The case arose out of Google's "Safari workaround". Apple's Safari web browser was supposed to block cookies by default, unless the user opted to accept them. However Google exploited a loophole to enable its DoubleClick Cookie to circumvent this and track Safari users' browsing behaviour in order to deliver targeted advertisements. Google did not make its Opt Out Cookie available to Safari users with Browsers, and publicly stated that because Safari was set by default to block third party cookies, the default privacy settings would have the same effect as the Opt Out Cookie if the user didn't change them. Following the discovery of Google's Safari workaround, three aggrieved Apple users who obviously valued their privacy brought this case in the English courts and sought permission to serve proceedings on Google in California.
Google objected to the jurisdiction of the English courts, and this case therefore concerned preliminary issues as to whether the claimants would be allowed to pursue their case against Google. The case has not been finally decided.
The data protection points that were decided by the Court of Appeal were:
- The claimants could claim damages for the distress they had suffered without having to show any pecuniary loss.
- There was a serious issue to be tried as to whether the browser-generated information ("BGI") was personal data, even though it did not identify the users by name.
Point 1 is important as it potentially gives some real teeth to the Data Protection Act. The Act can be enforced by the UK Information Commissioner taking action against the offending data controller or by the affected data subjects claiming damages direct under section 13 of the Data Protection Act 1998. Whilst the Information Commissioner an impose serious penalties, his is a public office with limited resources which realistically will concentrate on the most serious offenders. The data subjects could number many thousands, and if they could all bring claims for a data breach (perhaps by a class action or if the claims farmers get involved) this could be a serious potential liability for a data controller in terms of damages and legal costs.
The problem with such claims is that the data users often do not suffer any financial loss. The real damage they suffer is distress due to the invasion of their privacy. But section 13(2) of the Data Protection Act provides that in order to claim damages for distress the claimant must also have suffered "damage by reason of the contravention" or the data processing must have been for one of the "special purposes" (being journalism, artistic or literary purposes). The Google claimants were not seeking any damages for financial loss and the special purposes did not apply.
The Court of Appeal decided to invoke Article 47 of the Charter of Fundamental Rights of the European Union (the right to an effective remedy and a fair trial) in order to "disapply" Section 13(2) because it denied the claimants an effective remedy for the breach of their rights under Articles 7 (the right to respect of private and family life, home and communications) and 8 (the right to the protection of personal data). The claimants were therefore free to pursue claims for damages for distress alone.
Whilst this is a significant development (and shows the primacy of EU over domestic law, at least where fundamental rights are concerned), it doesn't make that much difference in practice, as the courts had previously applied their own "workaround" to s13(2) by first awarding nominal damages of £1 and using that to ground a claim for distress under s13(2) - as the cases cited in the judgment demonstrate. The real difference in my opinion is the publicity this high profile case may give to the possibility of distress claims being made. Companies that previously took a relaxed attitude to their use of cookies may now wake up to the potential liabilities they may incur, and aggrieved users may be more willing to "have a go" at them. However damages for distress are still likely to be modest (a few hundred pounds is more likely than thousands), so the costs of pursuing claims will still be a significant deterrent to most claimants.
Point 2 is important as it goes to the very issue of what is "personal data". Many websites and apps track users' behaviour in order to deliver their service or provide more personalised results, and they are not always explicit about obtaining their users' informed consent as to what is going on behind the scenes. Section 1 of the Data Protection Act defines personal data as relating to an individual who can either (a) be identified from the data itself or (b) is "identifiable" from the data and other information which is in the possession of, or is likely to come into the possession of the data controller. The Court of Appeal emphasised that a person does not have to be identified by name - there may be other "identifiers" that single out the individual and distinguish them from others. Nor did it make any difference that Google did not actually identify the users by putting the data together with other information in its possession (e.g. gmail accounts). But the Court did not make a final decision on these points. All it decided were that these issues were "not clear-cut or straightforward" in relation to the BGI in the case, and that the matter should therefore proceed to a trial. We must therefore wait for the final decision (assuming it is not settled beforehand or appealed afterwards) for more guidance on this issue. However the judgment does give a clear indication that, however the law may apply in this particular case, "identified" and "identifiable" do not just mean by name. The providers of websites and apps should bear this in mind - especially given that claims for breach may now have more teeth.
No comments:
Post a Comment