[Home] [Databases] [World Law] [Multidatabase Search] [Help] [Feedback]
	England and Wales High Court (Queen's Bench Division) Decisions
You are here: BAILII >> Databases >> England and Wales High Court (Queen's Bench Division) Decisions >> Mosley v Google Inc & Anor [2015] EWHC 59 (QB) (15 January 2015) URL: http://www.bailii.org/ew/cases/EWHC/QB/2015/59.html Cite as: [2015] EMLR 11, [2015] EWHC 59 (QB)

[New search] [Printable RTF version] [Help]

IN THE HIGH COURT OF JUSTICE
QUEEN'S BENCH DIVISION

		Royal Courts of Justice Strand, London WC2A 2LL
		15/01/2015

MR. JUSTICE MITTING :

1. On 28th March 2008, a prostitute took video footage of the claimant on a concealed camera provided to her by a News of the World journalist while he was engaged in private sexual activity in a flat in Chelsea. Still images from the footage were published prominently in the News of the World newspaper on 30th March 2008, and edited footage was displayed on the News of the World website on 30th and 31st March 2008. The newspaper and website were viewed by millions of people.
2. After a trial in July 2008, in a judgment handed down on 24th July 2008, Eady J found that the claimant had a reasonable expectation of privacy in relation to sexual activities which had been infringed by publication of the images and footage, and awarded him £60,000 compensatory damages and a permanent injunction restraining NGN Limited, publishers of the News of the World, from republishing them. No injunction was made against persons who were not parties to the action.
3. The claimant hoped that the successful outcome of his litigation and the deterrent effect which it would have on persons minded to republish the images or footage would lead to a gradual loss of interest in these events. To a degree, this has happened; but persons other than NGN still maintain posts of the images on websites accessible by search engines on the internet.
4. Google Inc, a US corporation incorporated in Delaware, operates the most commonly used search engine in the United Kingdom and within the European Economic Area. It has a policy of blocking access to individual Uniform Resource Locators (in common parlance, precise website addresses or pages) when identified to them by the claimant and his solicitors. This has been effective in relation to each such site. But as the claimant's solicitor, Mr. Crossley, has demonstrated in paragraph 28 of his third witness statement of 12th December 2014, it is a Sisyphean task; even when a number of sites are blocked, many remain and some appear anew. It is at least arguable that this means of blocking access to the images is insufficiently effective to secure their disappearance from view.
5. By a claim form issued on 23rd July 2014, the claimant claimed damages and injunctive relief against Google Inc and its wholly owned UK subsidiary, Google UK. Permission to serve the claim form on Google Inc was granted by Master Fontaine on 1st August 2014. Both defendants then applied to strike out the claim and/or for judgment to be entered in their favour on the basis that it had no real prospect of success.
6. The claim against Google UK has been, or will shortly be, discontinued. I need, therefore, only consider that against Google Inc (which I will refer to hereafter as Google).
7. The claim is put in two ways:

(1) At common law, for misuse of personal information by publishing it, by the means by which Google software directs searches to website addresses displaying the images;

(2) Under sections 10 and/or 13 and 14 of the Data Protection Act 1998.

8. For a variety of reasons canvassed in the course of argument, the first claim is, from the point of the view of the claimant, at best deeply problematic. Both parties have sensibly accepted my suggestion that I should not determine Google's application in relation to it, but either stay this part of the claim or order the second part to be determined as a preliminary issue.
9. I think that the right course is to stay it. In that way, it can only proceed if, on application by the claimant, following determination of the remainder of his claim, he can persuade a court that he has a viable claim on the first basis which should proceed to trial. If he succeeds on the remainder of his claim, he is unlikely to think it sensible to revive the first basis of claim, and a court would be unlikely to permit him to do so, for it would serve no purpose. If he fails, I strongly doubt that the first basis of claim would be or become viable.
10. The Data Protection Act 1998 was enacted to give effect to Directive 95/46/EC of the European Parliament and of the Council of 24th October 1995, "the Data Protection Directive". Important policy considerations to which the Directive gives effect are set out in Recitals (2) and (10).

