30 March 2015

Google on the rack for Do Not Track

Google has suffered a double whammy at the hands of the Court of Appeal in a judgment with potentially far-reaching implications for the UK's data protection and privacy landscape.

The case concerned Google's controversial use of code in the period between summer 2011 and February 2012 which had the effect of bypassing the privacy settings of Apple's Safari browser.  

By default, those settings prevented the installation of third-party cookies. However, Google had developed a workaround which allowed Doubleclick tracking cookies for its AdSense advertising network to be placed on users' devices, which in turn led to thirty-party ads being served up to those devices tailored to users' browsing habits.

In the US, the practice led to a record fine against Google of $22.5m by the Federal Trade Commission.

And in the UK, 3 individuals launched a test case against the search giant, claiming, among other relief, damages for distress and anxiety. In particular, the Claimants asserted they had suffered on finding out that ads were being targeted at them, or that, as a result of such targeted ads, their personal preferences (as disclosed by their browsing habits) might come to the attention of family members or friends using their devices or seeing the targeted ads on their screens.  

The High Court had already ruled last year that Google, Inc. (a US corporation) could be served out of the jurisdiction and, therefore, sued in England: at least in respect of claims for misuse of private information and breach of the duty to comply with the Data Protection Act 1998 (DPA),   

The judge did not decide the merits of the claims, but he did decide there were serious issues to be tried which permitted the claims to proceed. In respect of the DPA claims, those issues included (1) whether the type of information collected by Google was personal data under the DPA, and (2) whether damages for distress and anxiety  could be claimed in the absence of any financial loss.

And the Court of Appeal has now upheld that decision, throwing out Google's appeal.  

The Court agreed there was a serious issue to be tried as to whether browser-generated information, such as IP addresses, could be personal data under the DPA. 

But the Court went one step further in relation to the question of damages. Notwithstanding that the DPA expressly provides that damages for distress cannot be claimed in the absence of financial loss, the Court ruled that this provision was incompatible with EU law and, at a stroke, disapplied it.

Whether or not the 3 individuals in the test case will establish distress remains to be determined. So too does the amount of damages, if any, bearing in mind none of the individuals claim to have been shunned or discriminated against as a result of others viewing 3rd party ads on their devices. 

However, the implication of this latest decision is that it has now become significantly easier to bring a claim for damages under the DPA without the need to prove financial loss, and that the floodgates may now open. It is not just Google in the firing line, but any other business who has failed to process personal data fairly and lawfully under the DPA.

Watch this space.

No comments:

Post a Comment