Did Google breach privacy when it tracked and collated personal use information to sell advertisers targeted online advertising space?
Ursula Cheer, Professor of Law, University of Canterbury, comments on privacy, confidentiality breaches, defamation, liability, publication, the internet and the recent English case:Vidal-Hall, Hann and Bradshaw v Google ([2014] EWHC 13 (QB) .
Google is increasingly finding itself the defendant in litigation world-wide arising from its online commercial behaviour, which unsurprisingly it resists robustly. A recent English case, Vidal-Hall, Hann and Bradshaw v Google ([2014] EWHC 13 (QB) raises interesting issues around privacy and the selling of targeted advertising space by Google on its search engine browser, Safari.
The three claimants (part of a larger group, but claiming as individuals and treated as such) apparently intend to test the lawfulness of Google’s behaviour by filing misuse of private information, breach of confidence and breach of data protection legislation claims in the UK. The claimants each say they suffered damage when Google, without their consent and knowledge, collected and collated a variety of information about them as they made use of Google’s ‘free’ search engine. The information was used to categorise the claimant’s possible interests in desired goods and services. Space could then be sold by Google to advertisers for personalised advertising. When the claimants used Safari, advertising aimed directly at them based on their characteristics such as interests, hobbies and pastimes, news reading habits, shopping patterns, social class, racial or ethnic origin, political affiliation, religious or spiritual beliefs, trade union membership, physical and mental health, sexuality and sexual interests, age, gender, financial situation and geographical location appeared on screen.
Anybody using the computer, or third parties nearby, could therefore discern otherwise undisclosed information about the claimants, some of it innocuous, some of it intensely intimate and personal. The claimants did not claim financial loss or other special damage, although they did claim account of profits for misuse of their information. Nor did they claim that any third party had actually viewed the information on their equipment and treated them detrimentally as a result. The claim was for acute distress and anxiety, which the judge, Justice Tugendhat, noted was not at the very serious end of the possible scale. Although Google had in the meantime ceased the behaviour complained of and destroyed the information relevant to the claimants, an injunction was also sought, though ultimately rejected.
Among other procedural matters, the court had to determine if there was a serious issue to be tried in each claim, and whether the claims were being made in the appropriate jurisdiction given that Google Inc is registered in Delaware USA and has its main offices in California. The claims were in the main allowed to proceed. The following points are notable about the judgment:
- Justice Tugendhat noted that Google provides its Search Engine facility and other services to internet users in the UK and around the world. However, he then stated that those services are now so well known that they do not need to be described in the judgment (para 3). This is in contrast to many previous judgments which have rehearsed lengthy technical descriptions of such facilities. So we have increasing judicial acceptance of the ubiquity of online services in modern society.
- For the claims to go forward, Practice Directions allowing service outside the UK required that the claims be torts. Justice Tugendhat, after surveying the cases in some detail, concluded that the action of misuse of private information is a tort. This moves the UK ever closer to the NZ position which recognises that privacy claims are claims in their own right and not parasitic on other claims. So the English action finally appears to be leaving behind its rather uncomfortable origins as a mere subset of breach of confidence. The judge also pointed out that as breach of confidence cannot be a tort, there is an anomaly in the law in allowing service out of the jurisdiction for one type of claim but not the other (paras 70-71).
- The court considered where the act complained of had been committed and concluded that the damage arising from what could be seen on the claimants’ screens arose in the UK, the method being a form of publication, as in libel. This conclusion (strictly obiter) appears to be another example of unarticulated acceptance of the Australian decision Dow Jones v Gutnick, ((2002) CLR 757) holding that in defamation publication takes place in the jurisdiction where information is downloaded and viewed on a computer, not where it is uploaded. So defamation law continues to be applied in privacy too.
- On the question whether there was a serious issue to be tried or a real and substantial tort, the court held each claimant had a sufficiently strong case. It then considered whether the claims should be struck out because of the ineffectiveness of any remedy. The defendants suggested that ‘the game would not be worth the candle’ and costs to the parties would be far greater than any award of damages that might eventually be made. It made a further argument that Google had a right to distribute information in the form of advertising (under Art. 10 of the European Convention on Human Rights) that had to be weighed against any interest in privacy when a remedy was being considered. However, Justice Tugendhat concluded that the information collected and collated by Google was not advertising for the public, but commercial information used to further its private interests, and therefore of less weight than other forms of information. It did not outweigh the potential privacy interests of the claimants. Neither, after a rather rough and ready look at the potential length of any trial and eventual costs, did the judge think the game would ultimately not be worth the candle.
- Google also suggested the information it used was not private because it was anonymous. The court rejected this rather abruptly, pointing out that at all times, the claimants were identifiable to Google, although its individual employees did not know who they were. Further, when advertisements appeared on the claimant’s screens, third parties would be able to identify them.
- The final point of note is that the court found that the UK is the most appropriate forum for the actions. Documents held by Google in California would always be available electronically, and the focus was likely to be on the damage caused to the claimants, which they would find burdensome to prove in the US. Also, the issues of English law which arose were complex and developing and would be best considered in the UK.
There are indeed complex issues that arise in the claims and I sense this English court at least would very much like them to go forward. Google was sanctioned extensively in the US and fined $22.5m by the FTC in relation to previous privacy violations, but similar behaviour in the UK had not been sanctioned by any government body, in spite of the existence of the Data Protection regime. There are large public interest issues at stake in this David v Goliath-like litigation. Google search engines are, on the face of it, free to the user world-wide, which is remarkable in a sense. However, the reality is that like all private media, that free use has to be subsidised by advertising income. Media often hold up the commercial imperative as a defence in cases where it breaches privacy and other human rights, and, while the courts may take this into account in weighing the rights and interests involved, it is often emphasised that it is not the job of the law to guarantee the profits of any particular enterprise.
However, these big issues may not arise at all to be dealt with in Vidal-Hall. Unfortunately, this ‘test’ case is not an ideal one to decide the legal issues involved. In particular, I suspect the claimants may struggle to prove there has been sufficient publication required for a misuse of private information claim. Publication of information to someone using your laptop with permission raises issues of consent as a defence, and I believe publication to those who happen to be passing by is accidental publication and therefore insufficient. Additionally, privacy as it is developing in the UK and certainly in NZ, appears to require wide publication, which does not appear to exist on the Vidal-Hall case either.
Can Google attract the advertising it needs to without invading the privacy of its users? Perhaps it needs a better business model that does not depend on opportunistic exploitation of its users. The common law needs to attempt to confront these issues if claimants have the time, energy and money to bring deserving cases, but they should only have to do so as a last resort.
Article by Ursula Cheer, Professor of Law, University of Canterbury, Christchurch