google-logoOn 15 January 2015 Mr Justice Mitting gave judgment in only the second English data protection case against Google after the decision in Google Spain.  In Mosley v. Google ([2015] EWHC 59 (QB)), the Court dismissed an application brought by Google to strike out a claim brought by Mr Mosley under sections 10, 13 and 14 of the Data Protection Act 1998, holding at [55] that it was “a viable claim which raises questions of general public interest, which ought to proceed to trial”.


The general background will be very familiar. Nearly seven years ago, Max Mosley’s application for interim injunctive relief against News Group Newspapers for misuse of private information in the publication of images of his sado-masochistic encounters with prostitute was refused on the basis that the dam had already burst – the material was so widely accessible that either Mr Mosley no longer had a reasonable expectation of privacy in relation to it, or it had entered the public domain to the extent that in practical terms there was no longer anything which the law could protect. A few months later, he obtained judgment against News Group together with record damages of £60,000.

Since then Mr Mosley has been engaged on a global campaign to “clean up” these images from the internet. He gave evidence about this to the Leveson Inquiry, estimating then that in the time since the trial he had spent well over £500,000 trying to deal with the consequences of the publication on the internet. Google operated a notice and take-down policy of blocking access to individual URLs when identified to them by Mr Mosley or his solicitors.

The evidence before the Court demonstrated, however, that this had proved a Sisyphean task – even when an individual URL was blocked, many remained and some appear anew. As a result “it is at least arguable that this means of blocking access to the images is insufficiently effective to secure their disappearance from view” [4]. What Mr Mosley really wanted was all and any access to the images themselves to be blocked from the results of a Google search, regardless of the URL on which they appeared.

The decision on 13 May 2014 in Google Spain effected a sea-change. The Grand Chamber established unequivocally that Google was a “data controller” for the purposes of the European data protection regime (as given effect to in this jurisdiction by the Data Protection Act 1998). On the face of it therefore, Google became subject to the duties imposed on it by the Act and the rights of redress created by sections 10 (right to prevent processing likely to cause damage or distress), 13 (compensation), and 14 (blocking) became enforceable against it.

Mr Mosley and his advisers saw their chance, and by a claim form issued on 23 July 2014 Mr Mosley claimed damages and injunctive relief against Google Inc and its wholly owned UK subsidiary, Google UK for: (1) misuse of private information in publishing it by directing searches to website addresses displaying the images, and (2) under sections 10 and/or 13 and14 of the DPA.

The claim against Google UK was discontinued in the course of the hearing, and the claim in misuse of private information (described by the Judge at [8] as “at best, deeply problematic”) was, with the agreement of the parties, stayed. The parts of the DPA claim concerning sections 13, which may depend on proof of damage, were also stayed until the determination of the pending appeal in Vidal-Hall –v- Google. (It is understood that one of the issues in that case will be the consistency of the transposition of Article 23.1 of EU Directive 95/46/EC into UK law. The Directive does not require proof of pecuniary damage, but it was held in Johnson –v- Medical Defence Union that the DPA does.)

That left the section 10 claim, namely the right to prevent processing likely to cause damage or distress.


At the Judge noted that

“On a straightforward reading of section 10, provided that the claimant proves that he has suffered or is suffering substantial unwarranted damage or distress as a result of the processing of his personal data by Google (as he says he has) and has given written notice to Google (as he has done) and Google do not advance any reason for stating that the notice is unjustified, the claimant is entitled to ask the court to order Google to take such steps as it thinks fit to comply with the notice and the court is entitled so to order.” [24]

That was not, however, the end of the matter, because Google argued that the effect of the E-Commerce Directive (2000/31/EC) and in particular Articles 13 and 15 is  conditionally to exclude legal liability on an ISP for information and images retrieved via a search engine.

Article 13 affords legal protection to internet service providers who engage in ‘caching’ on certain conditions including that the ISP: (a) does not modify the information or images concerned; and (e) acts expeditiously to remove or to disable access to material upon obtaining actual knowledge of the fact that material has been removed at source, or access to it disabled, or that a court or administrative authority has ordered such removal or disablement. This conditional exemption is subject to a proviso set out in Article 13.2 which provides that it shall not affect the ability of a court or administrative authority to require the ISP to terminate or prevent an infringement, nor for Member States to establish procedures governing the removal or disabling of access to information.

