High Court Judge Mr Justice Michael Tugendhat has declared in the case Vidal-Hall & Ors v Google Inc.  EWHC 13 (QB) (16 January 2014) that infamous U.S. corporation Google Inc. (‘Google’) will face the scrutiny of the UK courts in a privacy claim brought by three British Internet users (the ‘Claimants’), who have started a group known as the ‘Safari Users Against Google’s Secret Tracking’ (the ‘Claimants’).
By way of background since the summer 2011, all versions of the Safari browser installed on Apple Inc. (‘Apple’) devices have been set by default to block third-party cookies to prevent advertising-related tracking. The Claimants allege that between September 2011 and February 2012, Google circumvented Apple’s default Safari settings to place covert tracking cookies, specifically the DoubleClick ID cookie, on their devices. This allowed Google to unlawfully monitor their online browsing activities, referred to as the ‘Safari Workaround’, for the purposes of furthering its AdSense service with advertisers. As a result, the Claimants argued Google was able to obtain and collate a vast amount of their private information, including their IP address, Internet browsing habits, shopping habits, interests and hobbies, news reading habits, religious beliefs, racial origin, social class, political affiliation, age, gender, and geographical location – all without their knowledge or consent. Consequently, the Claimants plead they have suffered damage to their personal dignity, autonomy and integrity, causing them anxiety and distress, for which they seek aggravated damages and an apology.
The preliminary issue of contention in bringing this claim lay in the fact that Google is a corporation registered in Delaware, calling into question the appropriate jurisdiction to hear the case. Considering the potential financial burden, it was deemed disproportionate for the Claimants to bring a claim before U.S. courts. As a result, on 12 June 2013, a Master granted the Claimants permission to serve the claim from outside of the jurisdiction on Google in its principle place of business in Mountain View, California. On 12 August 2013, Google applied to the court for an order setting aside service, on the grounds that it did not consider the English courts to have the jurisdiction to hear the claim.
The High Court judgment has now clarified that under UK law, a court will only give permission for a claimant to serve outside the jurisdiction if the claimant can satisfy the court that England and Wales is the ‘proper place’ or ‘forum conveniens’ to bring a claim (Civil Procedure Rule 6.37(3)). There are two permissible grounds for service outside the jurisdiction under Practice Direction 6B, including:
Paragraph 3.1(2) - in cases where a claim is made for an injunction ordering the defendant to do or refrain from doing an act within the jurisdiction
Paragraph 3.1(9) - in cases where a claim is made in ‘tort’ where damage is sustained within the jurisdiction or the damage resulted from an act committed within the jurisdiction
An injunction may only be granted under 3.1(2) if the court deems there is an appreciable risk that without the injunction, the defendant will in the future interfere with the claimant’s rights. Evidence before the court suggested that Google had ceased the conduct complained of and destroyed the Claimants' information. Judge Tugendhat therefore held insufficient grounds to satisfy 3.1(2). In the alternative, the Claimants were forced to only rely on 3.1(9). Interestingly, the High Court held that while a claim for breach of confidence could not be construed as a tort for the purposes of 3.1(9), a claim for the misuse of private information could. This interpretation could have wide implications, redefining the traditional understanding of how the right to privacy should be viewed in the English courts. Considering this to be a serious question of English law to be tried, and that the focus of the case to be on where the damage suffered by each Claimant had occurred, the court concurred that England was the appropriate forum for this case to be heard.
