Google and privacy onlinelegal obligations

Commercial analysis: Should we expect privacy when browsing the web? Steve Kuncewicz, head of IP & Media at Bermans and member of the LexisPSL Commercial Editorial Board says a landmark privacy case filed against Google may only be the beginning of a string of cases setting out our expectations when using the web.

Original news
Google rejects High Court's authority in privacy case Sunday Times, 18 August 2013: Google says a landmark internet privacy case should not be heard in the High Court as England has no jurisdiction in the matter. A group of UK users is suing the web giant for bypassing security settings on their Apple iPhones and Mac computers. The company's lawyers say users of Google's search engine could not expect their movements to remain private. Arguments will be heard in October 2013.

What is this case about?

Google is no stranger to class action claims relating to its relationship with users, but this is one of the first major actions to be brought against the international giant in the UK courts. It turns on an allegation that Google circumvented Apple's security settings on the iPhone, iPad and desktop versions of its Safari web browser to monitor user behaviour. When news of the case first broke, it was estimated that around 10 million Britons could have had grounds to launch a claim against Google but so far around a hundred users have contacted Olswang (who are acting for the claimants) to discuss joining the claimif enough new claimants come forward, the case has the potential to become the biggest group action in UK history. In February 2012, the Information Commissioner's Office (ICO) announced that they were investigating Google over potential breaches of the Data Protection Act 1998 (DPA 1998) and the Privacy and Electronic Communications Regulations 2003, SI 2003/2426 (the 2003 Regulations). In the absence of any formal action, the claimants have taken the matter into their own hands and forced the issue following a fine of $22.5m in August 2012 for similar violations in the US. The main issue is that users' browsing habits have been tracked without their permission by cookies being placed on their computer without consent and then used to deliver user-targeted advertisements. Google however, have effectively claimed that UK privacy laws and the reach of the UK courts simply do not apply to them, describing the case as 'not serious', saying that 'the browsing habits of internet users are not protected as personal information, even when they potentially concern their physical health or sexuality'. This mirrors a recent statement by Google that users of its Gmail service have 'no reasonable expectation of privacy'.

What issues does this case raise in regards to privacy and confidentiality on the web in the UK?
This case represents the first real use of the recent changes to 'cookie' law by claimants in the UK since the widely-reported changes to the rules in how cookies may be placed onto computers when visiting websites in May 2011. That issue and the fallout from it is worth an article in itself, but the basic issues relate to how the 2003 Regulations cover the use of cookies and similar technologies for storing information, and accessing information stored, on a user's PC, tablet, mobile phone or other computer equipment. The 2003 Regulations do not prohibit the use of cookies, but they do require that users are told about cookies and given the choice as to whether or not to allow them to be downloaded and used to monitor user information, such as browsing habits, to deliver targeted and personalised material over the web.

The changes to the 2003 Regulations in May 2011 saw a shift towards obtaining user consent before cookies were placed onto their systems in an attempt to protect the privacy of web users in an environment where privacy is becoming a serious concern to an increasingly connected public. Even where the information collected about users cannot identify them directly, it would still fall under the remit of the 2003 Regulations. Consent to placing of cookies now needs to be (as defined by DPA 1998) 'any freely-given and informed indication of (his) wishes by which the data subject signifies his agreement to personal data relating to him being processed'it needs to involve some form of communication where acceptance is knowingly indicated, such as clicking on an icon, hence the proliferation of pop-up windows leading to 'information on cookies'. However, against a chorus of disapproval from websites across the EU, implied consent could still be relied upon in certain limited circumstances provided that detailed information as to what cookies are used by the website in question was made available alongside instructions as to how to change user settings to reject them if necessary. Those setting cookies must tell people that the cookies are there, explain what the cookies are doing, and obtain consent to store a cookie on a device. There were certain limited exceptions and the levels to which businesses need to go to comply with the amended 2003 Regulations depend largely on how intrusive the cookie in question is, but the message from the ICO was cleardoing nothing about the changes was not acceptable and use of information on user habits with impunity was not to be tolerated. If Google can be shown to have ignored the 2003 Regulations and, by extension the DPA 1998, then they will face a civil claim to recover any losses sustained as a result and which should be of greater concernpotential enforcement action by the Information Commissioner. In the absence of any real action from the ICO, the claimants here are taking the fight to Google in the hope of holding the trial in the court of public opinion. Google is already seen as having an invasive and pervasive presence in the eyes of some web users, and this claim should help to bring the issue of web privacy to the attention of a wider audiencedo they want to be tracked or to browse with greater anonymity? The information at issue here may only be trivial in the eyes of Google but to many this dispute typifies the slippery slope upon which ever more personal information is harvested to deliver better advertising.

What are the arguments for and against the UK courts as the appropriate forum?
Google has claimed, in the words of some, that UK law simply does not apply to them as they are not based in the UK and argue that this claim should be properly fought in the US Courts. The claim has been brought in the UK as the home country of the claimants in which they receive Google's services and as a result of Google having a 'substantial presence here'. This is a classic 'forum non conveniens' argument, with Google claiming that the US is the most appropriate forum for the dispute to be heard, presumably on the grounds that that is where the case can be most suitably tried in the interests of the parties and the ends of justice. The court will look at a number of 'connecting factors' when deciding which court has the most real and substantial jurisdiction, including: o o o o o territorial connections of the parties location of evidence expense the existence of other cases dealing with similar facts (that may include the Federal Trade Commission (FTC) fine), and the country whose law governs the dispute

This may be where some of the real battles are fought in this case Google claims that without a substantial presence in the UK it simply shouldn't fall under our privacy laws. The claimants are looking to convene a hearing on this point as soon as possible and the decision will be fascinating to observe.

Can Google expect more favourable treatment of its privacy issues in the US or other jurisdictions?
It may well be that Google's stance on privacy would be treated differently in the USA, but it's hard to suggest that it would be treated more favourably there in light of the FTC's considerable fine earlier this year. Certainly, EU and UK

data protection law may well be more draconian than the US equivalents and online behavioural advertising is more of a self-regulated environment but regulatory action in this area is becoming more frequent as time goes on. It would be hard to see how Google could look for a more appropriate forum than the USA in any event, so it would have to hope that the courts there would take a faster and looser approach to privacy.

Would you say there is a trend in this area?

We're certainly seeing a big legislative change towards greater and more stringent obligations on businesses using data in this manner as public awareness over what we share online continues to grow. However, this case in particular will be fascinating to watch as it has the opportunity to set a very interesting precedent if it continues in the UK court. Whether or not this claim represents the voice of the 1% who harbour genuine concerns over web privacy will only be proven over time, but if enough claimants come forward to challenge Google this could be a landmark moment in defining public attitudes towards how their data is used and the continued intrusion of commerce into our free time. Some will have little problem with being served with more relevant content but others will almost certainly objectthat conversation is far better had against a proper knowledge of exactly how much information is mined and why it is used. We may look back on this as the start of a whole string of cases setting out our expectations when using the web. For more details on the jurisdictional side of the case, please see Google and privacy online jurisdiction. Interviewed by Yacine von Welczeck. The views expressed by our Legal Analysis interviewees are not necessarily those of the proprietor.