This post was written by Cynthia O’Donoghue.
An action against the California-based Internet giant, Google, was recently brought in the English courts. The individuals, supported by the campaign group known as Safari Users Against Google’s Secret Tracking, claim that the search engine provider bypassed the security settings on their Apple iPhones and Mac computers in order to track their online behaviour without their knowledge. Google denied any wrongdoing and disputed English courts’ jurisdiction over the case, arguing that it should be heard in California.
The browser used by the individuals in question was set to block cookies, small text files put on users’ computers to track their online behaviour. However, the claimants and the campaign group claim that Google exploited a loophole in the Safari browser to disable Safari settings without informing the users. The claim against Google covers breach of confidence and privacy, non-compliance with UK Data Protection Act 1998, computer misuse and trespass.
Google has denied any wrongdoing and claims that it collected no personal data. The Internet giant, however, has already been issued with a $22.5 million fine by the Federal Trade Commission (FTC) in context of the same behaviour in the United States. The FTC decided that bypassing Safari’s security settings constituted a breach of its previous order that Google would not misrepresent “the extent to which consumers can exercise control over the collection of their information.”
Google refused to accept service of the lawsuit in the UK, claiming the English courts have no jurisdiction over the lawsuit, on the basis that the software powering its services is located in California, and its consumer services are provided by the U.S. division, not Google UK. Thus, arguing that any claims alleging breaches of privacy and data protection law should be brought in California. The claimants argue that Google has a considerable presence in the UK, earning substantial revenues in the country and constructing a $1 billion headquarters in London.
Google says its position differs from that of other tech giants who offer services through EU-based affiliates, thus enabling claimants to make claims against such affiliates. Google’s argument that it is not subject to local jurisdiction in Europe is analogous to the position taken before the European Court of Justice, where Google has argued that its Spanish affiliate is not subject to the data protection laws as a data controller in relation to the services offered by Google, Inc. Both of these cases raise interesting questions about jurisdiction, which the European Commission is hoping to resolve through the draft Data Protection Regulation. The draft Regulation clearly establishes jurisdiction for non-EU based companies that offer goods and services to individuals in the EU or who “monitor” their behaviour.