The US Court of Appeals for the Third Circuit has allowed a class action to proceed against Google relating to the company’s practice of side-stepping “cookie-blockers” on Internet Explorer and Safari’s browsers to track users’ internet activities without their consent. The class action brought a pot pourri of claims against Google. A Court upheld the dismissal of a number of claims, but re-opened the way for the plaintiffs to pursue claims of privacy violation under the California Constitution and California tort law.
The Court ruled that, if the plaintiffs’ factual pleadings are ultimately substantiated, it could be open to a reasonable jury to conclude that there was a “serious invasion of privacy” on the basis that Google deliberately overrode the “cookie-blockers” on Internet Explorer and Safari’s browsers and, at the same time, it held itself out as respecting the “cookie-blockers”. As part of this finding, the Court noted that “Google’s alleged conduct was broad, touching untold millions of internet users; it was surreptitious, surfacing only because of the independent research of Mayer and the Wall Street Journal; and it was of indefinite duration …“.
Link (US Court of Appeals, Third Circuit): In re: Google Cookie Placement Consumer Privacy Litigation
In this UK case, the Darmers made an application under section 7 of the Data Protection Act 1998 for access to all the data held about them by the law firm Taylor Wessing. In dismissing the application, the English High Court emphasised that the purpose of section 7, in entitling an individual to have access to personal information, is to check the accuracy of the information and to have it corrected if incorrect. Section 7 is not intended as an automatic tool to access all information relating to matters in which the requester may be named or involved. Nor is the purpose of section 7 to assist the requester to obtain discovery of documents that may assist the requester in litigation or complaints against third parties.
Link: Darmer v Taylor Wessing  EWHC 2366 (Ch)
In June 2013, Ben Grubb, a Fairfax reporter, requested access to “all metadata information” stored by Telstra relating to his mobile phone services.
Telstra refused the request on the basis that Mr Grubb’s identity could not be ascertained through the metadata and that it was therefore not personal information as defined under the Australian Privacy Act. The Privacy Commission disagreed, saying that although the metadata didn’t directly identify Mr Grubb, Mr Grubb’s identity was reasonably ascertainable by cross-matching the metadata against Telstra’s various network and records management systems.
The Commissioner noted that Telstra had a pool of over 120 staff who engaged this kind of data retrieval and that it used cross-matching for internal purposes and when responding to law enforcement agency requests.
Telstra has appealed the decision to the Administrative Appeals Tribunal.
Link: Ben Grubb and Telstra Corporation Ltd
The Banking Ombudsman has ordered a bank to pay $20,000 to a business owner after a bank employee methodically accessed the business company accounts, apparently without legitimate or authorised purpose.
The office recently released a guide outlining the approach it will take to privacy and confidentiality complaints.
Link: Privacy and confidentiality guide and case note
Telecommunications company, Orcon Ltd instructed Baycorp to recover $208.58 owed by Mr Taylor, a solider in the NZ Army. This instruction had “an immediate effect” on Mr Taylor’s credit rating and made it almost impossible for him to find rental accommodation for his wife and baby daughter. Mr Taylor claimed that the debt had been waived by agreement, meaning that the information Orcon had supplied Baycorp was inaccurate and therefore in breach of Principle 8 of the Privacy Act.
The Human Rights Tribunal agreed with Mr Taylor, awarding him $25,000 – $10,000 for loss of benefit and $15,000 for humiliation, loss of dignity, and injury to feelings. It also ordered Orcon to provide training to its staff in relation its obligations under the Act.
There are two points of general note.
First, organisations supplying personal customer details to a debt collection or credit reporting agency must ensure that the information is accurate, up to date, and not misleading. Here, Orcon had breached its legal responsibility by failing to investigate the facts in dispute before referring the debt to Baycorp.
Second, to meet the materiality threshold for an “interference” under section 66 of the Privacy Act, it is not necessary for the act or omission to be the sole, main, direct, indirect or “but for” cause of the harm. It is sufficient to establish that it made or might have made a more than trivial contribution to the occurrence or loss.
Link: Taylor v Orcon Ltd
Claimants’ entitlement to bring data breach class actions is currently a hot topic in the US. In a March 2015 US District Court decision, the Judge held that the plaintiffs did not have standing to sue because they weren’t able to demonstrate “actual misuse of the hacked data or specifically allege how such misuse is certainly impending”. In other words, the privacy breach is not in and of itself sufficient to prove standing. Similarly, in New Zealand, the Privacy Act expressly states its privacy principles generally “do not confer any legal right enforceable in a court of law”.
Source: Storm v Paytime Harrisburg, Inc.
The English Court of Appeal, in Google v Vidal Hall, determined two important issues of law – whether the cause of action for misuse of private information is a tort, and whether a claim for damage can be made under section 13 (compensation) of the Data Protection Act 1998 (DPA) without showing pecuniary loss. The case concerns Google’s collection of information about the browsing habits of Safari users without their knowledge and consent. The Court ruled that misuse of private information should be considered a tort, rather than an equitable claim for breach of confidence. The Court also held that the DPA permits compensation for non-pecuniary loss, such as distress, where privacy rights have been violated. In reaching this conclusion, the Court noted that distress is “often the only real damage caused by a contravention”.
Link: Google v Vidal Hall