New privacy and jurisdiction headache for Google

Three Google users have won a High Court action to bring a claim against Google Inc. in the courts of England and Wales.¹ The users call themselves “Safari Users Against Google’s Secret Tracking” and claim that the tracking and collection of information about their personal internet usage by Google amounts to misuse of private information and a breach of the Data Protection Act 1998 (DPA).

In his judgment, Mr Justice Tugendhat held that the English courts have jurisdiction to try these claims, and found that there is a serious issue to be tried under both causes of action. The judge also confirmed that misuse of personal information amounts to a distinct tort (and not an equitable cause of action). If the claimants go on to succeed at trial, this case could have serious wider implications for Google and other non-EU based search engines when operating in England and the EU.

The claims

All three claimants are individuals resident in England and Wales and have used various Google services through Apple Safari browsers, such as Google’s search engine, Google Maps and Gmail during the relevant period. As most will know, Google provides these services for no monetary charge, and it generates income by collecting information from its users, then processing it to sell to third parties in the form of targeted advertisements. Google analyses the information that it has collected from its users to deduce what the interests of each user are likely to be. The claim concerns the so-called DoubleClick ID Cookie, which by default obtains and collates information including internet surfing habits and interests, as well as personal information relating to racial or ethnic origin, trade union membership, health, age, sexuality and geographical location.

The claimants claim that by tracking and collecting information relating to their internet usage without their knowledge or consent and aggregating the information and selling it to advertisers, Google has misused their private information and/or acted in breach of confidence and/or in breach of its statutory duties as a data controller under the Data Protection Act 1998. Google has in fact since stopped the particular practices complained of (i.e. the use of cookies to circumvent the “do not track” feature in Safari), and Google’s evidence on this point was not disputed by the claimants. The claimants also claim that they suffered damage in the form of distress and anxiety as a result of Google’s use of their personal information to facilitate the display of targeted advertisements on their screens, from which third parties who saw (or might have seen) a claimant’s screen could deduce personal information about that claimant’s personal characteristics, wishes or ambitions. They did not claim any other damages, financial or otherwise.

Jurisdiction

The Civil Procedure Rules of England and Wales (CPR) stipulate that Google cannot be served within England and Wales, since is incorporated in Delaware and its principal place of business is in California, even though Google UK Ltd has offices there. Instead, the claimants needed the permission of the court to serve the claim out of the jurisdiction. On 12 June 2013 the claimants were granted permission by a Master to serve the claim form on Google in California and duly served it there.

Google’s application

On 12 August 2013 Google applied to the High Court for an order declaring that the English court had no jurisdiction to try these claims and thereby setting aside service of the claim form and the order of the Master. Mr Justice Tugendhat had to decide whether to grant Google’s application. If he found in favour of Google, the claimants would have to bring their claims in California or elsewhere in the USA. Google’s case was not that it had never been sued in the English courts, but that this particular action did not fulfil the conditions that must be satisfied for permission to be granted for service out of the jurisdiction.

Applicable test

In order to obtain permission to serve out of the jurisdiction, the claimants relied on two grounds under the CPR (Practice Direction 6B, paras 3.1(2) and (9)). These permit service out of the jurisdiction in cases where:

“(2) A claim is made for an injunction ordering the defendant to do or refrain from doing an act within the jurisdiction …

(9) A claim is made in tort where (a) damage was sustained within the jurisdiction; or (b) the damage sustained resulted from an act committed within the jurisdiction.”

The judge summarised this test as having three requirements, namely that the claimants must satisfy the court:

1. that they have a good arguable case;
2. there is a serious issue to be tried; and
3. that England is the appropriate forum for the trial of the dispute.

The claimants also sought to rely on ground (9) in relation to the DPA. Google argued that the claimants had failed to make out any of these requirements in relation to their claims.

Decision

The judge first reviewed the claim under paragraph 3.1(2) (the claim for an injunction). Google argued that there was no further risk of interference, since the practices complained of had ceased and the information collected had been destroyed. The judge found this argument persuasive, particularly since there was no dispute that, since the discovery of the company’s collection of the information from Safari, it had faced regulatory action, civil penalties and settled USA consumer based actions amounting to tens of millions of US dollars. In addition, Google had been required to give a number of undertakings about its future conduct in its dealings with users in the USA. For these reasons, the judge found that the claimants could not bring themselves within ground 3.1(2).

Misuse of private information / breach of confidence

The judge then reviewed the law under paragraph 3.1(9) (the claim in tort). Here, Google argued that the claims for misuse of private information and breach of confidence did not fall within paragraph 3.1(9), because the action is not a tort. The judge acknowledged that there is no general tort of invasion of privacy² and that, strictly speaking, both causes of action were not torts, but were founded in equity. He agreed that misuse of private information had been referred to as a tort in a number of cases, including OBG Ltd v Allan and Douglas v Hello!,³ and that breach of confidence has been treated as analogous to a tort.⁴ He found that he was bound by the decision in Kitetechnology⁵ to hold that breach of confidence is not a tort. Nonetheless, he concluded that there was a distinct, specific tort of misuse of private information, which was a tort within the meaning of paragraph 3.1(9).

