Posted by Alexander Hanff on March 27, 2015.
Where to start…
For those who are unaware, in February 2012 Jonathan Mayer (a researcher at Stanford’s Center for Internet and Society) discovered that Google were circumventing privacy settings in Apple’s Safari web browser.
Mayer alleged that Google deliberately exploited a feature in Safari to bypass privacy settings designed to block third party cookies and referenced Google’s own web site which instructed users to use the setting if they wished to block Google tracking cookies.
In February 2012, the UK’s Information Commissioner’s Office announced they were investigating whether or not Google had broken UK law – specifically the Data Protection Act and the Privacy and Electronic Communications Regulations but to date have failed to take any enforcement action against Google.
In August 2012, the Federal Trade Commission (FTC) announced that Google had agreed to pay a fine of $22.5M for violation of its Control Order (a legal commitment placed on Google by the FTC for previous privacy violations) – the largest ever fine issued by the FTC for breach of a control order.
In January 2013, Olswang LLP sent a Letter Before Action to Google UK and Google US informing them of their intent to file a lawsuit on behalf of 12 claimants in the UK. Olswang stated the case would become a Group Action (similar to class action in the US) and invited all members of the UK public who were using the Safari Browser during the six month period (September 2011 – February 2012), to come forward and join the action. With an estimated 10 million Safari users in the UK at the time, this group action had the potential of becoming the largest ever group action filed in the UK and furthermore the largest privacy complaint ever to be heard in UK courts.
However, given that Google Inc. are based in California in the United States, Olswang first had to seek the approval of the High Court in the UK to issue proceedings against Google Inc. in the UK courts. Google argued that because the data was processed in the United States, they were beyond the jurisdiction of the UK courts. On January 16th 2014 Mr. Justice Tugendhat ruled in favor of Olswang and created a new Tort under UK law for the Misuse of Private Information.
As expected Google moved to appeal the decision and this week the Court of Appeal in the UK issued their judgment on the matter. I could end the article here explaining that Google lost the appeal and that UK citizens are now free to sue Google for the circumvention of Safari privacy settings as per the original intent of Olswang. But the judgment issued by the Court of Appeal is perhaps one of the most important rulings for privacy and data protection in the UK since the Data Protection Directive (95/46/EC) was transposed into UK law. So I would like to talk more about the significant points of the judgment which are set to change the way privacy cases are handled in the UK from this point forward.
Before doing that, let me also acknowledge that it is highly likely Google will apply to the Supreme Court in the UK to appeal the judgment – however, given the comprehensive and incredibly strong arguments issued by the Court of Appeal, it is my personal opinion that Google will lose such a challenge in the Supreme Court as well.
Now to the judgment…all 49 pages of it.
Paragraph 1 of the Judgment perfectly summarises the case so I will simply quote it verbatim:
The appeal in this case raises two important issues of law. The first is whether the cause of action for misuse of private information is a tort, specifically for the purposes of the rules providing for service of proceedings out of the jurisdiction. The second is the meaning of damage in section 13 of the Data Protection Act 1998 (the DPA); in particular, whether there can be a claim for compensation without pecuniary loss.
and Paragraph 13 lists the specific points of the appeal:
- Whether misuse of private information is a tort for the purposes of CPR PD 6B para 3.1(9);
- The meaning of damage in section 13 of the DPA, in particular, whether there can be a claim for compensation without pecuniary loss;
- Whether there is a serious issue to be tried that the BGI is personal data under the DPA; and
- Whether in relation to the claims for misuse of private information and under the DPA there is a real and substantial cause of action.
Whether misuse of private information is a tort for the purposes of CPR PD 6B para 3.1(9)
In short, Google’s QC (Mr. White) argued that the original judgment by Mr. Justice Tugendhat which created the Tort for Misuse of Private Information was wrong under law and that the Court were bound by an earlier judgment which classified the matter as a Breach of Confidence as opposed to Misuse of Private Information.
The Court assessed Mr. White’s claims and looked at various case law including Douglas vs Hello! (which Mr. White was relying on) and concluded:
We accept that the decision in Kitechnology would be binding on us if the cause of action for misuse of private information were an action for breach of confidence. But for the reasons already given, it is not.
