UK court has Google in crosshairs over Safari tracking
The relationship between the user and Google has always been a symbiotic one - the web company provides a plethora of free services to the consumer and in turn the company gets to access and collect personal data about the user in order to sell to advertisers.
The consumer is given products in order to become the product. This relationship is one of trust and to ensure balance the consumer is given a litany of controls to block Google’s tentacles from going too far into the masses of data that accumulate. Some controls are manual, such as the choice to delete emails as opposed to archiving. Other controls are built into the architecture – like the ability to block cookies from entering into one's computer.
Cookies are small tracking devices that help marketing companies deliver targeted advertising to the user. As a result, when Google circumvents the controls that are hardwired into browsers, breaking the cardinal rule about trust and damaging that symbiotic relationship, lots of bad things can happen. Bad like bad, not bad meaning good. When a group of Apple users got together and sued Google for doing exactly that, it should be foreseeable that a court may rule against them. But this is the internet, where nothing is foreseeable.
Take, for example, Google's challenge to the the court's authority to even hear the case. No-one foresaw the court taking the rare step of inventing a tort to ensure the court has the jurisdictional authority to rule on the matter.
Here we are again. An internet company being sued in the UK offers the defence that the UK's rules on privacy do not apply to a company with its servers in California. But, a UK court claims that the case does fall within the court’s jurisdiction and the case can proceed because Google is alleged to not only have misused private information and violated the country’s Data Protection Act, but breached the complainer’s confidence in doing so.
The case is relatively simple, and to be fair to Google there is still a long way to go. The claimants needed permission to serve proceedings on Google, which is based in the USA. They succeeded in getting a court to grant them that permission and serve their claim forms. As a result of this, Google sought to have that service nullified by seeking an order declaring that the English court had no jurisdiction to try these types of claims.
The claimants argued that Google (a) misused their private information, (b) breached their confidences and (c) breached its duties under the Data Protection Act 1998 – in particular, under the first, second, sixth and seventh data protection principles. The claimants also sought damages and injunctive relief.
With regards to damages, the court stated that “what they claim damages for is the damage they suffered by reason of the fact that the information collected from their devices was used to generate advertisements which were displayed on their screens. These were targeted to their apparent interests (as deduced from the information collected from the devices they used). The advertisements that they saw disclosed information about themselves. This was, or might have been, disclosed also to other persons who either had viewed, or might have viewed, these same advertisements on the screen of each claimant’s device”.
It is important to note that “what each of the claimants claims in the present case is that they have suffered acute distress and anxiety. None of them claims any financial or special damage. And none of them claims that any third party, who may have had sight of the screen of a device used by them, in fact thereby discovered information about that claimant which was detrimental”. This is an important aspect of the ruling as there is a rule that there must have been some financial loss as a result of a DPA breach. If this rule is overturned and a new tort of misusing private information is validated by a higher court it could revolutionise litigation for personal data breaches in the UK.
The court told Google: “We reject your argument that would require UK citizens to travel to California to take a privacy case,” and, of course, there is a moral argument that says Google should not be able to evade responsibility for privacy violations simply because of where its servers are located. But the question will remain about whether or not the US courts will validate any judgement that arises out of the appeal.
Had Google been successful in its claim for a change in jurisdiction it would have meant that the Californian definition of “Personal Identifiable Information” would apply to UK citizens. Instead, it is arguable that the personal data in the case was processed in the UK, since the data subjects whose privacy has been invaded reside in the UK, and since Google is established in the UK it is only fit and proper that the case should be subject to the UK’s Data Protection Act.