In addition to pleading the tort of misuse of private information, the Claimants pleaded that Google had processed their personal data in breach of its duties as a data controller under section 4(4) of the Data Protection Act 1998 (‘DPA’). Specifically, Google failed to comply with the data protection principles to process their personal data fairly and lawfully. The Claimants alleged the following violations of the DPA:
Contrary to Schedule 1 Part II Paragraph 2(1)(a), the Claimants were not provided with or informed of the requisite information under paragraph 2(3) thereunder
Private information was obtained without the knowledge or consent of the Claimants contrary to Schedule 1 Part II Paragraph 1(1)
None of the conditions of Schedule 2 were met
None of the conditions of Schedule 3 were met in relation to the Claimants' private information, which amounted to sensitive data under the DPA
Contrary to the second data protection principle, the private information was not obtained for any lawful purposes
Contrary to the seventh data protection principle, Google failed to ensure that appropriate technical and organisational measures were taken to prevent the unauthorised or unlawful processing of the Claimants' data
Google challenged this head of claim, refuting the argument that the Claimants' browser-generated information constituted ‘personal data’ within the meaning of the DPA. However, the High Court relied upon guidance from the Article 29 Working Party Opinion on Personal Data WP136 to clarify ‘an individual’s search history is personal data if the individual to whom it relates is identifiable. Though IP addresses in most cases are not directly identifiable, by search engines, identification can be achieved by a third party…Unless an Internet Service Provider is in a position to distinguish with absolute certainty that the data correspond to users that cannot be identified, it will have to treat all IP information as personal data to be on the safe side…when a cookie contains a unique user ID, this ID is clearly personal data. The use of persistent cookies with a unique user ID allows tracking of users and the behavioural data generated through these cookies allows focusing even more on the personal characteristics of the individual concerned.” This certainly sets the precedent for a much broader interpretation of personal data in the UK courts, much to the detriment of online service providers and advertising networks.
For Google’s contravention of the DPA, the Claimants claimed to be entitled to damages under Section 13(1) of the DPA, which provides the right compensation for any violation of Section 4(4) of the DPA. Google, however, again dismissed the Claimants' arguments, underlining the fact that Section 13(1) only provides the right to compensation for distress where financial loss can also be demonstrated. However, the High Court considered that because the Claimants' right to privacy under Article 8 of the European Convention of Human Rights had been engaged, the distress suffered by the Claimants could pass the threshold of seriousness to warrant compensation regardless of financial loss. The High Court left the debate on damages to be decided at trial; however, if Judge Tugendhat’s judgment is any indication, it seems likely that the requirement to demonstrate financial loss as a precursor to claiming damages for distress under the DPA could be relinquished. This decision could potentially open the floodgates to a proliferation of claims under the DPA.
Following the announcement from the High Court that Google will face the UK courts for further scrutiny, one of the claimants, Judith Vidal-Hall, commented in a statement to the press, “We want to know how Google came to ignore user preferences to track us online; how did they get around Apple’s program settings – they have said it was accidental, but how do you accidentally interfere with someone else’s program? We want to know how long they have done this for, what they’ve done with our private data, how much they have made from this, and why they keep flouting privacy laws? This case is about protecting the rights of all Internet users who use a company that is virtually a monopoly but seems intent on ignoring their right to privacy.” In response, a Google spokesperson commented “We still don't think that this case meets the standards required in the UK for it to go to trial, and we'll be appealing today’s ruling.”
This will not be the first time Google will be the subject of court scrutiny. In August 2012, Google faced a fine of $22.5 million levied by the U.S. Federal Trade Commission for the violation of the promise not to place tracking cookies on the Safari browser. Google also faced a sprawling class action in October 2013 over allegations of violations of various U.S. federal privacy laws by developing a computer code which circumvents the default privacy settings on Safari designed by Apple, to specifically prevent third parties from tracking the browsing activities of Safari users. This action was set aside for lack of standing; however, in November 2013, Google paid out more than $17 million in damages to settle U.S. consumer-based actions brought by U.S. attorneys general representing 37 U.S. states. The proliferation of legal actions to date against Google led Judge Tugendhat to conclude in his judgment, “The Defendant’s past and current behaviour, and responses to enforcement action by authorities, demonstrates that it has an institutionalised disregard for both the privacy of its billions of users and for the regulatory regimes of the countries in which it operates.”
We wait with bated breath to see if the case proceeds to trial, or if Google will slip through the net by appealing the High Court’s decision.