Should privacy protection extend to compensate me for ‘distress’ suffered from the aggregation of my browser-generated information without my consent, so as to enable third-party advertising to be targeted at me – which in turn is viewable by others, on my device screen?
In March 2015, the English Court of Appeal ruled that three individuals may bring claims against Google for misuse of their private information and breach of the UK’s Data Protection Act 1998 (DPA). Although this decision only arose because of the need to serve a claim form in the US outside English jurisdiction, it addresses a considerable number of contentious questions surrounding online behavioural advertising and the scope of UK data protection rules and other areas of English law related to the protection of online users’ privacy interests.
First for a brief summary of the facts, the England-resident individuals are pursuing joint proceedings against Google for circumventing the security setting of their Apple’s internet-accessing devices so it could install cookies on their ‘Safari’ internet browser. Since 2011, all versions of Safari made by Apple have been set by default to block third party cookies, that is, cookies planted by parties other than the owner of the website a user visits. However, Apple implemented a number of specific exceptions so as not to prevent the use of certain popular web user-functionality – such as Facebook’s ‘like’ button – on its browser. Google is said to have exploited one of those exceptions, enabling it to track the users’ online behaviour when they used various Google searches during a 9-month period on their Apples devices, despite publicly stating that such activity could not be conducted unless Safari users gave their consent.
More particularly, the allegations centre upon the effect that Google’s ‘DoubleClick ID’ cookies –a type of third-party cookie collecting information from online users who visit websites on which certain subscribing advertisers are present – were stored on users’ devices despite the default privacy settings. The users argue that this allowed the internet giant to collect and ultimately aggregate browser-generated information (BGI) about them – including potentially very sensitive personal information about their interests and pastimes – without their knowledge or consent and to their detriment. Furthermore, because the cookie value of a DoubleClick ID cookie is unique, Google could aggregate the information it received from different advertisers about an individual user’s visit to non-Google websites to create a very detailed profile of their browsing habits. Consequently, the group of users are seeking damages and an account of profits against Google. The damage suffered is claimed to arise, not only be virtue of the fact that their BGI was collected by Google without consent, but also because that data was processed specifically to enable advertising to be targeted at users on their devices. In turn, readers of their device screens could then could infer connections between characteristics associated with displayed online targeted advertising and project them to the users (rightly or wrongly).
To understand the importance of the issues discussed in this ruling, we need to go back to 2013 when the claimants were granted permission to serve their claim form upon Google in the US. [To note, Google settled with the Federal Trade Commission and state attorneys general in the US for more than $22.5 million and $17 million respectively.] Google applied to the High Court later that year for an order declaring that an English court has no jurisdiction to try the claims and should therefore set aside service.
Notwithstanding, the High Court ruled in 2014 that the claimants did indeed have a good arguable case for the purposes of the rules governing service out of the jurisdiction, that there was a serious issue to be tried in respect of the merits of each claim, and that England was the appropriate forum to bring the claim. Some of the most interesting parts of the High Court’s reasoning related to the first two factors are summarised below.
Claims put forward on the facts
The High Court considered the following claims under English law:
- Misuse of private information – The High Court confirmed that the claimants have an arguable claim against Google under the tort of misuse of private information (a tort that permits damages being awarded as of right). This tort requires that information is wrongly disclosed by another about which a person has a reasonable expectation of privacy (either because the information is evidently private, or because it would give substantial offence to a person of ordinary sensibilities placed in similar circumstances).
- Breach of data protection rules – The High Court also found that the users might have a claim against Google under section 13 of the DPA, which entitles individuals to compensation from data controllers for ‘damage’ caused by any breach of the DPA in relation to the processing of their personal data.
