Google has been taken to court by consumers rights campaigner Richard Lloyd (Google you owe us) over the alleged infringement of rules on data protection of iPhone users. The legal action, which is thought to represent the interests of well over 5 million people in the UK, has been filed at the UK High Court and claims that Google bypassed default privacy settings of iPhone users and tracked successfully their online behaviour when using the Safari browser between 2011 and 2012.
The personal data illegally gathered was then supposedly used in Google’s advertising business DoubleClick that enables advertisers to target content to specific users in line with their browsing history.
The so-called “Safari workaround tactic” gathers personal data of users without their permission. That activity goes against the principle of lawful processing – which includes collection – of personal data contained in the UK Data Protection Act 1998 (DPA). The DPA implemented the cornerstone piece of EU legislation in the field i.e. the Data Protection Directive 95/46/EC (see articles 1(1), 5 and 10). The DPD’s successor, the EU GDPR, will become “enforceable” and the main legislation on protection of personal data in the EU in late May 2018. The GDPR strengthens the rights of individuals to unseen levels and allows consumer associations or watchdogs such as Which? to file lawsuits in name of a group of affected individuals. In addition, once the EU e-privacy Regulation (currently undergoing legislative procedure at EU level) becomes law it will complement the GDPR and create a new legal framework for the digital age.
Furthermore, both pieces of EU law contain an extraterritorial scope of application clause. In cases like this it means that regardless of where the alleged infringing company is established if the data was sourced from EU nationals and/or in the EU territory the EU Regulations will apply (see article 3 of the GDPR and case law of the CJEU in that direction e.g. C-131/12 Google Spain).
This case is the first of its kind in the UK. Never before a tech giant has been sued over data protection breaches by one person representing a collective group and is likely to be closely monitored by tech companies and data protection lawyers alike.
With the enforceability of the GDPR looming and the soon to be adopted EU e-privacy Regulation all matters related to individuals rights to protection of their personal data and privacy are becoming causes of concern for many companies handling big volumes of personal data. Conversely, for individuals it seems the time has come to ensure their rights are respected. Many dubious practices currently in place whereby individuals are somehow tricked into giving their personal data without explanation of the end-purpose of the gathering and processing or simply taken without their knowledge or consent will be more closely monitored.
Whether this legal challenge will be successful or just a wakeup call for big corporations of what may come their way is yet to be seen. What is certain, though, is that the data protection and privacy landscape is changing and the sooner we embrace it the better. Not long to go until tactics like this become real risks for big corporations as they will face fines of up to 4% of their worldwide turnover if they breach customers’ trust (and infringe their rights).
Should the action be successful individuals affected will be entitled to some monetary compensation the amount of which will be determined by the UK court.
More information on this case here.