Google knows a lot about us and the searches we make. By watching the things we search for it can identify what we might want to buy and target (or sell the opportunity to its clients to target) suitable adverts at us. The English Court has decided to rule on whether it can do so.
Three UK-resident individuals issued a claim against US-based Google for misuse of their private information and breach of statutory duties under the Data Protection Act 1998 by tracking and collating information relating to their internet use on Apple’s Safari browser (bypassing Safari's user privacy settings in the process) without their knowledge or consent (Vidal-Hall and others v Google Inc).
In this way, Google was able to and did obtain and collate information including internet surfing habits, social class, racial origin, physical and mental health, sexual interests and financial situation. This information was then used to put users into labelled groups, so that advertisers could choose from these groups when selecting who to display their adverts to.
The claimants’ case is that the targeted ads on their screen could have disclosed sensitive information about them to people looking at their screens, and this has caused them to suffer distress and anxiety. They do not actually say that any third parties have discovered information about them which was detrimental or that they have suffered any financial damage, which may in due course be problematic to their claims.
After the claim was issued, Google challenged the permission to serve it on them in the US and asked for a declaration that the English Court had no jurisdiction to try the claims brought against it.
In refusing Google’s application, Tugendhat J considered the requirements in the Civil Procedure Rules (CPR) for service outside of the jurisdiction and concluded that:
- the claimants had a good arguable case that fell within the (CPR) ground relied on
- there was a serious issue to be tried
- England is the appropriate forum to try the dispute.
The Judge's conclusions on various aspects of data protection and privacy were particularly interesting. He held that:
- misuse of private information is a tort within the meaning of CPR 3.1(9) (ie where damage was sustained within the jurisdiction or as a result of an act committed within the jurisdiction)
- the damage alleged did not have to be economic or physical (as argued by Google); damage should be given its natural and ordinary meaning and in this context could mean damages for distress
- the definition of 'personal data' within the meaning of the DPA could include the data collated by Google. The Judge disagreed with Google's arguments that the information it collated was anonymous, finding that a cookie containing a unique ID for each internet user was clearly personal data. The Judge also acknowledged the claimants' argument that an internet user could be identified by third party viewers who saw the targeted advertising that was sent to a user's screen.
The Judge acknowledged that the issues of English law involved were complex and a developing area and therefore it would be costly for an American Court to resolve these issues; burdensome for the claimants to litigate there; and concluded it would be better for all parties to resolve these issues before an English Court.
The clear statement by Tugendhat J that misuse of private information is a tort is potentially an important one (if it is subsequently followed by the trial judge), as this is a relatively new and developing area of English law. It is also significant that the Judge held that the claimants could rely on the DPA despite not having suffered any financial loss and also suggested that the meaning of personal data under the DPA could be extended to include information that does not expressly identify the user.
If it goes to trial, this case will be watched closely both by those who are worried about online privacy and by online advertisers, as well as practitioners in privacy and data protection law. It will be interesting to see how a trial court interprets Tugendhat J's views in due course.
Google has already faced regulatory sanctions in the USA following discovery of their collection of information from Safari browsers; the company agreed to pay $22.5 million in 2012 and $17 million in 2013 to settle charges brought against them and was required to give a number of undertakings governing its future conduct in its dealings with its US-based users. This dispute is now set to come to England.
The author Georgina Shaw is a member of Burges Salmon's Intellectual Property Disputes team led by Jeremy Dickerson.