In relation to both causes of action, the High Court discussed the concept of ‘damage’ that the claimants argued that they have suffered, and therefore were entitled to be compensated for, because of Google’s actions. For example, the High Court dismissed Google’s claim that damages for distress was only recoverable under the DPA if pecuniary loss had also been suffered (according to section 13(2)). The Judge (Tugendhat J) took the view that ‘damage’ should be given its natural and ordinary meaning and each of the claimants had a sufficiently arguable case – in line with Article 23(1) of the Data Protection Directive – that they had suffered sufficiently serious damage because of Google’s actions, despite not alleging significant physical or economic harm.
Serious legal issues to be tried on the merits
The High Court ruling also found that there was a serious issue in law to be tried on the legal and factual merits of the claim, countering arguments by Google that:
- The BGI collected about the claimants was not private when looked at in isolation as each individual piece of information was anonymous and the aggregation of those pieces did not make the information private; and,
- The BGI was not ‘personal data within the meaning of the DPA because Google kept it segregated from any information held by it from which a user was potentially ‘identifiable’ by name to it (e.g. by reference to the account-subscriber information provided to set up a Gmail email address).
Tugendhat J discounted the first argument on the basis that “it was unlikely that Google would collect and collate information unless doing so enabled it to produce something of value”. Regarding the second argument, the fact that Google itself did not identify any of those from whom it collected information did not change that fact that some claimants might have been identifiable, agreed the Court, such as to third-party viewers of their devices. See Article 2(a) and Recital 26 of the Data Protection Directive – as well as section 1(1) of the DPA – on the importance of the notion of ‘identifability’ to the legal definition of personal data. In other words, identifiability of the complainants from data relating to them by virtue of Google’s actions was deemed potentially expandable to identifiability by others viewing their device screens as persons with characteristics of a type that could be inferred from the targeted advertisement displayed there. In other words, it was arguable that the BGI could still be personal data even if Google did not know who it related to and Tugendhat J felt that these questions should be settled at trial.
The High Court’s findings were upheld on each of these points upon Google’s subsequent appeal of that ruling to the Court of Appeal. In particular, the Court of Appeal concluded that Article 23 of the Data Protection Directive does not distinguish between pecuniary and non-pecuniary loss and that it would be strange to hold otherwise, particularly in light of the fact that privacy rights enforcement under Article 8 of the ECHR permits recovery of non-pecuniary loss. On the issue of whether there is a serious issue to be tried that the BGI is personal data under the DPA, the Court of Appeal agreed with the High Court that the issues raised were not clear-cut and the issue was best left for full argument at trial. For example, the Court of Appeal was also not persuaded by Google’s arguments that it did not intend to amalgamate the other information that it held with the BGI and could not, therefore, identify the individuals from the BGI alone. The Court deliberated upon the claimants’ counter-arguments that the BGI enabled Google to “single out” users and this was sufficient for the claimants to be deemed identifiable and found, in any event, that an approach that takes into account the knowledge of third parties in relation to the potential identification of the claimants was not “plainly wrong”.
The case will now proceed to full trial unless Google applies to, and is successful in front of, the final avenue of appeal under English law, the Supreme Court. In the meantime, the judgements are ground-breaking to the extent that they question long-held beliefs about the way in which the right to privacy and data protection have been viewed by the English courts and the law’s treatment of the collation of (often highly private) information through clandestine online tracking processes and subsequent use of that information. A decision that damages for privacy harm can include emotional distress alone could have far-reaching effects on compensation claims in the UK (see, e.g., the Moseley case discussed in Sophie’s recent post), including opening the door to more English lawsuits regarding misuse of private information and DPA actions. While individual claims related to distress from, say, other Safari users may not materialise because of the modest amounts of compensation being claims, the use of collective damages actions by consumer groups (such as ‘Which?’) for privacy infringements would undoubtedly become more popular in the UK. Online advertisers and service providers have another reason to view this case with wariness if pseudonymised behavioural data collected by third-party cookies – i.e. data singling out an individual but not connected to other information directly identifying that individual – is deemed personal data. This would introduce a wider definition of personal data – and, thus, the ambit of data protection rules – than ever previously acknowledged by the English courts.