Mr Justice Tugendhat went on to consider whether the claim for damages for misuse of private information fell within the meaning of ground 3.1(9)(a) (damage sustained within the jurisdiction). He accepted the claimants’ arguments that damage should be given its natural and ordinary meaning, namely damage which is properly characterised as such and recoverable in the context of the tort in question. Damages had been recoverable in claims for misuse of private information, such as Mosley v News Group Newspapers Ltd⁶ and under the Protection from Harassment Act 1997. In addition, damage is not confined to physical or economic harm and, as in cases of libel, permission may be given to serve out of the jurisdiction. He therefore found that the claimants’ claim fell within ground 3.1(9)(a).

Since condition 3.1(9)(a) had already been satisfied for the claim of misuse of private information, the judge found that it was not necessary to consider whether ground 3.1(9)(b) was satisfied, but in his view the acts complained of were committed within the jurisdiction of England and Wales under 3.1(9)(b). The damage complained of was said to result from what the claimants and third parties saw or might have seen on the screen of each claimant. The judge found that this is what is referred to as “publication” in libel cases, such as the Court of Appeal in Douglas.⁷ As such, the damage was plainly effected in England.

Data protection

The judge then turned to the claimants’ claim for breach of the DPA. Google argued that the damage recoverable under the DPA did not include damages for distress unless there is also financial damage.⁸ Google did, however, recognise the decision of the Court of Appeal in Murray v Express Newspapers Ltd,⁹ in which the court expressed concern that the meaning of damage in s 13(1) of the DPA had been construed too narrowly by the trial judge. Google also argued that the claimants had no good arguable case that their Article 8 rights under the European Convention of Human Rights (ECHR) (right to respect for private and family life) are engaged at present, and that the distress that they allege did not pass the threshold for seriousness in order to engage them.¹⁰ The judge was also referred to a decision of a Delaware court made on 9 October 2013, in which claimants failed on the grounds that their complaints were insufficiently serious to go forward.

The claimants contended that there was a good arguable case that their rights under Article 8 of the ECHR had been engaged. They cited a 2008 Opinion of the Article 29 Working Party (Art 29 WP), an independent advisory body on data protection and privacy in the EU, which stated that “the extensive collection and storage of search histories of individuals invokes the protection under Article 8 of the European Charter of Fundamental Rights”.¹¹ It also stated that an individual’s search history amounts to personal data if the individual to whom it relates is identifiable and that identification of IP addresses could be made by third parties. IP information should therefore be treated as personal data by operators of search engines.¹²

In terms of damages, the claimants argued that the term “moral damage”, or stress and anxiety, was an accepted and recognised EU concept establishing the right to compensation for breach of rights where the rights are non-pecuniary or non-property-based. In addition, the European Commission had published a UK country study and a Reasoned Opinion in June 2010 expressing doubt as to whether liability could be limited to actual pecuniary damage within that jurisdiction.¹³

The judge was persuaded that the claimants had a sufficiently arguable case that the alleged moral damage that they had suffered could amount to sufficiently serious damage to engage their rights under Article 8 of the ECHR. He held that the meaning of damage under s 13 DPA was a question of law which might arise for question at trial. His preliminary view, however, was that damage under s 13 does include non-pecuniary damage.

The judge dismissed Google’s argument that the cost of the litigation would be out of proportion.¹⁴ He was not persuaded that the costs of the case would amount to £1.2 million as Google suggested and, since he had found that there was a good arguable case that the claimants’ Article 8 rights had been engaged, he found that for any breach of Convention right a person has a right to an effective remedy.

On whether the information collected constituted personal data, Google argued that browser-generated data were not personal data for the purposes of the DPA and were in fact anonymous. The judge observed that Google would not collect and collate the browser-generated data unless doing so enabled it to produce something of value, which is the facility for targeting advertising, which yields spectacular revenues. He found that these were not generic complaints, but about particular information and about particular individuals. Accordingly, he held that the claimants had established that that there were sufficiently serious issues to be tried as to whether the relevant information was private or personal.

Conclusion

The judge concluded that the jurisdiction of England and Wales was the appropriate jurisdiction to try the case. The claimants were individuals resident in England, and bringing proceedings in the USA would be very burdensome. Also, the issues of English law raised by Google were complex, and it would be costly for all parties involved for an American court to attempt to resolve them with the help of an expert. As such, it would be better that the issues of English law be resolved by an English court.