We come back then to the question we have to decide. Against the background we have described, and in the absence of any sound reasons of policy or principle to suggest otherwise, we have concluded in agreement with the judge that misuse of private information should now be recognised as a tort for the purposes of service out the jurisdiction. This does not create a new cause of action. In our view, it simply gives the correct legal label to one that already exists. We are conscious of the fact that there may be broader implications from our conclusions, for example as to remedies, limitation and vicarious liability, but these were not the subject of submissions, and such points will need to be considered as and when they arise.
This is particularly important because it deals with out of jurisdiction issues – that is to say the right of UK citizens to file suit against Google in the UK as opposed to the US, which as you can imagine most people would never be in a position to do.
The meaning of damage in section 13 of the DPA, in particular, whether there can be a claim for compensation without pecuniary loss
The discussion and decision on this point of the case is without doubt some of the most significant interpretation of law with regards to data protection and privacy that we have ever seen in the UK. Google argued that under the Data Protection Act there was no support for damages as a result of distress (except for some very special circumstances explicitly mentioned in the Act) and that because the plaintiffs had suffered no material damage and did not meet the requirements of the special circumstances for distress that there was no merit in the case and therefore it should be dismissed.
However, the Court of Appeal not only disagreed, but rewrote UK law on the grounds that the Data Protection Act was not compatible with the Data Protection Directive (95/46/EC):
We cannot, therefore, interpret section 13(2) compatibly with article 23.
They went on to explain that despite the fact that Parliament had made very explicit reasons for the types of damage that were covered – they had provided no reasoning for the exclusion of general distress or “moral damage” and as such the Court had no choice but to take the position that the DPA was not compatible and that a judgment must be made in line with Article 23 of Directive 95/46/EC with support from Article 47 of the EU Charter of Fundamental Rights.
The significance of this decision cannot be overstated. As a privacy advocate, one of the biggest hurdles I have been faced with when filing complaints with the Information Commissioner’s Office (ICO) in the UK has been that of damage. In every single case I have filed with the relevant authorities in the UK the decision to take no action has always hinged on the argument that there was no damage. In cases I have filed with ICO (Google’s WiFi scandal, Phorm and many others) they have always used this argument of damage – the same with the Crown Prosecution Service (CPS) over a criminal complaint I filed against Phorm for criminal breaches of the Regulation of Investigatory Powers Act (RIPA) – again the CPS argued it would not be in the public interest to pursue a prosecution because there was no “damage”.
With this decision from the Court of Appeal, we now have a precedent that states simply that a misuse of private information is in and of itself a damage – and this is what I have been arguing for nearly a decade. The mere act of abuse of a fundamental right is a damage because, whether or not there is any material loss, fundamental rights are an essential foundation of our society and any attack on those rights damages society at a core level.
The decision also acknowledges the “horizontal effect” which I first wrote about in a paper on Phorm back in 2008 – the Court of Appeal argues that:
As this court stated in Benkharbouche at paras 69 to 85, (i) where there is a breach of a right afforded under EU law, article 47 of the Charter is engaged; (ii) the right to an effective remedy for breach of EU law rights provided for by article 47 embodies a general principle of EU law; (iii) (subject to exceptions which have no application in the present case) that general principle has horizontal effect; (iv) in so far as a provision of national law conflicts with the requirement for an effective remedy in article 47, the domestic courts can and must disapply the conflicting provision; and (v) the only exception to (iv) is that the court may be required to apply a conflicting domestic provision where the court would otherwise have to redesign the fabric of the legislative scheme.
The impact of this decision is far reaching for UK citizens and could see the dawn of a new movement to enforce privacy rights against big data companies such as Google in the future. It will be interesting to see how the Information Commissioner’s Office react to this decision.
Whether there is a serious issue to be tried that the BGI is personal data under the DPA
The matter of damages was not the only game changing decision in the Judgment. Another issue we have faced in the UK has been the incredibly strict definition of Personal Data that has been used by the Information Commissioner’s Office with regards to privacy cases. Until now, it has been the position of ICO that personally identifiable information is restricted to that which can be used to identify a person by name. ICO will argue this is not the case, but the fact is every case that has been brought before them (to my knowledge) where IP addresses have been used as the identifier has been discarded by ICO on the grounds that they were not personally identifiable. This is despite official opinion issued by the Article 29 Working Party (of which ICO is a member) and Court of Justice of the European Union decisions to the contrary (SABAM vs Scarlet, SABAM vs Netlog).