"(2) Whereas data-processing systems are designed to serve man; whereas they must, whatever the nationality or residence of natural persons, respect their fundamental rights and freedoms, notably the right to privacy, and contribute to economic and social progress, trade expansion and the well-being of individuals".

"(10) Whereas the object of the national laws on the processing of personal data is to protect fundamental rights and freedoms, notably the right to privacy, which is recognised both in Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms and in the general principles of Community law; whereas, for that reason, the approximation of those laws must not result in any lessening of the protection they afford but must, on the contrary, seek to ensure a high level of protection in the Community."

11. The first of the two principal objectives of the Directive are set out in Article 1.

"1. In accordance with this Directive, Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data".

12. Subject to exceptions which are not relevant for present purposes, Member States are required to prohibit the processing of personal data concerning sex life (see Article 8.1).
13. "Processing of personal data" is defined in Article 2(b) as "any operation or set of operations which is performed upon personal data whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction".
14. The Directive applies to the processing of personal data wholly or partly by automatic means (see Article 3.1). Data must be processed by someone. That person is known as a "controller", as defined by Article 2(d), "the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data".
15. The Data Protection Directive sets out principles which must govern data processing, and, by Article 22, requires Member States to provide a judicial remedy for any breach of the rights guaranteed by national law. With one qualification, which is the subject of a pending appeal about the transposition of Article 23.1 of the Directive into section 13 of the 1998 Act, that Act transposes the Directive into UK law in a manner which is consistent with it.
16. The definitions of "data", "data processing" and "data controller" in section 1 are, effectively, identical. Sensitive personal data includes information as to a person's sexual life (see section 2(f)). The principles are set out in Schedule 1.
17. Sections 10, 13 and 14 set out the means by which anyone concerned about the processing of his personal data, including sensitive personal data, may seek redress.

"10. Right to prevent processing likely to cause damage or distress.

(1) Subject to subsection (2), an individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing, or processing for a specified purpose or in a specified manner, any personal data in respect of which he is the data subject, on the ground that, for specified reasons –

(a) the processing of those data or their processing for that purpose or in that manner is causing or is likely to cause substantial damage or substantial distress to him or to another, and

(b) that damage or distress is or would be unwarranted"….

"(4) If a court is satisfied, on the application of any person who has given a notice under subsection (1) which appears to the court to be justified (or to be justified to any extent) that the data controller in question has failed to comply with the notice, the court may order him to take such steps for complying with the notice (or for complying with it to that extent) as the court thinks fit. "

Subsection (3) provides for a response by the data controller.

18. "13. Compensation for failure to comply with certain requirements.

"(1) An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage."

(2) An individual who suffers distress by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that distress if --

(a) the individual also suffers damage by reason of the contravention, or

(b) the contravention relates to the processing of personal data for the special purposes."

Those are not relevant for present purposes.

19. "14. Rectification, blocking, erasure and destruction.

(4) If a court is satisfied on the application of a data subject --

(a) that he has suffered damage by reason of any contravention by a data controller of any of the requirements of this Act in respect of any personal data, in circumstances entitling him to compensation under section 13, and

(b) that there is a substantial risk of further contravention in respect of those data in such circumstances, the court may order the rectification, blocking, erasure or destruction of any of those data".

20. By two notices served on 20th December 2011 and 18th June 2014, the claimant's solicitors required Google to cease processing the images under section 10 of the 1998 Act. Google responded that it was not a data controller and that the notices did not identify the personal data in respect of which it was given or the steps required to cease processing it.
21. Until 13th May 2014, when the judgment of the Grand Chamber of the Court of Justice was handed down in Google Spain SL v. Agencia Espanola de Proteccion de Datos, [2014] QB 1022, "Costeja", the general view was that an internet service provider such as Google was not a "controller" of data even though it processed it (see, for example, the opinion of the Advocate General in Costeja, at paragraph 100).
22. The Grand Chamber established unequivocally that it was, for the reasons which it explained in paragraphs 21, 28, 33 to 34, and 38 of its judgment. Its conclusion is set out in paragraph 41.

