VLT Legal | Greater protection for online privacy offered by developing area of law
16423
post-template-default,single,single-post,postid-16423,single-format-standard,ajax_fade,page_not_loaded,,qode_grid_1200,footer_responsive_adv,qode-theme-ver-16.1,qode-theme-bridge,wpb-js-composer js-comp-ver-5.4.7,vc_responsive

Greater protection for online privacy offered by developing area of law

Greater protection for online privacy offered by developing area of law

Several recent developments suggest that the data protection regime is being put to effective use in developing a new area of law, “misuse of private information”, which could offer greater privacy protection to internet users.

 

A recent Preliminary Opinion from the EU Data Protection Supervisor looked at the growth in the use of big data to finance businesses offering online services.   The practice of data mining is extremely lucrative to internet-based businesses, as the information obtained can be sold on to third parties for marketing purposes; it seems likely however, that consumers give away their personal data in exchange for supposedly “free” online services, without realising the true value of such data. The Opinion recommends further investigation into consumer awareness of this practice, as well as improvements to the definition of “consumer harm” where, for instance, online privacy policies make it very complicated for users to access their personal information.

 

This thinking underlies two other recent news stories involving Google:

 

Use of “non-personal” data for targeted advertising may render the data “personal”

In the case of Vidal-Hall v Google Inc, an action which is still going through the courts, three claimants allege damage at the hands of Google, where personal data collected through their use of Safari was “anonymised” and sold on to third parties. As a result, the claimants received targeted advertising which was clearly visible on their devices, which they allege could cause harm when viewed by third parties, because they could disclose personal information and interests. The High Court has ruled that the claimants do have an arguable case, on the basis that search engine data, which is supposedly rendered “non-personal” as a result of being anonymised, could become “personal data” for the purposes of the Data Protection Act when used in the manner complained of. Google intends to take this ruling to appeal, but if the High Court’s interpretation of data protection law is upheld, the decision could have a significant impact on the practice of data mining – a highly lucrative practice which, as the High Court observed, “yields spectacular revenues for which Google Inc is famous”.

 

The “right to be forgotten”

Last month, in the very well-publicised case of Google Spain SL, Google Inc. v Agencia Espanola de Proteccion de Datos, Mario Costeja Gonzalez, Google has been required to block access to search results about an individual, should the individual so request. This decision cannot be appealed, and is significant not only for its contribution to the growing body of law that aims to protect the privacy of internet users, but also because it shows that Google cannot hide behind US laws, and must instead comply with EU data protection and privacy laws wherever it operates in the EU. For data protection purposes at least, businesses will be considered to be “established” wherever their operations are located, and therefore subject to the relevant legislation.

The “right to be forgotten” or “right to erasure” means that individuals may require search engines to “rectify, erase or block access to search results about them that are incomplete, inaccurate, irrelevant, outdated or otherwise breach EU data protection law.” The right, which exists even where an individual has no power to prevent the original publisher from making information available, must be balanced against other rights such as the interests of other users (although the judgement states that the individual’s rights will generally take precedence) and the economic interests of the search engine.

The Information Commissioner’s Office has since offered guidance on how this judgement is to be implemented, making it clear that search engines and social networks will be given reasonable time to put systems in place to start considering requests from individuals. The ICO has also indicated that individuals will have to demonstrate “clear evidence of damage and distress”. This appears to be a sensible and practical way of ensuring the requisite consideration of the balance of interests (even though the CJEU stated that it was not necessary to show harm to the individual).