Tag: E-commerce

Posted on

Lloyd v Google. Court of Appeal overturns High Court, establishes jurisdiction viz US defendant. Takes a wider approach to loss of control over personal (browser-generated information) data constituting ‘damage’.

Update 4 June 2021 see a reference by the Austrian Supreme Court here, on the issue of whether loss of date control constitutes damage.

Update 16 July 2020 the Supreme Court has granted leave to appeal.

I reported earlier on Lloyd v Google at the High Court. The case involves Google’s alleged unlawful and clandestine tracking of iPhone users in 2011 and 2012 without their consent through the use of third party cookies.

The Court of Appeal in [2019] EWCA Civ 1599 has now overturned the High Court’s approach, nota bene just a day before the CJEU’s Eva Glawischnig-Piesczek v Facebook judgment.

Warby J in  [2018] EWHC 2599 (QB) Lloyd v Google (a class action suit with third party financing) had rejected jurisdiction against Google Inc (domiciled in the US) following careful consideration (and distinction) of the Vidal Hall (‘Safari users) precedent. In essence, Warby J held that both EU law (reference is made to CJEU precedent under Directive 90/314) and national law tends to suggest that “damage” has been extended in various contexts to cover “non-material damage” but only on the proviso that “genuine quantifiable damage has occurred”. This did not mean that misuse of personal data could not be disciplined under data protection laws (typically: by the data protection authorities) or other relevant national courses of action. But where it entails a non-EU domiciled party, and the jurisdictional gateway of ‘tort’ is to be followed, ‘damage’ has to be shown.

The Court of Appeal has now overturned. A first question it considered was whether control over data is an asset that has value. Sir Geoffrey Vos C at 47 held ‘a person’s control over data or over their BGI (browser-generated information, GAVC) does have a value, so that the loss of that control must also have a value’. Sir Geoffrey did not even have to resort to metanalysis to support this:  at 46: ‘The underlying reality of this case is that Google was able to sell BGI collected from numerous individuals to advertisers who wished to target them with their advertising. That confirms that such data, and consent to its use, has an economic value.’ And at 57: ‘the EU law principles of equivalence and effectiveness (‘effet utile’, GAVC) point to the same approach being adopted to the legal definition of damage in the two torts which both derive from a common European right to privacy.’

(The remainder of the judgment concerns issues of reflection of damage on the class).

Conclusion: permission granted to serve the proceedings on Google outside the jurisdiction of the court.

All in all an important few days for digital media corporations.

Geert.

Posted on

Brussels Court of Appeal rejects jurisdiction against Facebook Inc, Facebook Ireland in privacy, data protection case.

Update 17 June 2021 for analysis of the CJEU judgment in same see Lorna Woods here.

Update 10 September 2020 the case at the CJEU is listed as C-645/19.

The Brussels Court of Appeal held early May in a lengthy and scholarly judgment that it sees no ground in either public international law, or European law, for jurisdiction of the Belgian courts against Facebook Ireland and Facebook Inc (Palo Alto, California). I reported on the litigation inter alia here. I believe the Court is right, as readers of the blog know from my earlier postings.

Belgium’s Data Protection Authority (DPA) does not signal the rejection of jurisdiction against FB Ireland and FB Inc in its press release, however even its 3 page extract from the 121 page judgment clearly shows it (first bullet-point).

The questions which the Court of Appeal has sent up to Luxembourg concern Facebook Belgium only. The Court in the full judgment does not qualify FB Belgium’s activities as data processing. However it has very specific questions on the existence and extent of powers for DPAs other than the leading authority under the GDPR, including the question whether there is any relevance to the fact that action has started prior to the entry into force of the GDPR (25 May 2018). The Court is minded to interpret the one-stop shop principle extensively however it has doubt given the CJEU’s judgment in Fanpages

Crucial and so far, I believe, fairly unreported. (My delay explained by the possibility for use as an essay exam question – which eventually I have not).

Geert.

(Handbook of) EU private international law, 2nd ed.2016, chapter 2, Heading 2.2.8.2.5.

Posted on

Lloyd v Google. High Court rejects jurisdiction viz US defendant, interprets ‘damage’ in the context of data protection narrowly.

Update 11 December 2018 leave to appeal applied for.

Warby J in  [2018] EWHC 2599 (QB) Lloyd v Google (a class action suit with third party financing) considers, and rejects, jurisdiction against Google Inc (domiciled in the US) following careful consideration (and distinction) of the Vidal Hall (‘Safari users) precedent.

