Julia Hörnle, Professor of Internet Law, CCLS, Queen Mary University of London[1]
It is now well known that internet users are widely tracked and profiled by a range of actors and the advancements in data science mean that such tracking and profiling is increasingly commercially profitable[2]. This raises difficult questions about how to balance the value of data with individual privacy. But since there is no point in having privacy (or data protection) rights if no redress can be found to vindicate them, it is even more important to investigate how internet users can obtain justice, if their privacy has been infringed. Given the power of Big Tech Companies, their enormous financial resources, cross-jurisdictional reach and their global impact on users’ privacy, there are two main litigation challenges for successfully bringing a privacy claim against Big Tech. One is the jurisdictional challenge of finding a competent court in the same jurisdiction as the individual users.[3] Secondly, the challenge is how to finance mass claims, involving millions of affected users. In privacy claims it is likely that there is significant user detriment, potentially with long-term and latent consequences, which are difficult to measure. This constellation provides a strong argument for facilitating collective redress, as otherwise individual users may not be able to obtain justice for privacy infringements before the courts. In privacy infringement claims these two challenges are intertwined and present a double-whammy for successful redress. Courts in a number of recent cases had to grapple with questions of jurisdiction in consumer collective redress cases in the face of existing provision on consumer jurisdiction and collective redress, which have not (yet) been fully adapted to deal with the privacy challenges stemming from Big Tech in the 21st century.
In Case C-498/16 Max Schrems v Facebook Ireland[4] the Court of Justice of the EU in 2018 denied the privilege of EU law for consumers to sue in their local court[5] to a representative (ie Max Schrems) in a representative privacy litigation against Facebook under Austrian law. By contrast, courts in California and Canada have found a contractual jurisdiction and applicable law clause invalid as a matter of public policy in order to allow a class action privacy claim to proceed against Facebook.[6] In England, the dual challenge of jurisdiction and collective actions in a mass privacy infringement claim has presented itself before the English Courts, first in Vidal-Hall v Google before the Court of Appeal in 2015[7] and in the Supreme Court judgment of Google v Lloyd in November 2021[8]. Both cases concerned preliminary proceedings on the question of whether the English courts had jurisdiction to hear the action, ie whether the claimant was able to serve Google with proceedings in the USA and have illustrated the limitations of English law for the feasibility of bringing a collective action in mass-privacy infringement claims. Read more...