Who: Google Inc, Judith Vidal-Hall, Robert Hann, Marc Bradshaw and the Information Commissioner’s Office
Where: Court of Appeal, High Court of Justice, London
When: March 2015
Law stated as at: 14 April 2015
The Court of Appeal has handed down a judgment which for the first time sheds light on the proper interpretation of key provisions of UK data protection law.
The decision is particularly authoritative because it benefited from submissions on behalf of the Information Commissioner’s Office as Intervener in the proceedings. Its implications could also make life very much more difficult for advertisers who fail to comply with data protection laws.
In the case, Google, Inc of California was trying to persuade the English court to throw out a case brought against it in the London High Court by three English Apple device users (the “Claimants”).
The Claimants claimed damages for distress and other relief. The claim was based on an allegation that Google had misused the Claimants’ private information and broken the Data Protection Act 1998 by using the Claimants’ online browsing data, without their knowledge or consent, to serve “targeted” ads to their devices’ screens.
The underlying conduct occurred in 2011 and 2012 and involved the Claimants’ use of the Safari web browser being tracked by use of a cookie. This was despite Google having made public pronouncements that “do not track” technology was being used to prevent this without an opt-in. In subsequent class actions in the US, Google denied liability but settled on the basis of multi-million dollar payments to state attorneys general.
In the Claimants’ High Court claim, the court’s permission was needed to serve the proceedings on Google, Inc out of the jurisdiction in California. Google opposed, saying that the California courts were best placed to deal with the Claimants’ case. The English first instance judge disagreed and so did the Court of Appeal.
The key findings of the Court of Appeal were as follows:
1. “misuse of private information” should be recognised as a tort, something which up until that time the authorities had not been clear on. This finding was crucial as it meant that the English courts could have jurisdiction provided the Claimants could also establish that they had suffered “damage” that either was sustained in the High Court’s jurisdiction or resulted from an act committed in its jurisdiction;
2. the UK Data Protection Act 1998 (“DPA”) is incorrect (yes, incorrect) when it lays down at section 13(2) that compensation can only be awarded for distress if pecuniary damage is also established. By imposing this requirement, the DPA had not effectively transposed Data Protection Directive 95/46/EC and the Court must therefore disapply s.13(2);
3. there is a strong case to answer that online behavioural data of the kind collected by cookies (“browser generated information” or “BGI”) is “personal data” even though the browsing individual may not be identifiable from the BGI by name. This is because, the Appeal judges said, it is all about whether the BGI “individuates” the user, in the sense that he or she is singled out and distinguished from all others; and
4. the first instance judge was not “plainly wrong” to have regard to the potential identification of the Claimants by third parties such as members of their families who might use the Claimant’s device, see behavioural ads on the screen and assume they resulted from the Claimant’s personal preferences. The Claimants argued that this was processing of their “personal data” by Google which caused the Claimants distress. Google argued that this knowledge of third parties was not “personal data” for which Google could be responsible as data controller. This was because, applying the DPA definition of “personal data” at s.1 (1), this was neither in Google’s possession nor was it likely to come into its possession. The Appeal judges accepted that the issues raised here were not clear cut or straightforward, but decided that the issue should be determined at trial.
Why this matters:
The case will now proceed in the English High Court, subject to any out of court settlement or any application by Google Inc to the Supreme Court for leave to appeal on jurisdiction, a step they will have to take if they wish to take the jurisdiction issue further as the Court of Appeal refused them leave to appeal.
As it stands, the decision is nothing less than groundbreaking.
Just some of its practical impacts for marketers and particularly the increasing ranks of those using “programmatic advertising” (where, based on BGI, machine-to-machine technology sees to it that, microseconds after a web user has arrived at a webpage, a real-time, automated bidding process leads to a targeted ad from the highest bidder appearing on the user’s screen) are:
1. since so many of the leading players in the behavioural and programmatic advertising ecosystems are US-based, the jurisdictional findings fundamentally alter the risk matrix for businesses who might otherwise have assumed they were effectively immune from serious challenge;
2. the finding that s. 13 (2) of the DPA is wrong in requiring that financial damage must be established before compensation for distress can be awarded for breaches of the DPA potentially opens up the floodgates for all marketers who might otherwise have imagined their only real exposure was to enforcement action by resource-challenged regulators;
3. the decision that there is a strong case to answer that BGI is “personal data” potentially renders redundant at a stroke well-established behavioural marketers’ arguments that IP addresses are not personal data, that cookies do not capture “personal data” and that therefore the only regulatory hurdles to be surmounted in this context are the need to obtain “implied consent” to using cookies as per regulation 6 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 as amended and, where third party behavioural tracking technology is in play, the “notice and consent” rules of Appendix 3 to the CAP Code of Non-broadcast Advertising, Sales Promotion and Direct Marketing; and
4. the corollary of #3 is that if BGI is “personal data” and it is not going to be possible to prevent “sensitive personal data” being processed along the way, “explicit consent” could be needed for all online behavioural advertising, programmatic or otherwise, without the need to wait for EU data protection reforms due in force in 2017.