A recent decision of the English High Court demonstrates a willingness of European courts to be more assertive in taking jurisdiction in disputes over individuals’ data privacy rights. The court, in Hegglin v. Person Unknown & Google Inc. [2014] EWHC 2808 (QB), agreed to allow a person bring a case against Google Inc. in England, despite that fact that Google Inc. is based in the United States.

The case

Mr Justice Bean in the English High Court granted permission for the proceedings to be served against Google Inc., despite the fact Google Inc. is headquartered outside England. Part of the judge’s reasoning in allowing the service of papers on Google Inc. in California was, amongst other things, the fact that Mr Hegglin asserted that his data protection and privacy rights had been infringed by the search engine.

Mr Hegglin, a businessman currently resident in Hong Kong but with significant business interests and a home in London, initiated legal action against persons unknown and Google Inc. on 20 June 2014. He was seeking to have links to defamatory and abusive posts about him removed from Google search results returned against his name.

Specifically, the claimant sought an interim injunction pursuant to sections 10 and 14 of the UK Data Protection Act 1998 and the Data Protection Directive (95/46/EC):

to prevent the processing of personal data of the claimant which is inaccurate and/or which is causing or is likely to cause him substantial damage or substantial distress.[1]

As Google Inc. is incorporated in Delaware and located in California, Mr Hegglin needed the permission of the English High Court to serve papers on the company before the case could commence.

Old Test, New Media

The English High Court stressed that the traditional judicial test for service outside the jurisdiction must be followed, even in cases involving new technology companies. In this case, the English High Court stated that the claimant must prove to the court that:

  1. there is a serious issue to be tried on the merits of the claim – the court found that the relevant posts were of such a serious and potentially damaging nature that there was clearly a serious issue to be tried;
  2. there is a good arguable case that the claim against the foreign defendant falls within one or more of the classes of case for which leave to serve out of the jurisdiction may be given – Mr Hegglin’s claim for an injunction ordering the defendant to do or refrain from doing something within the jurisdiction is provided for in paragraph 3(1)(2) of the English Practice Direction 6B; and
  3. England is clearly or distinctly the appropriate forum for the trial of the dispute – considering Mr Hegglin’s extensive business dealings in England and together with the fact that he has a home in the country, the court found that the allegedly defamatory posts would impact his reputation in England.

In reaching its decision, the English High Court relied on the recent decision of the Court of Justice of the European Union (“CJEU”) in Google Spain. In that case, the CJEU ruled that Google Inc. was considered to be a data controller for the purposes of the European Data Protection Directive in relation to its provision of web search facilities. Consequently, the court accepted that papers could be served on Google Inc. in California as information about Mr Hegglin was being processed by the company when it returned searches against his name.

In such circumstances, Mr Justice Bean held that there is, at the very least, a good and arguable case that Google Inc. must comply with the provisions of the UK Data Protection Act 1998 when processing Mr Hegglin’s personal data. In order to protect the rights of Mr Hegglin, the English High Court allowed the papers to be served out of the jurisdiction on Google Inc.

No stone unturned

The case is an interesting insight into the increasing role that privacy and data protection rights are playing in litigation in Europe. It shows the willingness of the European courts to take jurisdiction over non-European entities that have allegedly breached European data privacy rights. The case also demonstrates how the Google Spain decision has begun to impact upon new cases being brought in EU Member States.