Google appeal ruling should send shivers through US tech companies

What are the implications of Google's legal defeat in London and the UK court's hardening attitude towards privacy breaches?

The UK Court of Appeal has turned down Google’s assertion that users in the UK could not sue the company in the UK courts for its activities in the UK.

There were other issues, but that was the key one. For privacy campaigners, it signals the end of immunity against local court action claimed by Google and the other US internet giants against users in the UK and Europe.

In a much more limited county court action in 2014, Microsoft, Facebook and Google made the same defence – that a UK user could not sue them in a UK court for actions they performed in the UK – in Guildhall Court in London.

According to Microsoft, anyone with a complaint against the firm had to go to Seattle, in the USA, to get it heard. The Guildhall judge had no precedent from a higher court to do anything other than offer the claimant the opportunity of a stay while the case was prepared for a US court. The claimant declined the offer on grounds of cost. 

That case was based on privacy and the alleged intrusions in the UK under the US Prism surveillance programme.

US tech companies now liable in UK courts

Now there is a precedent and all of the internet giants face the same fact: they are liable before the courts of the UK, for their actions in the UK, irrespective of their corporate base or origin.

The case in London against Google, by Judith Vidal-Hall and others, concerns the privacy of people’s internet searches and will now go to a full trial. In its unanimous ruling, the Court of Appeal stated that the claims made by Vidal-Hall and the others "raise serious issues and merit a trial”.

In essence, the claimants against Google say that, using a setting on the Safari programme, Google tracked and collected information on their internet use in 2011 and 2012 without their knowledge.

Google attempted to tell this, the third court hearing, that the users privacy concerns were trivial and unworthy of a hearing. The firm’s response to the defeat was to say that it was "disappointed" with the ruling.

Google has not yet said what it will do. It could appeal to the Supreme Court or could even try the European Court as a last resort. However, if Google got to Europe, it would find the opposition already there, fighting the privacy issue on the basis of a direct referral from the Irish High Court.

Irish case challenges Prism  

This referral is based on the case brought by Max Schrems, the Austrian law student, with funding from 25,000 supporters and a further 60,000 backup supporters, against the Prism group of US contractors in Europe acting for the US National Security Agency (NSA), of which Google is one.

The case recently began in the European Court of Justice and is due to reach a decision on 24 June 2015. The fact that the Irish High Court acted in the way it did was totally unforeseen, given that in Schrems' original case in Dublin it let the local authorities in Ireland off the hook over their tolerance of Prism on a technicality.

In Schrems' case, he is attacking the validity of Safe Harbour, a self-certification system that allows US corporations to ship UK and European data to the US on the grounds that personal data has the same protection in the US as it does in Europe. 

Schrems alleges that data stolen in Europe under Prism has no protection at all in the US. If the court finds for Schrems it will transform the entire fabric of the European Court's agreement with the US on how the country's giants operate in Europe.  

Courts are hardening attitudes on privacy

Commentators see a significant hardening in the attitudes of the higher judiciary across Europe against American assumptions of immunity and of wrongdoing in the field of privacy. This is in sharp contrast to the failure of governments, including the German government, to react legally to issues such as the intercepting of Chancellor Angela Merkel’s mobile phone.

And it’s not just the judiciary who are toughening up. In an article in the Financial Times on the day he took office in November 2014, GCHQ director Robert Hannigan wrote that ordinary users of the internet are ahead of US internet giants. 

“They [the users] have strong views on the ethics of companies, whether on taxation, child protection, or privacy," he wrote. “They know that the internet grew out of the values of Western democracy, not vice versa.”

So far, Schrems has proved Hannigan right, with his equivalent of eight army divisions mustered behind him, 25,000 of whom have already put their money where their views are.

In a lesser-sized action, Privacy International in London have lined up 5,000 people to demand a deletion of the private information stolen from them under the Prism programme and sent to GCHQ by the NSA. 

This follows a very narrow ruling by the Investigatory Powers Tribunal in London that the Prism information was unlawfully collected in the UK between 2007, the start of Prism, and 2014, when GCHQ took steps to amend the practice.  

Breach of privacy is an injury

In the UK, one of the most basic citizens' rights is to be able to go to your local court and get justice there against those who have injured you. Google in its case had argued that a loss of privacy was too trivial to try and did not amount to a "tort" or injury.

But the Court of Appeal disagreed, setting a critical precedent on privacy issues in future cases. 

In a remark that should send shivers through the Prism corporations, the court stated that “the issues relate to allegations of ‘secret and blanket tracking and collection of information, often of an extremely private nature”.  

Read more on IT for government and public sector