"It follows from all the foregoing considerations that the answer to question 2(a) and (b) is that Article 2 (b) and (d) of Directive 95/46 are to be interpreted as meaning that, first, the activity of a search engine consisting in finding information published or placed on the internet by third parties, indexing it automatically, storing it temporarily and, finally, making it available to internet users according to a particular order of preference must be classified as 'processing of personal data' within the meaning of Article 2(b) when that information contains personal data and, second, the operator of the search engine must be regarded as the 'controller', in respect of that processing, within the meaning of Article 2(d)".

23. Mr. White Q.C., for Google, therefore, sensibly concedes in this case that Google is the data controller for the purpose of the 1998 Act and, in particular, of section 10.
24. On a straightforward reading of section 10, provided that the claimant proves that he has suffered or is suffering substantial unwarranted damage or distress as a result of the processing of his personal data by Google (as he says he has) and has given written notice to Google (as he has done) and Google do not advance any reason for stating that the notice is unjustified, the claimant is entitled to ask the court to order Google to take such steps as it thinks fit to comply with the notice and the court is entitled so to order.
25. Apart from the reasons of principle set out below, Google does not give any reason why the notice is unjustified. The claimant's assertion that he has suffered substantial unwarranted distress is plainly capable of belief, and, if so, founding the remedy which he seeks. Subject, therefore, to Google's argument of principle, the claimant's claim for relief under section 10 is at least reasonably arguable.
26. His claim for monetary compensation and relief under sections 13 and 14 depends on proof of damage, as to which there is a pending appeal to the Court of Appeal in another case. I propose to stay that part of his claim until that appeal has been decided.
27. Google's objections of principle are founded on Directive 2000/31/EC of the European Parliament and of the Council on 8th June 2000, the E-Commerce Directive. The principal objective of this Directive is identified in Recital (2) and Article 1.1.

"(2): The development of electronic commerce within the information society offers significant employment opportunities in the Community, particularly in small and medium-sized enterprises, and will stimulate economic growth and investment in innovation by European companies, and can also enhance the competitiveness of European industry, provided that everyone has access to the Internet."

28. Article 1.1:

"This Directive seeks to contribute to the proper functioning of the internal market by ensuring the free movement of information society services between the Member States."

29. The Directive applies to, amongst others, internet service providers such as Google who facilitate the obtaining of information provided by others via the internet. It is unnecessary to set out the somewhat technical definitions which achieve that result because it is common ground that it is so.
30. It provides a significant degree of protection for them in section 4. Article 12 applies to internet service providers who merely provide a conduit for the flow of information. Article 14 applies to those who store information. Article 13 applies to internet service providers such as Google who operate a search engine.
31. To appreciate its effect it is necessary to understand how a search works. It has been helpfully explained by Mr. Barker, Google's solicitor, in section two of his first witness statement of 29th October 2014. There are about 60 trillion web pages posted onto the internet of which about 30 billion are indexed and so accessible via a search engine. Over 1.2 trillion searches a year are made. Each web page is identified by a unique string of characters known as the Uniform Resource Locater.
32. So, too, are images deployed on a web page. As this case only concerns images I will confine the remainder of the explanation to images. A person searching for an image will click on to a "thumbnail" of the image; a copy of the original reduced in size and definition so as to reduce the computing power required to identify and display it. The "thumbnail" is stored in a "cache". All this is done automatically.
33. Subject to recent steps which have been devised to block access to child sexual abuse imagery, Google exercises no control over the content of images displayed on the website and cached. When an internet user keys in search words, "thumbnails", if relevant, may be displayed. Searchers can then click on the "thumbnails" and see displayed a full-sized copy of the original image. The order in which "thumbnails", like other material, is displayed in response to a search is determined by an algorithm without human intervention.
34. Article 13 affords legal protection to internet service providers such as Google who "cache" information and images. Article 13:

"Caching". 1: Where an information society service is provided that consists of the transmission in a communication network of information provided by a recipient of the service, Member States shall ensure that the service provider is not liable for the automatic, intermediate and temporary storage of that information, performed for the sole purpose of making more efficient the information's onward transmission to other recipients of the service upon their request, on condition that:

