Wednesday 29 April 2015

Has Data Protection just got more teeth?

The recent Court of Appeal case of Google Inc v Vidal-Hall & Others made some important decisions on data protection issues.  But how much difference will they actually make in practice?

The case arose out of Google's "Safari workaround". Apple's Safari web browser was supposed to block cookies by default, unless the user opted to accept them. However Google exploited a loophole to enable its DoubleClick Cookie to circumvent this and track Safari users' browsing behaviour in order to deliver targeted advertisements. Google did not make its Opt Out Cookie available to Safari users with Browsers, and publicly stated that because Safari was set by default to block third party cookies, the default privacy settings would have the same effect as the Opt Out Cookie if the user didn't change them. Following the discovery of Google's Safari workaround, three aggrieved Apple users who obviously valued their privacy brought this case in the English courts and sought permission to serve proceedings on Google in California.

Google objected to the jurisdiction of the English courts, and this case therefore concerned preliminary issues as to whether the claimants would be allowed to pursue their case against Google. The case has not been finally decided.

The data protection points that were decided by the Court of Appeal were:
  1. The claimants could claim damages for the distress they had suffered without having to show any pecuniary loss.
  2. There was a serious issue to be tried as to whether the browser-generated information ("BGI") was personal data, even though it did not identify the users by name.
Point 1 is important as it potentially gives some real teeth to the Data Protection Act.  The Act can be enforced by the UK Information Commissioner taking action against the offending data controller or by the affected data subjects claiming damages direct under section 13 of the Data Protection Act 1998.  Whilst the Information Commissioner can impose serious penalties, his is a public office with limited resources which realistically will concentrate on the most serious offenders.  The data subjects could number many thousands, and if they could all bring claims for a data breach (perhaps by a class action or if the claims farmers get involved) this could be a serious potential liability for a data controller in terms of damages and legal costs.

The problem with such claims is that the data users often do not suffer any financial loss.  The real damage they suffer is distress due to the invasion of their privacy.  But section 13(2) of the Data Protection Act provides that in order to claim damages for distress the claimant must also have suffered "damage by reason of the contravention" or the data processing must have been for one of the "special purposes" (being journalism, artistic or literary purposes).  The Google claimants were not seeking any damages for financial loss and the special purposes did not apply.

The Court of Appeal decided to invoke Article 47 of the Charter of Fundamental Rights of the European Union (the right to an effective remedy and a fair trial) in order to "disapply" Section 13(2) because it denied the claimants an effective remedy for the breach of their rights under Articles 7 (the right to respect of private and family life, home and communications) and 8 (the right to the protection of personal data).  The claimants were therefore free to pursue claims for damages for distress alone.

Whilst this is a significant development (and shows the primacy of EU over domestic law, at least where fundamental rights are concerned), it doesn't make that much difference in practice, as the courts had previously applied their own "workaround" to s13(2) by first awarding nominal damages of £1 and using that to ground a claim for distress under s13(2) - as the cases cited in the judgment demonstrate.  The real difference in my opinion is the publicity this high profile case may give to the possibility of distress claims being made.  Companies that previously took a relaxed attitude to their use of cookies may now wake up to the potential liabilities they may incur, and aggrieved users may be more willing to "have a go" at them.  However damages for distress are still likely to be modest (a few hundred pounds is more likely than thousands), so the costs of pursuing claims will still be a significant deterrent to most claimants.

Point 2 is important as it goes to the very issue of what is "personal data".  Many websites and apps track users' behaviour in order to deliver their service or provide more personalised results, and they are not always explicit about obtaining their users' informed consent as to what is going on behind the scenes.  Section 1 of the Data Protection Act defines personal data as relating to an individual who can either (a) be identified from the data itself or (b) is "identifiable" from the data and other information which is in the possession of, or is likely to come into the possession of the data controller.  The Court of Appeal emphasised that a person does not have to be identified by name - there may be other "identifiers" that single out the individual and distinguish them from others.  Nor did it make any difference that Google did not actually identify the users by putting the data together with other information in its possession (e.g. gmail accounts).  But the Court did not make a final decision on these points.  All it decided was that these issues were "not clear-cut or straightforward" in relation to the BGI in the case, and that the matter should therefore proceed to a trial.  We must therefore wait for the final decision (assuming it is not settled beforehand or appealed afterwards) for more guidance on this issue.  However the judgment does give a clear indication that, however the law may apply in this particular case, "identified" and "identifiable" do not just mean by name.  The providers of websites and apps should bear this in mind - especially given that claims for breach may now have more teeth.


Tuesday 7 April 2015

Consumer Rights re Digital Content

It has long been a tricky legal question whether software counts as "goods" or "services".  The distinction matters for a number of purposes, including that different terms are implied by law in contracts for the supply of goods and contracts for the supply of services.

The new Consumer Rights Act 2015 (the "Act") sidesteps the question by creating an entirely new category of "digital content" and stating exactly what terms are implied into a contract for the supply of digital content.  However, the Act only applies to a contract between a "trader" and a "consumer" and the key terms are only implied if the consumer pays for the digital content.  So for business to business ("B2B") contracts or contracts for genuinely free content, the old law still applies.  But where the Act does apply, businesses will need to review their terms and conditions.

The relevant provisions of the Act are expected to come into force on 1 October 2015 and there is some excellent guidance produced by the Trading Standards Institute here, which I will not repeat in detail.

In summary "digital content" is widely defined as "data which are produced and supplied in digital form", which the guidance explains includes:
  • computer games
  • virtual items purchased within computer games
  • television programmes
  • films
  • books
  • computer software
  • mobile phone apps
  • systems software for operating goods - for example, domestic appliances, toys, motor vehicles, etc.
There are implied terms that the digital content must be:

  • of satisfactory quality
  • fit for a particular purpose
  • as described
These terms are subject to some limitations, which are explained in the guidance.  The consumer's remedies for breach of these terms are initially the right to repair or replacement, and then the right to a price reduction if this is not practical.

The trader cannot contract out of these implied terms.  This all sounds like a big change, but the reality is that the scope to contract out of liability to consumers is already severely limited by the Unfair Terms Act 1977 and the Unfair Terms in Consumer Contracts Regulations 1999, and the sort of digital content covered would probably have been considered "goods" under the existing law and therefore subject to equivalent implied terms and remedies in any event.  The Act therefore really just clarifies the legal position - which is important as it helps prevent unscrupulous traders taking advantage of the legal "grey area" to deny consumers their rights and deter them from seeking a remedy.

Standard terms and conditions for business to consumer ("B2C") contracts will need to be reviewed for consistency with the new law, especially if it was assumed that the terms implied in a contract for the sale of goods did not apply.  If one of the exceptions or limitations described in the guidance is applicable, it would be helpful to spell this out.  For example the guidance explains that "Most computer systems' software, games and apps have minor defects that are corrected over time with fixes or upgrades. Therefore a 'reasonable person' might expect the defects to be present and judge any items containing them to be of satisfactory quality."  This is something that suppliers may well wish to highlight in their Ts & Cs.

There is more scope for excluding liability in a B2B contract, but standard terms must still satisfy the test of "reasonableness" under the Unfair Terms Act 1977.  Will a statement that no term shall be implied as to satisfactory quality, fitness for purpose or correspondence with description be considered "reasonable" by a Court given that such terms are now clearly implied in consumer contracts, or will a more nuanced approach to the drafting be more likely to be upheld?