The ‘Safari workaround’ has cost Google millions. In 2012, it paid a civil penalty of US$22.5 million to settle charges brought by the US FTC that Google misrepresented to users of the Safari browser that it would not place tracking cookies or serve targeted advertisements to those users. In 2013 it paid US$17 million to settle US state consumer-based actions brought by State AGs.
Google was also sued over the Safari workaround in the UK by individuals claiming that Google was liable for the tort of misuse of private information and for breach of the UK Data Protection Act 1998 (the DPA). Google tried to deny the plaintiffs their day in court, arguing, among other things, the court should not bother with the claims because they were not serious enough and because the damages claimed by the three claimants were too insignificant for the court to take the time to address it.
In Google Inc v Vidal-Hall & Ors  EWCA Civ 311 (27 March 2015) the English Court of Appeal dismissed Google’s appeal from its attempt to get the case dismissed noting that “the damages may be small, but the issues of principle are large.” Further,
…these claims raise serious issues which merit a trial. They concern what is alleged to have been the secret and blanket tracking and collation of information, often of an extremely private nature, as specified in the confidential schedules, about and associated with the claimants’ internet use, and the subsequent use of that information for about nine months. The case relates to the anxiety and distress this intrusion upon autonomy has caused.
In the course of dismissing the appeal, the Court also dismissed Google’s appeal from other findings in reasons that could have significant impacts on not only this case, but on others as well.
The essence of the complaint against Google is that it secretly collected private information about the claimants’ internet usage via their Apple Safari browser (the Browser-Generated Information, or ‘BGI’) without their knowledge and consent and in violation of Google’s publicly stated policy that such activity could not be conducted in relation to Apple Safari users. This was done through the use of a cookie called the Safari workaround. The information obtained by Google was aggregated and sold to advertisers which used the information to target the users (or their devices) with ads. The claimants allege in respect of their claims for misuse of private information and/or breach of confidence, that their personal dignity, autonomy and integrity were damaged. They claim damages for anxiety and distress. They also claimed compensation under section 13 of the DPA for damage and distress.
As Google Inc carries on business principally in the US, the claimants had to obtain the permission of the court to sue Google in the UK. To obtain that permission, they had to establish, among other things, (i) that there was a serious issue to be tried on the merits of their claims i.e. that the claims raised substantial issues of fact or law or both; and (ii) that there was a good arguable case that their claims came within one of the jurisdictional ‘gateways’ under UK law.
Google had argued that the cause of action for misuse of private information could not be regarded as a “tort”. This was rejected by the Court of Appeal which could find no sound reasons of policy or principle to suggest this claim did not sound in tort. It also did not accept Google’s argument that a claim for compensation without pecuniary loss was not recoverable under the DPA.
Google also argued that the information it collected from individuals was not personal data under the DPA. Its first contention was that BGI was not personal data because it did not specifically identify the individuals by name. The court did not accept Google’s argument finding that the data collected was “about data that ‘individuates’ the individual, in the sense that they are singled out and distinguished from all others”.
BGI information comprises two relevant elements: (a) detailed browsing histories comprising a number of elements such as the website visited, and dates and times when websites are visited; and (b) information derived from use of the ‘doubleclick’ cookie, which amounts to a unique identifier, enabling the browsing histories to be linked to an individual device/user; and the defendant to recognise when and where the user is online, so advertisements can be targeted at them, based on an analysis of their browsing history.
Taking those two elements together, the BGI enables the defendant to single out users because it tells the defendant (i) the unique ISP address of the device the user is using i.e. a virtual postal address; (ii) what websites the user is visiting; (iii) when the user is visiting them; (iv) and, if geo location is possible, the location of the user when they are visiting the website; (v) the browser’s complete browsing history; (vi) when the user is online undertaking browser activities. The defendant therefore not only knows the user’s (virtual) address; it knows when the user is at his or her (virtual) home.
Google’s second argument was that even though it may have been able to identify the claimants using information it had about them from another service e.g., gmail, the data could not be regarded as personal data as a living individual is only “identifiable” from two sets of data in the hands of the data controller, where it is “reasonably likely” that the data controller will aggregate the two sets of data. It is not sufficient that it is capable of aggregating the data. The court also rejected this argument ruling preliminarily that “the fact that a data controller might not aggregate the relevant information in practice is immaterial. What matters is whether the defendant has “other information” actually within its possession which it could use to identify the subject of the BGI, regardless of whether it does so or not.”
Subject to a possible appeal to the UK Supreme Court, decision paves the way for a group (class) action against Google by millions of Britons.