google Inc  EWHC 2808 (QB).The court granted permission to serve Google Inc as an overseas defendant, to a businessman resident in Hong Kong, but who had connections in the UK and was a director of a company preparing to float on the London Stock Exchange. The claimant had requested an injunction on the basis of the statutory tort under section 10 of the DPA, ordering Google to block certain sites and to take all reasonable and proportionate technical steps to prevent the snippets of abusive and defamatory allegations which had been posted on the websites from appearing in its search results.
As the case was settled at the end of November 2014, it is unclear whether the court would have granted an injunction in such wide terms and this point remains to be tested in future cases.
Article 29 Working Party weighs in
Recently the Article 29 Working Party (an EU committee of national data protection authorities) has agreed on a common "tool-box" to ensure a coordinated approach to the handling of complaints resulting from search engines’ refusals to “de-list” complainants from their results. Inconsistent approaches to requests to remove links demonstrate the difficulties data controllers face in balancing the data subject’s request for the links to be removed with countervailing rights (eg the economic interest of the search engine and the right of the public to access such information in certain circumstances). It has announced that it will set up a network of dedicated contact persons to develop common case-handling criteria to handle complaints by the data protection authorities. This network will provide the authorities with a common record of decisions taken on complaints and a dashboard to help identify similar cases as well as new or more difficult cases.
Implications for businesses
Whilst Google has grappled with over 91,000 requests from individuals to remove links, the courts’ findings are not limited to search engines. Any organisation acting as a data controller may face requests for personal data which is not being processed in accordance with the Directive (for instance, because it is incomplete or inaccurate, irrelevant or no longer relevant, or excessive in relation to the purpose for which it was collected) to be removed.
Additionally, the ECJ’s findings on the territorial reach of the Directive in Google Spain make it easier for claimants to sue overseas defendants for breaches of the DPA before the UK courts and to request the take-down of offending data, which is likely to mean that data controllers will face an increasing number of requests.