I find it fascinating to watch how data protection in general and GDPR in particular play out with the huge multinationals which it has been designed to capture, and which arguably have the most to lose in terms of fines. Facebook and Google are once again in the news in relation to their use of personal data. And the High Court judgement against Morrisons sets a precedent which aligns with GDPR’s intention of individuals’ rights to have their data protected.
Google accused of bypassing privacy settings to harvest personal information of 5.4 million iPhone users between 2011 and 2012
The search engine tech giant Google is being taken to court by a group called Google You Owe Us, led by ex-Which director Richard Lloyd. The group claims that several hundred pounds could be owed in compensation to the millions of victims of Google’s transgression against privacy rights, meaning Google could face a massive financial penalty.
Google exploited cookies, which are small pieces of computer text that collect data from devices, to run large-scale targeted ad campaigns. In the UK Google’s actions were in breach of the Data Protection Act (DPA) and the Privacy and Electronic Communication Regulation (PECR). For such breaches after the General Data Protection Regulation (GDPR) comes into force in late May 2018, organisations could face a fine of up to €20 million or 4% of annual global turnover (whichever is higher – and for the billion-dollar giant Google, obviously the latter). However, this case relates to a period prior to GDPR.
For several months in 2011 and 2012, Google stands accused of bypassing the default privacy settings on Apple phones in order to track the online behaviour of Safari users, by placing ad-tracking cookies onto the devices. This then enabled advertisers to target content to those devices and their users.
The Google activity has become known as the ‘Safari workaround,’ and while it affected various devices, the lawsuit filed in the High Court addresses the targeting of iPhone users.
Over 5 million people in Britain had an iphone during the period. “In all my years speaking up for consumers,” Mr Lloyd from Google You Owe Us states, “I’ve rarely seen such a massive abuse of trust where so many people have no way to seek redress on their own. Through this action, we will send a strong message to Google and other tech giants in Silicon Valley that we’re not afraid to fight back.”
According to the veteran privacy rights campaigner, Google claimed that he must go to California, the heartland of the Silicon revolution, if he wanted to pursue legal action against the firm, to which he responded, “It is disappointing that they are trying to hide behind procedural and jurisdictional issues rather than being held to account for their actions.”
According to the BBC, the broadcaster was told by Google that these legal proceedings are “not new” and that they “have defended similar cases before.” Google has stated that they do not believe the case has any merit and that they intend to contest it.
While there is no precedent in the UK for such massive action against Google, in the US Google has settled two large-scale litigation cases out of court. Regarding the same activity, the tech company agreed to pay a record $22.5m (£16.8m) in a case brought by the US Federal Trade Commission in 2012. It also made out of court settlements with a small number of British consumers.
According to the BBC, the case will probably be heard in the High Court in Spring 2018, a month or so prior to the enforcement of the GDPR.
Morrisons found liable for employee data breach
Morrisons workers brought a claim against the supermarket after a former member of staff, senior internal auditor Andrew Skelton (imprisoned as a result of his actions) stole and posted online confidential data (including salary and bank details) about nearly 100,000 employees.
In an historic High Court ruling, the Supermarket has been found liable for Skelton’s actions, which means that those affected may claim compensation for the “upset and distress” caused.
The case is the first data leak class action in the UK. Morrisons has said it will appeal the decision.
Facebook claims European data protection standards will not allow for their pattern-recognition “suicide alert tool” to be usable in EU.
Facebook’s decision to deny EU countries a pattern-recognition tool to alert authorities to users possibly suffering from depression or suicidal thoughts has been criticised as a move to undermine the upcoming tightening of EU-wide data protection standards, enshrined in the General Data Protection Regulation (GDPR).
Facebook has argued that their Artificial Intelligence (AI) programme which scans the social media network for troubling comments and posts that might indicate suicidal ideation will not be employed in EU countries on the grounds that European policy-makers and the public at large are too sensitive about privacy issues to allow site-wide scanning.
In a blogpost, Facebook’s VP of Product Management stated, “we are starting to roll out artificial intelligence outside the US to help identify when someone might be expressing thoughts of suicide, including on Facebook Live. This will eventually be available worldwide, except the EU.”
Tim Turner, a data consultant based in Manchester, has suggested that the move might be “a shot across the EU’s bows […] Facebook perhaps wants to undermine the GDPR — which doesn’t change many of the legal challenges significantly for this — and they’re using this as a method to do so.”
Mr Turner continues, “nobody could argue with wanting to save lives, and it could be a way of watering down legislation that is a challenge to Facebook’s data hungry business model. Without details of what they think the legal problems are with this, I’m not sure they deserve the benefit of the doubt.”
Written by Harry Smithson 1st December, 2017