Further, Article 15 provides that Member States shall not place ISPs providing the services under Articles 12, 13 and 14 (mere conduit, caching, hosting) under a general obligation to monitor the information they transmit or store, nor under a general obligation actively to seek facts or circumstances indicating illegal activity. Google also submitted that the Judge was bound by a decision of Kenneth Parker J in R( British Telecommunications) v. The Culture Secretary [2011] 3 CMLR 98 at [102], (upheld on appeal [2012] Bus LR 1766 at [53]). In that case, the Judge considered that the effect of the ‘mere conduit’ provision in Article 12 was to exclude liability for infringement of copyright.

For Mr Mosley, it was argued that this reasoning did not avail Google for three reasons: (1) in returning ‘thumbnails’ of the images Google had modified them, thus falling foul of Article 13(a); (2) that the E-Commerce Directive has no application to the processing of personal data; and (3) if it does, the proviso in Article 13.2 applies and either requires or permits the court to provide a remedy to a person whose data protection rights have been infringed.

The Judge rejected the first argument on the basis that reducing the size and definition of the images did not amount to modifying them within the meaning of Article 13(a). The second and third propositions, however were “of more substance”.

In relation to the second argument, Recital 14 of the E-Commerce Directive states that the protection of individuals with regard to the processing of personal data is solely governed by Directive 95/46/EC (the Data Protection Directive which the DPA was enacted to give effect to). The policy statement in Recital 14 is given effect by Article 1.5(b) which states that the E-Commerce Directive shall not apply to questions relating to information society services covered by the Data Protection Directive.

The Judge went on to say (at [45]) that two conclusions seemed to him possible: either the situation is governed solely by the Data Protection Directive (subject to a final point about monitoring) s, subject to a final point about monitoring; or the two Directives must be read in harmony and both, where possible, be given full effect to. Though expressing a “provisional preference” for the second view, the Judge stated at [46] that

“[l]eaving aside legal niceties, what matters is whether or not the person whose sensitive personal data has been wrongly processed by an internet service provided can ask the court to order it to take steps to cease to process that data”.

In that regard, Article 22 of the Data Protection Directive, s10 of the DPA and Article 13.2 of the E-Commerce Directive are as one in permitting it, and Article 18 of the E-Commerce Directive requires that a judicial remedy is available. Accordingly,

“Whichever way this interesting issue is to be decided, the claimant plainly has a legal remedy which the court may grant” [48].

The final potential fly in the ointment, however, was the prohibition on general monitoring in Article 15 of the E-Commerce Directive. Whilst it does not, at first blush, apply to monitoring in a specific case (and Recital (47) says as much) ECJ jurisprudence suggests otherwise. In L’Oreal SA –v- eBay International AG [2012] Bus LR 1369 at [139] the Court had stated that the measures required of an online service provider cannot consist in an active monitoring of all the data of each of its customers in order to prevent any future infringement of intellectual property rights.

As a result, in SABAM (No.1) on 24 November 2011 the General Court had discharged an order requiring the installation of a filtering system to prevent file sharing in breach of copyright, because it involved active observation of all electronic communications conducted on the network. In L’Oreal, however, the Grand Chamber also stated, at [144], in relation to trademark infringement that the applicable Directive must be interpreted as requiring member states to ensure that national courts are able to order the operator of an online marketplace to take measures which contribute not only to the bringing to an end of infringements but also to preventing further infringements.

In light of that, the Judge held at [53] that “no lesser standard is to be expected in upholding the rights of individuals to have sensitive personal information lawfully processed”. However, the

evidence which I have now is not such as to permit a judgment to be made on whether or not the steps required by the claimant would involved monitoring in breach of Article 15(1) of the E-Commerce Directive”.

He continued:

“Given that it is common ground that existing technology permits Google, without disproportionate effort or expense, to block access to individual images, as it can do with child pornography, the evidence may well satisfy a trial judge that it can be done without impermissible monitoring. Accordingly, even if monitoring is not permissible in a data protection case, as to which I express no view, the claimant has a viable case on this issue, which might well succeed [54].

 He concluded:

“For all of those reasons, in my judgment, the claimant’s primary case on the issues which I have identified is not such that it has no real prospect of success. On the contrary, it seems to be to be a viable claim which raises questions of general public interest, which ought to proceed to trial“.


This case is likely to be the tip of the iceberg. In the nearly 15 years since it came into force, the DPA has been woefully under-utilised. Whilst it is true to say that it is a hot contender for the title of most dense and boring piece of legislation, the decision in Google Spain means that it has become impossible to ignore any longer. As this case demonstrates, it may well provide remedies in areas where traditional claims for defamation and misuse of private information do not bite. And it is not just about the right to be forgotten. The DPA can be used to correct the record as well as erase it. Welcome to the Brave New World.

Lorna Skinner is a barrister at Matrix Chambers, specialising in media and information law.