(a) the provider does not modify the information;

(b) the provider complies with conditions on access to the information;

(c) the provider complies with rules regarding the updating of the information, specified in a manner widely recognised and used by industry;

(d) the provider does not interfere with the lawful use of technology, widely recognised and used by industry, to obtain data on the use of the information; and

(e) the provider acts expeditiously to remove or to disable access to the information it has stored upon obtaining actual knowledge of the fact that the information at the initial source of the transmission has been removed from the network, or access to it has been disabled, or that a court or an administrative authority has ordered such removal or disablement."

35. That conditional exemption is subject to a proviso set out in Article 13.2:

"This Article shall not affect the possibility for a court or an administrative authority, in accordance with Member States' legal systems, of requiring the service provider to terminate or prevent an infringement."

36. Member States are also prohibited from imposing a general obligation to monitor the internet by Article 15:

"No general obligation to monitor. 1. Member States shall not impose a general obligation on providers, when providing the services covered by Articles 12, 13 and 14, to monitor the information which they transmit or store, nor a general obligation actively to seek facts or circumstances indicating illegal activity."

37. Mr. White submits that the effect of these provisions is conditionally to exclude legal liability on an internet service provider for information and images retrieved by a user via a search engine. A decision of the Court of Appeal under Article 12, the "mere conduit" provision upholding the reasoning of Kenneth Parker J in British Telecom plc and The Culture Secretary [2011] 3 CMLR 5 at paragraph 102, supports his proposition and binds me.
38. Kenneth Parker J was dealing with intellectual property rights, and in that context said:

"It seems to me, particularly in the light of that legislative history, that liability 'for the information transmitted' is a carefully delineated and careful concept. As regards copyright material, this language is broadly contemplating a scenario in which a person other than the ISP has unlawfully placed the material in the public domain or has unlawfully downloaded such material, and a question then arises whether the ISP, putatively a mere conduit for the transmission of the information, also incurs a legal liability in respect of the infringement. That liability could take the form of a fine (in criminal or regulatory proceedings) or damages or other compensation payable to the copyright owner, or some form of injunctive relief."

39. He considered that the effect of Article 12 was to exclude such liability. The Court of Appeal upheld his reasoning at 2012 Business Law Reports 1766, at paragraph 53.
40. Mr. Tomlinson QC, for the claimant, submits that that reasoning does not avail Google in this case for three reasons. (1) Google has modified the images and so does not fulfil the condition in Article 13.1(a); (2) the E-Commerce Directive has no application to the processing of personal data, which is governed exclusively by the Data Protection Directive and the 1998 Act; (3) if it does, the proviso in Article 13.2 applies and either permits or requires the court to provide a remedy to a person whose data protection rights have been infringed.
41. Though others have expressed doubts about Mr. Tomlinson's first proposition, I have no doubt that on the evidence Google does not modify images when it reduces them to "thumbnails". All that it does is to reduce their size and definition. The image conveys precisely the same information and impression to the viewer as does the original. In my judgment, for an image to be modified the information and impression given to a viewer must be altered by, for example, the alteration of the image itself or the addition of something, including text, to it.
42. His second and third points are of more substance. Recital 14 of the E-Commerce Directive states:

"The protection of individuals with regard to the processing of personal data is solely governed by Directive 95/46/EC of the European Parliament and of the Council of 24th October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data....these Directives already establish a Community legal framework in the field of personal data and therefore it is not necessary to cover this issue in this Directive in order to ensure the smooth functioning of the internal market, in particular the free movement of personal data between Member States; the implementation and application of this Directive should be made in full compliance with the principles relating to the protection of personal data, in particular as regards unsolicited commercial communication and the liability of intermediaries; this Directive cannot prevent the anonymous use of open networks such as the Internet."

43. Effect to that policy is given by Article 1.5(b) which states:

"This Directive shall not apply to.... (b) questions relating to information society services covered by Directives 95/46/EC...."