Of note is that the jurisdictional gateway used is the one in tort, which requires among others an indication of damage. In Vidal Hall, Warby J emphasises, that damage consisted of specific material loss or emotional harm which claimants had detailed in confidential court findings (all related to Google’s former Safari turnaround, which enabled Google to set the DoubleClick Ad cookie on a device, without the user’s knowledge or consent, immediately, whenever the user visited a website that contained DoubleClick Ad content.

In essence, Warby J suggests that both EU law (reference is made to CJEU precedent under Directive 90/314) and national law tends to suggest that “damage” has been extended in various contexts to cover “non-material damage” but only on the proviso that “genuine quantifiable damage has occurred”.

Wrapping up, at 74: “Not everything that happens to a person without their prior consent causes significant or any distress. Not all such events are even objectionable, or unwelcome. Some people enjoy a surprise party. Not everybody objects to every non-consensual disclosure or use of private information about them. Lasting relationships can be formed on the basis of contact first made via a phone number disclosed by a mutual friend, without asking first. Some are quite happy to have their personal information collected online, and to receive advertising or marketing or other information as a result. Others are indifferent. Neither category suffers from “loss of control” in the same way as someone who objects to such use of their information, and neither in my judgment suffers any, or any material, diminution in the value of their right to control the use of their information. Both classes would have consented if asked. In short, the question of whether or not damage has been sustained by an individual as a result of the non-consensual use of personal data about them must depend on the facts of the case. The bare facts pleaded in this case, which are in no way individualised, do not in my judgment assert any case of harm to the value of any claimant’s right of autonomy that amounts to “damage”…”

The judgment does not mean that misuse of personal data cannot be disciplined under data protection laws (typically: by the data protection authorities) or other relevant national courses of action. But where it entails a non-EU domiciled party, and the jurisdictional gateway of ‘tort’ is to be followed, ‘damage’ has to be shown.

Geert.

 

Posted on

On soggy grounds. The GDPR and jurisdiction for infringement of privacy.

Update 25 March 2019 See also Lydia Lundstedt’s paper on the same issues here. See also Max Schrems’ report on the courts at Vienna applying A79 here, and the excellent chapter by prof Hess on the troublesome matrix of jurisdictional rules in his gem of a book ‘The private-Public divide in international dispute resolution‘.

Many thanks to Julien Juret for asking me contribute to l’Observateur de Bruxelles, the review of the French Bar representation in Brussels (la Délégation des barreaux de France). I wrote this piece on the rather problematic implications of the GDPR, the General Data Protection Regulation, on jurisdictional grounds for invasion of privacy.

I conclude that the Commission’s introduction of Article 79 GDPR without much debate or justification, will lead to a patchwork of fora for infringement of personality rights. Not only will it take a while to settle the many complex issues which arise in their precise application. Their very existence arguably will distract from harmonised compliance of the GDPR rules.

I owe Julien and his colleagues the French translation (as well as their patience in my late delivery) for I wrote the piece initially in English. Readers who would like to receive a copy of that EN original, please just send me an e-mail. (Or try here, which if it works should have both the FR and the EN version).

Geert.

(Handbook of) EU Private International Law, 2nd ed. 2016, Chapter 2, Heading 2.2.8.2.5.

Posted on

Jurisdiction for libel over the internet. Haaretz v Goldhar at the Canadian SC.

When I reported the first salvos in Goldhar v Haaretz I flagged that the follow-up to the case would provide for good comparative conflicts materials. I have summarised the facts in that original article. The Ontario Court of Appeal in majority dismissed Haaretz’ appeal in 2016, 2016 ONCA 515. In Haaretz.com v. Goldhar, 2018 SCC 28, the Canadian Supreme Court has now held in majority for a stay on forum non conveniens grounds. Both the lead opinion, the supporting opinions and the dissents include interesting arguments on forum non conveniens. Many of these, as Stephen Pitel notes, include analysis of the relevance of obstacles in enforcement proceedings.

If ever I were to get round to compiling that published reader on comparative conflicts, this case would certainly feature.

Have a good start to the working-week (lest it started yesterday in which case: bonne continuation).

Geert.

(Handbook of) EU private international law, 2nd ed. 2016, Chapter 2, Heading 2.2.14.5.

Posted on

One of those groundhog days. The Brussels Court of First instance on Facebook, privacy, Belgium and jurisdiction.

Update May 2019 the Court of Appeal reportedly has referred to the CJEU. However update 19 June 2019 as I explain here, that referral is on limited issues only. The court has rejected jurisdiction against FB Ireland and FB Inc.

I have flagged once or twice that the blog is a touch behind on reporting – I hope to be on top soon.

