DESPITE THE MORAL OUTRAGE expressed in some quarters about intrusive online surveillance by government agencies, many of us seem resigned to the fact that we can all be spied on by the security services when using the internet.
But when it comes to companies tracking our activity for commercial purposes, there seems to be a greater appetite to fight back.
This is certainly true of three individuals in the UK who found out a few years ago that Google had been using some clever tricks to bypass the privacy settings on the Safari browser used on their Apple computers.
The result of Google's ingenuity was that by tracking people's browsing habits and noting the websites they had visited, advertisers using Google's services were able to target advertising at individuals in much more personalised ways than would otherwise have been possible.
Google stopped this practice after a furore in the US led to it being fined millions of dollars by the authorities. But the three individuals - Judith Vidal-Hall, Robert Hann and Marc Bradshaw - decided to press on and sue Google in the UK for the distress that its actions had caused them.
A battle is still raging in the English courts to allow them to serve their proceedings on Google in the US. But last week, the Court of Appeal issued a potentially important ruling in the case that could have significant implications for all organisations that are 'data controllers' (those that hold personal data) under the Data Protection Act 1998 (DPA). This applies to just about every business in the country.
So what is 'personal data'?
Data protection laws are concerned with the protection of what is known as ‘personal data' about individuals. This comes in many different forms. Examples could include a photograph, a name and address or a mobile telephone number.
When you surf the internet, you are likely to come across websites that use technology (known as ‘cookies') to track the pages you have visited and gather this information for their benefit. This information is described as being ‘browser generated information' because it is obtained from an individual's browsing activity.
The court in the Vidal-Hall case held that it is at least arguable that such ‘browser generated information' gathered from individuals could be personal data in its own right - even if it is ‘anonymised' and does not specifically name the person concerned (e.g. the information might be held under a code number, rather than a person's name). This is a concern to many businesses because it is often thought that anonymising data in this way gets around data protection concerns.
The court pointed out that, these days, it may be enough that companies holding the data can identify the device from which it was gathered, even if they don't know the name of the individual person whose device it is. This is because most people have their own devices rather than in the old days when there might only be a single home-based computer.
Also, where a data controller holds other information that, when aggregated with the anonymised data, could reveal the identity of the individuals in question, the court held that this too is arguably personal data - irrespective of whether or not there is any likelihood of the information being so aggregated.
In other words, just because personal data is ‘anonymised' and wouldn't normally be linked to an individual or their device by a data controller does not invariably mean that it will fall outside the definition of ‘personal data' - provided the data controller has access to that other set of information.
These rulings on what is meant by ‘personal data' are not definitive, as they are only provisional rulings. But until the court has issued a final ruling on the subject after the full trial of the case, businesses that control personal data need to be aware of how the law might be evolving.
What does this mean for businesses?
Significantly, the court has held that claims for damages under the DPA can be made even if the only type of damage claimed is for purely for ‘distress'. Previously it was thought that a person could claim such damages only if they had also suffered a financial loss. This made it much harder for anyone to take action themselves in cases where their personal data had been misused.
This decision is bound to increase the risk that data controllers will find themselves facing ‘distress' claims from individuals in the aftermath of a breach of the DPA, for example where a business suffers a data breach through a cyber attack or by losing customer data.
Next steps for this case
The Court of Appeal has said that, although Google long ago ceased the offending activity that led to this case, albeit only after being fined by the US authorities, it is a sufficiently important case of principle that the claimants should be able to proceed with their damages claim, even though any damages are likely to be dwarfed by the costs of the whole exercise. (Google has estimated its own costs alone at £1.2m).
It will be interesting to see whether Google now decides to appeal against the decision to the Supreme Court, or whether the case will proceed to trial.
Michael Gardner is a partner and head of the intellectual property team at law firm Wedlake Bell LLP.
Stop laughing at the back Iain iPhone
AI want to break free
Not making friends, but influencing people
But eager game streaming beavers will have to wait until 2020