As a global organisation, Google is involved in numerous legal disputes worldwide at any one time. Indeed, Apple and Google collectively spend more money on litigation than on research and development (R&D) for new products. I’d like to take one case that has been going through the courts in London and explain what it means to any organisation that has personally identifiable information (PII) on UK or European individuals.
The case is Google vs Vidal-Hall et al. The claim concerns Google’s placement of third-party cookies on users’ devices even though the users had set their security settings (in Safari) to block them. The claimants sought damages for misuse of private data and distress.
I will not go into the full case, as there are other places where this can be read, not least the full judgement. Instead, I’ll explain the three major points and why it matters to anyone else who has private information on UK or European Union citizens.
- The court agreed that claimants based in the UK can sue a company based in the USA through the UK courts.
- The claimants can claim for damages based on distress. In the past, UK law has been interpreted as only allowing distress to be claimed if the claimant had also suffered financial loss.
- The court ruled that cookies are private information – as they can (especially when correlated with other data) identify an individual.
So, the outcome for anyone who has data on UK and EU citizens (28 countries) is that you can now be sued in the UK courts even if you are not based in the UK yourself.
It also opens up the courts to possible class-action lawsuits. A single individual may not receive much compensation, but losing or misusing the data of thousands of individuals is more likely to give rise to class actions.
This is part of a continuum in which European courts and legislators are taking data privacy very seriously. Potential fines are rising, and judges are typically taking a stronger line with anyone who misuses or loses data on EU citizens.
The new EU Data Protection Regulation is expected to continue to raise the stakes in this regard and everyone should be reviewing their procedures, policies and technology. This regulation is also expected to widen the net to include cloud providers who have data on EU citizens. For more information on the new regulation and how to prepare, download the Skyhigh ebook: How EU Data Protection Legislation Affects Your Data in the Cloud.