44. The issue was not addressed by the Grand Chamber in Costeja but the Advocate General did refer to the E-Commerce Directive in his opinion at paragraphs 36 and 37. If, as Mr. White contends, Google could have been under no legal liability as "controller", the conclusion reached by the Grand Chamber is at least inconsistent with that contention.
45. Two conclusions seem to me to be possible: (1) Mr. Tomlinson's primary submission is right. The Data Protection Directive provides, subject to one final point on monitoring, a comprehensive and exclusive code governing the obligations of internet service providers; (2) the two Directives must be read in harmony and both, where possible, must be given full effect to. This was the opinion of the Italian Court of Cassation in Milan Public Prosecutor's Office v Drummond, 12th December 2013, at paragraph 7.4.
46. My provisional preference is for the second view. Leaving aside legal niceties, what matters is whether or not a person whose sensitive personal data has been wrongly processed by an internet service provider can ask the court to order it to take steps to cease to process that data.
47. Article 22 of the Data Protection Directive, section 10 of the Data Protection Act, and Article 13.2 of the E-Commerce Directive are as one in permitting it, and Article 18 of the E-Commerce Directive requires that a judicial remedy is available:

"Member States shall ensure that court actions available under national law concerning information society services' activities allow for the rapid adoption of measures, including interim measures, designed to terminate any alleged infringement and to prevent any further impairment of the interests involved."

48. Whichever way this interesting issue is to be decided, the claimant plainly has a legal remedy which the court may grant.
49. Mr. White's final submission is that on the facts Article 15 of the E-Commerce Directive prohibits the making of the orders sought because what the claimant requires amounts to general monitoring. At first blush, the prohibition on general monitoring does not apply to monitoring in a specific case. This impression is supported by Recital (47) of the E-Commerce Directive:

"Member States are prevented imposing a monitoring obligation on service providers only with respect to obligations of a general nature; this does not concern monitoring obligations in a specific case and, in particular, does not affect orders by national authorities in accordance with national legislation."

50. However, the jurisprudence of the Court of Justice suggests otherwise. In L'Oreal SA and eBay International AG [2012] Bus LR 1369, at paragraph 139, the court stated:

"First, it follows from article 15(1) of Directive 2000/31, in conjunction with article 2(3) of Directive 2004/48, that the measures required of the online service provider concerned cannot consist in an active monitoring of all the data of each of its customers in order to prevent any future infringement of intellectual property rights via that provider's website."

51. This lead the General Court to discharge an order requiring the installation of a filtering system to prevent file sharing in breach of copyright in SABAM (No.1) C-70/10, 24 November 2011, [2012] ECDR 4, because it involved active observation of all electronic communications conducted on the network.
52. It should be noted, however, that the Grand Chamber in L'Oreal also stated, at paragraph 144, in relation to trade mark infringement that:

"In view of the foregoing, the answer to the tenth question is that the third sentence of article 11 of Directive 2004/48, must be interpreted as requiring the member states to ensure that the national courts with jurisdiction in relation to the protection of intellectual property rights are able to order the operator of an online marketplace to take measures which contribute, not only to bringing to an end infringements of those rights by user of that marketplace, but also to preventing further infringements of that kind. Those injunctions must be effective, proportionate, dissuasive and must not create barriers to legitimate trade."

53. In my judgment, no lesser standard is to be expected in upholding the rights of individuals to have sensitive personal information lawfully processed. The evidence which I have is not such as to permit a judgment to be made now on whether or not the steps required by the claimant would involve monitoring in breach of Article 15(1) of the E-Commerce Directive.
54. Given that it is common ground that existing technology permits Google, without disproportionate effort or expense, to block access to individual images, as it can do with child sexual abuse imagery, the evidence may well satisfy a trial judge that it can be done without impermissible monitoring. Accordingly, even if monitoring is not permissible in a data protection case, as to which I express no view, the claimant has a viable case on this issue, which might well succeed.
55. For all of those reasons, in my judgment, the claimant's primary case on the issues which I have identified is not such that it has no real prospect of success. On the contrary, it seems to me to be a viable claim which raises questions of general public interest, which ought to proceed to trial.
- - - - - - - - - -