On April 17, 2020, the UK’s Information Commissioner’s Office (“ICO”) issued an opinion on the recently announced Apple-Google initiative to develop a Bluetooth-based Contact Tracing Framework (“CTF”) to help prevent the spread of COVID-19.  The ICO opinion is generally supportive of the Apple-Google proposal and perceives it to be, at this early phase, aligned with principles of data protection by design and by default.  The ICO also cautions that since apps developed under the CTF could also be used to collect additional data using other techniques beyond those currently planned, developers of such apps must ensure compliance with data protection laws.

Continue Reading UK ICO Issues Opinion on Apple-Google Initiative for a Contact Tracing Framework

On September 24, 2019, the Court of Justice of the European Union (“CJEU”) adopted a decision on the geographical scope of the right to erasure under the GDPR (decision available here).  The court decided, in line with the opinion of Advocate General Szpunar, that a US-based search engine does not have to remove (de-reference) search results displayed on all the search engine’s versions.  According to the court, it suffices for search results to be deleted from the search engine’s EU versions (i.e., EU domain name extensions, such as .eu, .fr or .de).  For more information on the Advocate General’s opinion, see our prior blog post here.

Continue Reading GDPR’s right to be forgotten limited to EU websites

On January 21, 2019, the French Supervisory Authority for data protection (“CNIL”) issued a fine of €50 million against Google for violations of the General Data Protection Regulation (“GDPR”) (the decision was published in French here).  The CNIL’s decision was triggered by complaints from two non-profit organizations together representing 9974 individuals. The case raises

On January 10, 2019, Advocate General Szpunar of the Court of Justice of the European Union (CJEU) released his opinion regarding a 2016 enforcement action carried out by the French Supervisory Authority (CNIL) against Google.  In that case, the CNIL ordered Google to de-reference links to webpages containing personal data.  According to the CNIL, the

The UK Information Commissioner’s Office (“ICO”), which enforces data protection legislation in the UK, has ruled that the NHS Royal Free Foundation Trust (“Royal Free”), which manages a London hospital, failed to comply with the UK Data Protection Act 1998 in providing 1.6 million patient records to Google DeepMind (“DeepMind”), requiring the Royal Free to sign an undertaking committing to changes to ensure it is acting in line with the UK Data Protection Act.

On September 30,  2015, the Royal Free entered into an agreement with Google UK Limited (an affiliate of DeepMind) under which DeepMind would process approximately 1.6 million partial patient records, containing identifiable information on persons who had presented for treatment in the previous five years together with data from the Royal Free’s existing electronic records system.  On November 18, 2015, DeepMind began processing patient records for clinical safety testing of a newly-developed platform to monitor and detect acute kidney injury, formalized into a mobile app called ‘Streams’.
Continue Reading ICO Rules UK Hospital-DeepMind Trial Failed to Comply with UK Data Protection Law

Last week, the Third Circuit revived a multi-district privacy lawsuit against Google, finding that the trial court erred in dismissing the plaintiffs’ privacy claims under California state law.  The case centers around the plaintiffs’ allegations that Google violated state and federal law by circumventing the Safari browser’s default “cookie blocker” settings to track users’ online activity while publicly professing to respect users’ Safari browser settings.  While the Third Circuit affirmed the trial court’s dismissal of federal claims under the Wiretap Act, the Stored Communications Act (SCA), and the Computer Fraud and Abuse Act (CFAA), the court vacated the district court’s dismissal of the plaintiffs’ claims under California tort law and the California constitution’s right to privacy.

The plaintiffs’ claims originated from a 2012 Wall Street Journal article describing a researcher’s findings that Google, despite the Safari browser’s default settings intended to blocking tracking cookies, had utilized methods to circumvent these settings and track Safari users’ Internet browsing habits via tracking cookies.  At the same time, the plaintiffs alleged, Google made a series of public statements, including statements within its privacy policy, indicating that it respected the Safari browser’s cookie-blocking settings.  Google subsequently entered into settlements with the Department of Justice and a consortium of state attorneys general over its practices.  Twenty-four plaintiffs also filed putative class action suits against Google and third-party advertisers, alleging violations of federal and state privacy law.  The suits were combined into the instant litigation in the District of Delaware, and in October 2013, the district court dismissed the complaint in its entirety, finding that the plaintiffs failed to state a claim.


Continue Reading Third Circuit Resurrects State Law Claims Against Google in Safari Cookie Tracking Lawsuit

The UK Supreme Court has granted Google the right to appeal part of the English and Welsh Court of Appeal’s notable ruling in Google Inc. v. Vidal-Hall & Ors [2015] EWCA Civ 311.

Our previous blog highlighted the facts of the case (brought by Internet users against Google’s ad-tracking practices) and the significant consequences

Pursuant to a press release of April 8, 2014, the Hamburg data protection authority (the “Hamburg DPA”) essentially upheld its order of September 2014, in which it found that certain of Google’s data processing operations explained in its 2012 privacy policy violated German data protection law. More in particular, the Hamburg DPA established that Google’s

Dan Cooper and Phil Bradley-Schmieg

On March 27, 2015, the England and Wales Court of Appeal (EWCA) handed down a historic judgment in Google Inc v. Vidal-Hall & Ors [2015] EWCA Civ 311, with significant consequences for organizations handling personal data in, or from, the UK.

This case was brought against Google Inc. by three users of Apple’s Safari web browser.  They argued that over a period of nine months, Google’s DoubleClick and AdSense services secretly tracked their visits to all websites that used Google AdSense to serve advertising, contrary to Google’s public assurances that users who maintained Safari’s default privacy settings would not be tracked or profiled by DoubleClick, or receive personalized advertising.  This, they allege, allowed Google to wrongfully build up a detailed picture of their browsing history from which it could deduce their interests and personal characteristics, and thus serve personalized adverts.  Similar cases have been brought against Google in the United States, leading to a US$22.5 million U.S. Federal Trade Commission fine and a US$17 million settlement with state attorneys general.
Continue Reading English Court of Appeal Decision Significantly Expands UK Privacy Law

Regulators and courts in the EU are increasingly vigilant in relation to privacy practices and policies of large online companies.  In recent years and months, the pressure increases not only through privacy-specific regulations and enforcement, but also through the application of consumer legislation.  As the below examples from France and Germany show, some courts or regulators assess privacy practices and policies against the rules on unfair or abusive trade practices — in some countries, the legislator is even proposing new laws to that end.  This is a worrying trend, as it could trigger the application of an additional set of rules to privacy policies, and implies that EU consumer protection authorities may acquire competence in relation to online privacy policies, in addition to the EU data protection regulators.


Continue Reading European Consumer Legislation and Online Privacy Policies: Opening Pandora’s Box?