AddThis SmartLayers

The Law Column: Data breaches and compensation


Google was on a high following its recent win in the Court of Justice of the European Union after it appealed a €100k fine in relation to the right to be forgotten. The CJEU said that global delisting is not mandatory, meaning that Google would have to remove information from all Google domains across the world after all.

Meanwhile, Google was in the English Court of Appeal at the start of the month, but the winning streak didn’t continue. Unfortunately, this update is going to get a little technical – and it’s hard to avoid that!

This claim was brought by Richard Llotd on behalf of c. 4.4million iPhone users and relates to Google’s gathering and exploitation of browser generated information (“BGI”) on Apple’s Safari browser. This has become known as the “Safari Workaround”. Google used something called the “DoubleClick Ad cookie” which ultimately enabled the delivery of adverts tailored to the user based on what they had browsed previously.

This bypassed Safari’s blocking of third party cookies so Google was able to put the DoubleClick Ad cookie on a device, without the user’s knowledge or consent.

The upshot is that Google was able to identify and collect information about devices and the users visiting websites displaying the adverts. The information that was gathered by Google included details of times and frequencies of the visits to the website, IP addresses and what advertisements were viewed.

In this case, Mr Lloyd claimed that this enabled Google to get information relating to users’ browsing habits, locations, interests, race or ethnicity, social class, political or religious views, affiliations, age, health, gender, sexuality and financial position.

He claimed that this breached Data Protection legislation and therefore, each claimant was entitled to compensation for that breach.

Initially, the High Court Judge decided that the claimants hadn’t suffered any damage so they were not entitled to any compensation.

Mr Lloyd took his case to the Court of Appeal, which took exactly the opposite view and allowed the case to continue.

From a journalists’ and publishers’ perspective, this is important because the Court was deciding whether the Claimants could claim compensation for loss of control of their personal data.

After all, journalists (to use the jargon) “control” and “process” individuals’ personal data every day of their working lives, so this is not an obscure legal problem but something which potentially is at the heart of day to day journalism.

Remember that in the High Court, the Judge had said that the Claimants hadn’t suffered any damage so they were not entitled to compensation. Previous cases and the legislation were contradictory.

But in the Court of Appeal, the lead judge decided that “damages are in principle capable of being awarded for loss of control of data” even if there is no actual loss and no actual distress has been suffered by the in permission in question.

That said, because this was only a preliminary hearing, the Court declined to make a final decision on whether the claimants could recover damages.  That will have to wait for a full trial.  But the lead judge expressed the view that this, at least, is “fairly arguable”.

Why is this important for journalists? Because it indicates that data protection continues its relentless rise to prominence and notwithstanding the journalism exemption in data protection law, journalists have to be vigilant in ensuring they comply with the law as it develops.

The journalism exemption is constantly being challenged by claimants and their lawyers, and the profession needs to be alive to the issues that may arise in the not too distant future.  We have been warned!