UK Judge Blocks iPhone Privacy Suit against Google

UK High Court judge Mr Justice Warby has blocked the novel group litigation brought by the Google You Owe Us campaign, which had sought significant damages on behalf of British iPhone users whose web browsing was tracked by Google without their consent. Though the judge agreed that Google had wrongfully violated the Data Protection Act by using cookies to track the browsing habits of iPhone Safari users between June 2011 and February 2012, he concluded the action could not be allowed to progress because:

  • The users had not suffered any ‘damage’ of the type described by the Data Protection Act;
  • Even if they had suffered damage, the representative action on behalf of thousands of users could not continue because the law required them all to have the same interest in the case, but it cannot be said they are all alike in the extent to which they are each victims; and
  • It would not anyway be possible to determine who would have belonged to the community of users that might have suffered the damages described by the plaintiff.

The decision is a blow to UK privacy campaigners. The same Google abuse of personal data had resulted in regulatory action and significant fines in the USA, as covered by the judgment:

Google’s activities in relation to the Safari Workaround were discovered by a PhD researcher, Jonathan Mayer, as long ago as 2012, and publicised in blog posts and, on 17 February 2012, in the Wall Street Journal. Regulatory action was then taken against Google in the USA. In August 2012 the company agreed to pay a US$22.5 million civil penalty to settle charges brought by the United States Federal Trade Commission (“FTC”) that it misrepresented to users of the Safari browser that it would not place tracking cookies or serve targeted advertisements to those users. On 11 November 2013 it agreed to pay US$17 million to settle US state consumer-based actions brought against it by attorneys general representing 37 US states and the District of Columbia. In addition, the Defendant was required to give a number of undertakings governing its future conduct in its dealings with users in the USA.

The judge did not dwell on the adequacy of any action taken by the UK’s Information Commissioner, which serves as the regulator and enforcer of the UK’s Data Protection Act. However, one observation put the regulator’s response into context:

Censure is the role of the regulator, or the criminal law. There have been regulatory responses to the breaches, which have resulted in consequences for Google. If those responses are perceived to be inadequate, I do not believe the remedy is to fashion a means of imposing a further penalty by bringing a class action for compensation, based on an artificial notion of “damage”.

This is a fair observation. The UK has long had a data protection regulator that is as lackluster as it is incompetent. The supine nature of the UK’s Information Commissioner has fed the public desire to see businesses like Google punished for their excesses, but has never been translated into the public ass-kicking that this regulator needs. As such, it would not be justified to reinterpret laws just to work around the routine failure of the body tasked to enforce data protection rules in practice.

A key question for the judge was whether losing control of data should be considered ‘damage’ in itself. The judge concluded it should not. Though Google broke data protection law by gathering data it should not have gathered, the judge thought it circular to argue that every violation of law must also inflict damage, and therefore that damage had been established merely by demonstrating that the law had been broken. The judge observed that the Data Protection Act envisaged various forms of remedy following a privacy violation. Whilst paying compensation might be appropriate, the most obvious remedy when collecting too much personal data is to stop collecting the data and to delete what had been collected.

Much of the judgment contrasted the arguments put forward by Google You Owe Us with the details of the only previous UK action brought by individuals who claimed to have suffered distress as a consequence of the same privacy abuse by Google.

In June 2013, Judith Vidal-Hall and two others issued claims against Google claiming damages on the basis that by obtaining and using information about their internet usage via the Safari Workaround the company had misused their private information and/or committed a breach of confidence and breach of the DPA and caused them distress and anxiety.

Permission to serve outside the jurisdiction was granted. The case then came before Tugendhat J. By a judgment delivered in January 2014 he set aside service of the proceedings in relation to breach of confidence, but declined to do so in relation to the claims in misuse and under the DPA: Vidal-Hall v Google Inc [2014] EWHC 13 (QB) [2014] 1 WLR 4155. An appeal by Google was dismissed by the Court of Appeal on 27 March 2015: Vidal-Hall v Google Inc (Information Commissioner intervening) [2015] EWCA Civ 311 [2016] QB 1003. The Supreme Court granted permission to appeal on one issue, but the claim settled before the appeal to the Supreme Court or any trial took place.

The plaintiffs in Vidal-Hall enjoyed relative success because they could articulate what particular damage they had suffered. In contrast, Google You Owe Us had persuaded 20,000 people to sign up for their representative legal action, but could not know what specific damage any of those people might have suffered in practice.

By demanding that the focus be on the particular rather than the general, the judge showed himself unsympathetic to the realities of widespread privacy abuses. At several places his judgment referred to the time that had elapsed since Google’s abuse of personal data, and how only the plaintiffs in Vidal-Hall had been proactive in pursuing their case. I have no doubt the judge is correct in his understanding of the law, but this demonstrates that the law is letting ordinary people down. Should thousands of people each separately pursue a massive corporation like Google through the courts, though their individual loss is relatively small compared to the cost of hiring a lawyer, and their chances of success are small? It would be more natural to rely on a trusted authority – like a regulator – to wake from its slumber and take the necessary action. When that regulator fails, not least because the press does not hold it to account, the response of most consumers is to feel upset but otherwise shrug their collective shoulders at how those with power have once again escaped any meaningful punishment for their wrongdoing.

The frustrating outcome is that those who had the power to punish Google did not do so, whilst those who felt distress at having their data abused are too vaguely defined as a group, and the damage they suffered is too lacking in specificity, for them now to band together for the kind of common legal action intended by Google You Owe Us. This is despite the campaign group being led by consumer champion Richard Lloyd with advice being provided by a former High Court judge, a non-executive director of a national regulator and a former government adviser. The problem here is not a lack of experience or skill by those seeking redress, or that their claims are factually incorrect, but that they are operating in a legal environment that is essentially hostile to their objectives.

Google You Owe Us indicated they would appeal, but I can see no reason to believe the judgment would be overturned. When it comes to privacy violations there is an imbalance between the lone individual who is abused and the big organizations that have the greatest motive to abuse us all on a massive scale. The law is not as helpful as it might be, but focusing too much on the wording of rules distracts us from the more fundamental weakness that allows firms like Google to abuse our privacy again and again. When abuses occur it is difficult and sometimes subjective to determine who is really at fault, what they did wrong, and how great the harm caused. Most of us want that challenge to be addressed by somebody else, to spare ourselves the burden. But our common lethargy ultimately means that those entrusted with the task of defending us cannot be relied upon to do it.

The text of the judgment can be found here.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.