Google will today argue that the UK Court of Appeal has no jurisdiction over the collection and use of data by the search engine, even when it relates to UK consumers. Further, it is also seeking leave to appeal on a ruling that its data collection practices had caused damage and were a serious issue for the courts to consider. In a significant twist to a two-year legal argument, the Information Commissioner has made a last-minute application to intervene in the case.
The appeal relates to the so-called “Safari workaround” which Google developed when Apple shipped a version of the browser with the default set to block third-party cookies. Following complaints in the US, the Federal Trade Commission ordered Google to stop circumventing these settings, leading to a £13.8 million fine when it failed to do so. Another claim was settled for £10.5 million.
Three UK consumers, members of the Google Governance Campaign, then brought claims in the UK for breaches of the Data Protection Act 1998. Permission was sought to serve an injunction in California, where Google is headquartered, using over-arching legal frameworks known as “gateways”. In December 2013, a judge ruled that there was a case to answer under the DPA, but no jurisdiction to serve an injunction. Google is now seeking leave to appeal the decision that it has a case to answer in the UK about the way it captured data on users of Apple’s software.
According to Dan Tench, partner at law firm Olswang, which represents the individual claimants, said: “The Court of Appeal hearing will decide whether British consumers actually have any right to hold Google to account in this country. This is the appropriate forum for this case: here in England where the consumers used the internet and where they have a right to privacy.”
Tench added: “Google clearly does not want to answer to the English courts. Instead it relies on highly technical, but flawed, arguments to seek to overturn the High Court’s decision to allow this case to proceed. They have given no principled explanation as to why the rules should be interpreted to prevent these types of claims to be taken against overseas defendants.”
Two weeks before the case was due to come before the court, the ICO submitted grounds to intervene with written and oral submissions, given the bearing of the case on whether breaches of the DPA are a serious issue and can be considered damaging, since no pecuniary loss was suffered by the complainants.
Noting that the ICO does not usually intervene in private litigation, the submission argues that, “in this appeal...there are serious issues to be tried i) on whether data collected and processed from Browser-Generated Information can be ‘personal data’...and ii) whether the interpretation of damage...should include non-pecuniary damages.”
The outcome of the appeal will be a significant milestone in the emerging arguments around privacy rights in the big data world and where jurisdiction and responsibility reside.