The Court of Appeal have displayed an incredibly acute understanding of this issue in their decision and have ruled based on the Article 29 Working Party Opinion 4/2007:
We think the case that the BGI constitutes personal data under section 1(1)(a) of the DPA is clearly arguable: it is supported by the terms of the Directive, as explained in the Working Party’s Opinion, and the decision of the ECJ in Lindqvist. The various points made by Mr White in response do not alter our view. The case for the claimants in more detail is this. If section 1 of the DPA is appropriately defined in line with the provisions and aims of the Directive, identification for the purposes of data protection is about data that ‘individuates’ the individual, in the sense that they are singled out and distinguished from all others. It is immaterial that the BGI does not name the user. The BGI singles them out and therefore directly identifies them for the purposes of section 1(1)(a) of the DPA having regard to the following:
- BGI information comprises two relevant elements: (a) detailed browsing histories comprising a number of elements such as the website visited, and dates and times when websites are visited; and (b) information derived from use of the ‘doubleclick’ cookie, which amounts to a unique identifier, enabling the browsing histories to be linked to an individual device/user; and the defendant to recognise when and where the user is online, so advertisements can be targeted at them, based on an analysis of their browsing history.
- Taking those two elements together, the BGI enables the defendant to single out users because it tells the defendant (i) the unique ISP address of the device the user is using i.e. a virtual postal address; (ii) what websites the user is visiting; (iii) when the user is visiting them; (iv) and, if geo location is possible, the location of the user when they are visiting the website; (v) the browser’s complete browsing history; (vi) when the user is online undertaking browser activities. The defendant therefore not only knows the user’s (virtual) address; it knows when the user is at his or her (virtual) home.
The Court of Appeal believe there is indeed a need to address this at trial and if the trial determines that the Article 29 Working Party definition is correct, it will change the way privacy cases are handled in the future – expanding the current definition to include any information which can be used to single out an individual amongst others – as opposed to being able to directly name them.
Of course it is difficult to see how the trial judge could come to any other decision as the mentioned case law in SABAM vs Scarlet and SABAM vs Netlog (in which the CJEU confirmed IP addresses to be personally identifying) should be binding and when coupled with the Article 29 Working Party opinion – it would seem ludicrous for a decision which doesn’t follow this path.
Whether in relation to the claims for misuse of private information and under the DPA there is a real and substantial cause of action
Now typically, damages awarded for privacy claims are insignificant and this was the argument that Google brought forward along with their claims that such a case would cost them $1.2M in legal fees. The Court of Appeal was quick to dismiss such claims:
the damages may be small, but the issues of principle are large.
Interestingly, the Court raised another very valid, topical and intelligent point with regards to the importance of the rights of the individual and how the misuse of private information can be damaging, citing an Article 29 Working Party opinion from 2008:
“The extensive collection and storage of search histories of individuals in a directly or indirectly identifiable form invokes the protection under article 8…An individual’s search history contains a footprint of that person’s interests, relations and intentions. These data can be subsequently used both for commercial purposes and as a result of requests and fishing operations and/or data mining by law enforcement authorities or national security services.”
Given the revelations of Edward Snowden over the past 20 months, this observation could not be more relevant, especially given Google’s alleged participation in the National Security Agency’s (NSA) PRISM programme which allegedly accessed Google’s (and others’) infrastructure to obtain vast amounts of data on European citizens.
I have been following the case since it began and have run a web site for Olswang to help raise awareness and spread news about the lawsuit as well – so I am incredibly happy to see this ruling from the Court of Appeal. Not just because it paves the way for UK citizens to seek justice for the intentional abuse of their privacy in the Safari cookies matter, but because of the impact this ruling will have on future privacy cases in the UK. ICO are known as a toothless regulator and I have often referred to them as being under regulatory capture – this judgment *should* make it much easier for UK citizens to force ICO to take action in cases where they have historically refused to. It has confirmed Misuse of Private Information as a Tort; it has rewritten UK law to force compliance with the Data Protection Directive (Article 23) on the basis of Moral Damage (distress) and it has rightfully opened up the opportunity to expand the definition of Personal Data at trial, to be more relevant with modern technology and processes. This was a great judgment for UK privacy that goes far beyond the Google Safari case.