I blogged a little while ago that the Brussels Court of Appeal had sided with Facebook in their appeal against the Court of first instance’s finding of Belgian jurisdiction. I had earlier argued that the latter was wrong. These earlier skirmishes were in interim proceedings. Then, in February, the Court of First instance, unsurprisingly, reinstated its earlier finding, this time with a bit more substantial flesh to the bone.

First, a bit of Belgian surrealism. In an interlocutory ruling the court had requested FB to produce full copy of the Court of Appeal’s judgment upon which it relied for some of its arguments. Perhaps given the appalling state of reporting of Belgian case-law, this finding should not surprise. Yet it remains an absurd notion that parties should produce copies at all of Belgian judgments, not in the least copies of a Court of Appeal which is literally one floor up from the Court of first instance.

Now to the judgment. The court first of all confirms that the case does not relate to private international law for the privacy commission acts iure imperii (I summarise). Then follows a very lengthy and exhaustive analysis of Belgium’s jurisdiction on the basis of public international law. Particularly given the excellent input of a number of my public international law colleagues, this part of the judgment is academically interesting nay exciting – but also entirely superfluous. For any Belgian jurisdiction grounded in public international law surely is now exhausted regulated by European law, Directive 95/46 in particular.

In finally reviewing the application of that Directive, and inevitably of course with reference to Weltimmo etc. the Court essentially assesses whether Facebook Belgium (the jurisdictional anchor) carries out activities beyond mere representation vis-a-vis the EU institutions, and finds that it does carry out commercial activities directed at Belgian users. That of course is a factual finding which requires au faitness which the employees’ activities.

Judgment is being appealed by Facebook – rightly so I believe. Of note is also that once the GDPR applies, exclusive Irish jurisdiction is clear.

Geert.

 

 

 

Posted on

Planet49: pre-ticked agreement with clauses in terms and conditions.

Update 1 October 2019 the CJEU held today and as expected found such agreements to be invalid. Update 21 March 2019. Szpunar AG opined today and suggests there is no such valid consent. Update 14 November 2018 Hearing took place yesterday – Opinion AG scheduled for 28 February 2019.

A quick flag to those of you following consumer protection and the Directive (2002/58) on privacy and electronic communications. In Case C-673/17 Planet49 the Court of Justice is being asked to clarify to what extent a website which pre-ticks boxes in general terms and conditions (here: to share relevant personal data) is compatible with relevant EU laws.

File of the case here (in Dutch only).

Geert.

 

Posted on

Douez v Facebook: Consumers as protected categories in Canadian conflict of laws.

Postscript 16 May 2018 Tanya Monestier article re same here.

Thank you Stephen Pittel for flagging 2017 SCC 33 Douez v Facebook Inc.  Stephen also discusses the forum non conveniens issue and I shall leave that side of the debate over to him. What is interesting for comparative purposes is the Supreme Court’s analysis of the choice of court clause in consumer contracts, which it refuses to enforce under public policy reasons, tied to two particular angles:

  • ‘The burdens of forum selection clauses on consumers and their ability to access the court system range from added costs, logistical impediments and delays, to deterrent psychological effects. When online consumer contracts of adhesion contain terms that unduly impede the ability of consumers to vindicate their rights in domestic courts, particularly their quasi-constitutional or constitutional rights, public policy concerns outweigh those favouring enforceability of a forum selection clause.’ (emphasis added)

Infringement of privacy is considered such quasi-constitutional right.

  • ‘Tied to the public policy concerns is the “grossly uneven bargaining power” of the parties. Facebook is a multi-national corporation which operates in dozens of countries. D is a private citizen who had no input into the terms of the contract and, in reality, no meaningful choice as to whether to accept them given Facebook’s undisputed indispensability to online conversations.’

With both angles having to apply cumulatively, consumers are effectively invited to dress up their suits as involving a quasi-constitutional issue, even if all they really want is their PSP to be exchanged, so to speak. I suspect however Canadian courts will have means of sorting the pretended privacy suits from the real ones.

A great judgment for the comparative binder (see also Jutta Gangsted and mine paper on forum laboris in the EU and the US here).

Posted on

Wiseley v Amazon: on consumer contracts, click-wrap and putative laws.

Thank you Jeffrey Neuburger for flagging Wiseley v Amazon in the US Federal Court of Appeal (9th circuit). Jeffrey has excellent overview and analysis so I will suffice with identifying a few tags: the issue of click-wrap agreements (when does one agree to GTCs contained in pop-ups and hyperlinks and the like); application of a putable law to a contract (the von Munchausen or ‘bootstrap’ principle); comparative dispute resolution law: how would EU law look at the issues? Have fun.

Geert.

 

%d bloggers like this: