'The General Shape of EU Internet Regulation After Google Spain': Hugh Tomlinson

Good afternoon and thank you to David for inviting me to this extraordinary event. I see so much knowledge of data protection gathered in the room, probably about as big concentration as you can get in this country. It's a very welcome scenario to have so many people here to discuss these issues.

Jude raised at the beginning of this session the question of the broad impact of Google Spain and there's absolutely no doubt that Google Spain has an impact across all forms of Internet services. In a way that is at the moment completely unpredictable. And it doesn't work very clearly in practice. I mean I’ve just be asking a few people in the course of the day how it is that Google ever manages to process sensitive personal data lawfully. The answer is, it doesn't seem to be able to, but it seems to get away with it. Someone ultimately is going to try and work that through in the courts or the regulators.

I'm going to focus, in my presentation, on two very narrow issues from my experiences of litigating these issues in the English courts. I think that they are possibly of wider significance. I just want to deal with two aspects. The first is, it’s been promised and I’ll do it, is the case of Vidal-Hall v Google, which judgment was handed down today by the Court of Appeal. For those of you who don't know what the case is about it's to do with something called the Safari workaround, by which Google was able to obtain browser generated information from users of Safari, either deliberately or accidentally. I think there's an issue about that. But obtaining information which they shouldn't have been obtaining. Effectively a class action has been brought in England and it's necessary to serve those proceedings on Google in California. That means under the English rules of procedure you have to get through certain gateways for service out of the jurisdiction and one of those gateways is to demonstrate that you have a claim for damages.

So there’s a data protection claim and the barrier to a claim for damages is section 13 of the Data Protection Act because, as I'm sure everybody knows, that requires you to prove effectively economic lost before you can claim damages for distress. None of the claimants in this case could prove any economic loss and so if section 13 was read literally their claims for damages under the Data Protection Act were bound to fail. Incidentally, the civil claims brought in the United States over the same issue all failed - were all struck out - because they were unable to prove economic lost. It’s obviously a very different set of laws but crystallized on the same issue.

The central issue in this part of the judgment for the Court of Appeal was whether or not section 13 covered not just economic damage but also what was referred to as moral damage, in other words distress, damage to reputation and so on. It was accepted by everybody that, read literally, section 13 had that effect. There's no way around it. Section 13 required, as a necessary condition, a proof of economic loss. There was an interesting debate as to whether under Marleasing you could strike words out, whether you could strike whole sections out. Well I thought that was impossible. The Master of the Rolls said to me "why?". I was slightly at a loss as to how to [respond]. Well it’s absolutely obvious, you can’t go striking out bits of Acts as a process of construction. In the end, he accepted that. So that route was closed but what the Court of Appeal accepted was that, first of all, the word "damage" in the Directive in Article 23 covered both material and non-material damage. They based themselves partly on other decisions concerning other Directives and concerning the meaning of the word damage in the Treaty but partly on the general point that actually what the Data Protection Directive is about is protecting privacy rights, autonomy, dignity, not economic rights and it would be bizarre if your rights are interfered with but you had no remedy because only economic damage was protected. So they got to the position of saying yes damaging in the Directive does mean moral damage as well. Yes section 13 doesn't properly reflect the Directive so what do we do about it? We can’t construe it out of existence. The answer is, we disapply it because of Article 47 of the Charter which provides for an effective remedy. There is no effective remedy. EU law takes precedence so we disapply section 13. Effectively, what they've done is the process which is done in constitutional courts I think everywhere in, I always say this, everywhere in the world apart from England and New Zealand. I may have missed somewhere out. But in other words they strike down laws which are incompatible with more basic and fundamental laws and effectively what they've done to strike down section 13(2), which has a massive practical impact, because what that means is that now in respect of data protection breaches for the first time you can unarguably claim damages for distress whether or not you suffered economic loss. Now, does that demonstrate Orla’s point made this morning about the Court’s being, I think she mentioned Vidall-Hall in passing as an example of the courts being more activist in this field. I suspect not certainly in relation to the English domestic courts, but I do think they are becoming more constitutionally aware partly because the Human Rights Act and more aware so applying the Charter doesn't now seem something outrageous and foreign as it might've done even five years ago. That they think that's something that if that's where the law takes them that's where they go. So the decision is also important because there's an important discussion of what constitutes personal data. It was mentioned this morning that there's not much discussion at that in Google Spain. There’s actually more discussion in Vidal-Hall and in particular they accepted that you didn't have to name someone to identify them. I mean an obvious point, but Google argued to the contrary. So that’s the first thing I want to deal with.

The second issue is one that's arises out of Google Spain and it concerns the question about what you do about systematic problems because Google Spain envisages, the paradigm case, is reporting an individual URL. Mr Costeja reports that there's a URL which links to La Vanguardia and contains this information and ask Google to de-link it. But what happens if you get the not atypical situation where someone is putting large amounts of the same personal data onto the Internet - Google groups, or Facebook or onto YouTube or whatever. Is the position that you have to notify Google of every single URL or can you get Google to take some more automated procedure? That problem arose in the case of Hegglin, which I noticed in the notes for this event was mentioned by David, and in Hegglin there was some unidentified person who, we never worked out what was behind it, but they were putting on all kinds of places on the Internet thousands and thousands of postings which said that Mr Hegglin was a criminal, bastard, Nazi, paedophile, and so on.
They went into a lot of detail about his [alleged] Nazi, paedophile, criminal activities, so every time you did a Google search on him these were the first ten results, was this abusive material. We originally used the procedure under the Google Spain, what Google called the Costeja procedure. Google, on the first occasion, took fifty eight days to respond. By the time the case was almost due in court, they were responding in six hours. I’m sure that was a coincidence. The issue in that case, and the case was settled so it was never resolved - the issues also come up in other cases - is whether Google can be compelled to introduce an automated procedure for detecting particular groupings of text or particular images and blocking those proactively without being notified of individual URLs.

That itself gives rise to an issue which I don't think has been mentioned today but is a very important issue as to the relationship between the e-Commerce Directive and the Data Protection Directive. Google's position is that the e-Commerce Directive prevents courts from making proactive orders so that they have to block particular images or particular groups of text. The position of the people who brought the claims against Google is, if you read the e-Commerce Directive it says - this doesn't apply to data protection. Now that's an issue which has not been litigated in any court in the EU, save for one case in the Italian Court of Cassation, pre-Google Spain, where the reasoning, if I can dignify it with that word, occupies half a page and may be easier to follow in Italian but in the English translation it's impossible to work out what they mean. They have said, for reasons which are entirely obscure to me, that the e-Commerce Directive despite its express words takes precedence over the Data Protection Directive and therefore Google don't have to take things down unless they have knowledge of them. Unless you identify the particular URLs. That's an issue which just as a matter of practicality is going to come up more and more because it's one thing. Another problem is images. For example, the well-known case of Mr Max Mosley. There are their images related to him which are all over, extracted originally from the video taken by the undercover person working for the News of the World, that pop up all the time. What he wants is an active procedure. As some of you may know, he brought proceedings in France and in Germany where both the French and the Germans courts have made orders effectively requiring Google to take proactive steps. This is not a Google Spain question, this is a privacy question, but he's now brought proceedings in the English courts under Google Spain seeking similar sorts of orders. How those cases will ultimately pan out? The German case has just gone on appeal and judgment is due in five weeks time, I think. The French case is also going on appeal and the English case is continuing. But those are practical issues that arise once the courts in the EU exert jurisdiction over Google as they plainly can as a result of the Google Spain decision.