Comment

Mr Justice Tugendhat was careful to state that, although he had found that the claimants in this case had a sufficiently strong case to be tried, he has not decided that any other user of the Safari browser in the relevant period would also have one. That said, this case will clearly have raised Google’s blood pressure and that of other non-EU-based search engines, as a final decision in favour of the claimants could open the floodgates for similar claims to be brought by millions of other Google users in England and Wales. Moreover, since misuse of private information has been recognised as a tort, damages, and even exemplary damages, can be awarded as of right, rather than as an equitable remedy and so discretionary. Unsurprisingly, Google has said that it will appeal.

This decision has particular implications in the context of other ongoing activity by the Art 29 WP. In early 2012, Google amalgamated its privacy policies for all its services, which prompted the Art 29 WP to investigate with the aim of checking whether it met the requirements of the European data protection legislation. On the basis of its findings, published on 16 October 2012, the Art 29 WP asked Google to implement its recommendations within four months. Google failed to do so. This prompted the Art 29 WP to refer the case to individual data protection authorities in EU jurisdictions. On 3 January 2014, the French data protection authority (CNIL) found that Google’s privacy policy implemented since 1 March 2012 did not comply with the French Data Protection Act. CNIL ordered Google to comply with the French Data Protection Act within three months and to pay a fine of €150,000.¹⁵

CNIL’s decision is in line with co-ordinated action between a wide variety of European data protection agencies. In its decision CNIL noted that the data protection authorities from Germany, Italy, the Netherlands, Spain and the UK are carrying on their investigations under their respective national procedures and as part of an international administrative co-operation. Other than perhaps in competition law, such co-ordinated action among national authorities is rare. That it should be in data protection, confirms the relevance which Europeans and their legislators attach to the protection of personal data. Spain had already fined Google €900,000, the maximum fine that it is possible to levy on a firm that has broken that nation’s privacy laws.¹⁶ Other European regulators, including the UK Information Commissioner, have yet to make a formal decision.

Although these fines are relatively insignificant, it should be borne in mind that a new draft EU Data Protection Regulation, anticipated to be adopted in 2015, has recently been approved by the Committee on Civil Liberties, Justice and Home Affairs. The Regulation is designed to replace the existing Data Protection Directive (95/46/EC) and to bring European law in line with rapid technological developments and globalisation. The maximum penalty for serious breach of the Regulation in that draft is a fine of up to €100 million or 5% of global annual turnover, whichever is greater.

This is in line with the USA, where recent fines have been on a far greater scale. The US fines were imposed on Google for falsely representing to Safari users that it would not set tracking cookies or serve targeted advertising. Google has (to date) been fined US$39.5 million in penalties and settlements with public authorities in the US, including a US$22.5 million civil penalty issued by the Federal Trade Commission and a US$17 million settlement with 38 US State Attorney Generals. Furthermore, Google is also subject to a significant number of other class actions or concurrent private claims in America.

This decision by the English High Court reflects growing international concern regarding the activities of entities that operate across multiple jurisdictions and have so far been able to remain largely protected from claims by individuals outside their domiciled state. If the English courts ultimately rule in favour of the claimants, that would provide a landmark ruling for internet users in England.

Gillie Abbotts, Associate, Michael Simkins LLP

Article Written for World Data Protection Report

1. Vidal-Hall v Google Inc. [2014] EWHC 13 (QB) (available at http://www.bailii.org/ew/cases/EWHC/QB/2014/13.html).
2. Campbell v MGN Limited [2004] UKHL 22.
3. [2008] 1 AC 1.
4. Seager v Copydex Ltd (No. 2) [1969] 1 WLR 809 and Dowson & Mason Ltd v Potter [1986] 1 WLR 1419.
5. Kitetechnology BV v Unicor GmbH Plastmaschinen [1995] FSR 795 at para. 40.
6. [2008] EMLR 679 at paras 216 and 235-236.
7. Douglas v Hello! (No. 3) [2006] QB 125.
8. Johnson v MDU [2007] EWCA Civ 262.
9. [2007] EWCA Civ 446.
10. Ambrosiadou v Coward [2011] EWCA Civ 409.
11. Opinion 1/2008 on data protection issues related to search engines (WP148) at page 7.
12. Ibid., page 8.
13. European Commission Directorate-General Justice, Freedom and Security: Comparative Study of Different Approaches to the New Privacy Challenges, In Particular In the Light of Technological Developments (Contract Nr: JLS/2008/C4/011 -30-CE-0219363/00-28), Country Studies (Douwe Korff, Editor).
14. Jameel v Dow Jones & Co. Inc. [2005] QB 956 at para. 50. 
15. Deliberation No. 2013-420, Commission Nationale de l’Informatique et des Libertés, 3 January 2014 (http://www.cnil.fr/fileadmin/documents/en/D2013-420_Google_Inc_EN.pdf).
16. Agencia Espanda de Proteccion de Datos released this information note regarding its decision on 19 December 2013 (http://goo.gl/QXPriY).