Last year Google was embroiled in controversy over its circumvention of the Safari browser’s cookie-privacy settings (on the iPhone and beyond). As a result the company paid a $22.5 million fine to settle the case with the US FTC approximately a year ago.
The FTC summarizes the facts that led to the settlement:
[F]or several months in 2011 and 2012, Google placed a certain advertising tracking cookie on the computers of Safari users who visited sites within Google’s DoubleClick advertising network, although Google had previously told these users they would automatically be opted out of such tracking, as a result of the default settings of the Safari browser used in Macs, iPhones and iPads.
According to the FTC’s complaint, Google specifically told Safari users that because the Safari browser is set by default to block third-party cookies, as long as users do not change their browser settings, this setting “effectively accomplishes the same thing as [opting out of this particular Google advertising tracking cookie].” In addition, Google represented that it is a member of an industry group called the Network Advertising Initiative, which requires members to adhere to its self-regulatory code of conduct, including disclosure of their data collection and use practices.
Despite these promises, the FTC charged that Google placed advertising tracking cookies on consumers’ computers, in many cases by circumventing the Safari browser’s default cookie-blocking setting. Google exploited an exception to the browser’s default setting to place a temporary cookie from the DoubleClick domain. Because of the particular operation of the Safari browser, that initial temporary cookie opened the door to all cookies from the DoubleClick domain, including the Google advertising tracking cookie that Google had represented would be blocked from Safari browsers.
Those same facts led to a civil lawsuit in the UK by Apple users, which was filed earlier this year.
Now Google is moving to dismiss the UK case on jurisdictional grounds, arguing that it is not subject to UK privacy laws and that plaintiffs must refile their case in California where Google is based. Google argues, essentially, that UK courts have no jurisdiction over the company.
Making that claim involves a lot of chutzpah (audacity, not guts) on Google’s part.
Under US law, foreign companies can be sued if they’re “doing business” in the country or a particular state. There are some additional technical requirements, but basically if you’re operating in the US you’re going to be subject to US (and possibly state) laws under so-called “long arm jurisdiction” statutes.
If the tables were turned and Google were a UK company doing business in the US, it could never successfully make the argument it’s trying to make in the UK now. Google’s lawyers know this of course.
Google argues that UK nationals must come to the US and sue Google for privacy violations that happened on British soil. Would Google then argue that US and not UK law should be applied in the case as well? That’s what Google seems to be arguing.
The implications are pretty stunning. Playing them out, it would mean all international disputes involving US-based internet companies would have to be brought in the US and would be governed by US law.
For this reason there is almost zero chance that the UK court will accept and agree with Google’s argument. Doing so would effectively deprive UK courts of any authority over Google’s actions or policies in the country. It would, as a practical matter, give Google a sort of “diplomatic immunity” in the UK.
I would thus be shocked if the UK court went along with this.
The UK’s data protection authority apparently can only apply a fine of up to £500,000 ($782,000). The civil claimants’ counsel argues that such minuscule fines would have little impact and that a civil suit is necessary not only to compensate victims but also to punish Google and deter it from similar “bad behavior” in the future.