Google has once again come under the privacy spotlight as the EU closely watches US litigation over its use of automatic scanning software which takes keywords from users' e-mails to generate targeted advertising.

The class action proceedings allege that Google's data-mining breaches privacy laws. This follows recent accusations that Google participated in the US National Security Agency's secret surveillance programme, 'PRISM', and the stir caused by Google's implementation of a single privacy policy across all its websites last year.

A legitimate expectation of privacy?

Google's business model is based on the sale of advertisements focussed on individual user behaviour. It achieves this by harvesting users' browsing and now email data. Google sees nothing wrong with the practice and likens it to a secretary opening the office post. It says that people have no legitimate expectation of privacy in information they voluntarily hand over to third parties, emphasising that users' e-mails remain private and highlighting the investment made in automatic encryption to ensure data security.

Critics say they do not expect the Post Office to open their letters, read them and then bombard them with content-related advertising. Whilst perhaps not as heinous as phone-hacking, this practice raises interesting questions for a privacy lawyer. There is a certain amount of trust placed in organisations which provide communication services.

So what would UK law say about this activity? Privacy law has mushroomed in the UK over the last decade, taking our body of law far beyond the principles recognised in Prince Albert's 1849 action to restrain an unauthorised exhibition of prints, to a point where celebrities (such as Michael Douglas and Catherine Zeta-Jones) have been conferred the right to trade in their fame.

Contractual rights of confidence go hand-in-hand with rights under the European Convention on Human Rights ("ECHR") to create a mechanism for the protection of private information. "Private information" is incapable of strict definition. Obligations of confidence and expectations of privacy arise in many ways.

What constitutes protectable private information has to be assessed in accordance with the principles established in ECHR case law. They require a balancing of the competing rights which is usually connected inextricably with the facts at hand, although certain information, such as information about sexual matters or minors, by its very nature often raises a greater expectation of privacy. One right does not automatically take precedence.

Privacy vs. freedom of speech – a question of balance

Article 8 ECHR provides everyone with the right to respect for private and family life, but that right can be interfered with when necessary to protect the rights and freedoms of others, such as the right to freedom of expression in Article 10. That right too is checked by duties and responsibilities, such as the protection of confidential information.

When carrying out the balancing exercise, the courts firstly ask whether there is a reasonable expectation of privacy in relation to the information sought to be protected, then whether the Article 10 right should prevail, for example, if disclosure is in the public interest. A typical scenario involves a newspaper publishing a scandal about a celebrity. Newspapers (as in the Naomi Campbell case against The Mirror) have often argued that they need to disclose private information to correct lies told by a celebrity.

Then there are the 'special relationship' cases. The leading case of McKennitt v Ash involved the singer and her former friend who wrote a book which revealed private information about Loreena McKennitt's personal and sexual relationships. The Court of Appeal held that no express obligation of confidence is needed where there is an existing relationship between the parties and Ms. McKennitt could prevent the publication of the parts of the book which disclosed her confidential information.

How Google and its Gmail users fit into this framework is not so black and white. Do Gmail users have an expectation of privacy in relation to their e-mails? Most people would say they do and rightly so. Most people would also say there is a special relationship between them, akin to the relationship between a person and the Post Office (although no such relationship exists between Google and the user of a different e-mail service). Does that mean that Gmail users can prevent Google from subjecting their communications to an automatic scanning process? It is against the law to interfere with the post, but Google is not impeding e-mail delivery. It says that it is simply scanning e-mails for keywords to make advertising more effective.

Pushing the privacy boundaries

Much of the recent case law has centred around the disclosure of information and celebrities' efforts to prevent salacious information from being disclosed, not so much trading in fame, as seeking to preserve a reputation (as in the unsuccessful attempt by John Terry to protect his reputation from tarnishment). However, the Courts have developed privacy law beyond the disclosure of information to third parties. In the Imerman v Tchenguiz case, in which this author acted for Mr Imerman, the Defendants were accused of breaching Mr Imerman's privacy rights under Article 8 by accessing, downloading or copying and retaining his private information, as well as by disclosing it to various third parties. The Court of Appeal, in joined cases in the Queen's Bench and Family Divisions, held that the Defendants had breached Mr Imerman's privacy rights. It abolished the time-honoured practice in the Family Division referred to as the "Hildebrand rules", which encouraged divorcing couples to raid their spouse's private information, and said that merely retaining private information without its owner's consent was a breach of privacy.

Google is not claiming the right to disclose the content of e-mails to third parties and it seems unlikely that there is any human intervention in the process of scanning e-mails. Google must hold a database of keywords selected from users' e-mails, even if only temporarily, but it is unlikely that such small fragments could constitute confidential information. It is also likely that copies of e-mails will be made as part of the scanning process. Leaving aside questions of copyright infringement and data protection, which are beyond the scope of this article, Google will only breach privacy laws if it does something which goes against the right to respect for private and family life or if it breaches an express or implied obligation of confidence.

In terms of retaining information, this is likely to depend upon how long Google stores any copies it makes of users' e-mails. If copies are made simply as part of the technical process, it seems unlikely that a Court would find on that ground alone that a user's privacy right had been breached, particularly where nobody reads the e-mails and no real harm is inflicted. However, Google is doing more than that. It is using private information to generate targeted advertising from which it generates revenue. When you look at it that way, it looks like a breach of Article 8, whether it is read by a human or not.

Google might argue freedom of expression or the public interest because it is providing more relevant advertising. Google's critics might say that it is neither; it is the generation of revenue from unlawful activity (and a good way of gathering valuable demographic information). Facebook has just settled a class action in America for using, without payment or a chance to opt out, users' details to promote "liked" products and services to friends.

Always read the small print

Then there is the small print. Google says that Gmail users have consented to the automatic scanning of their e-mails by accepting Google's terms and conditions. Ignorance is, of course, no defence or, in this case, sword. Contract law does, however, recognise that there are some terms which are so onerous that, to be enforceable, special notice of them needs to be given prior to the formation of a contract (see Lord Denning's famous comments about red hands pointing to onerous clauses in Thornton v Shoe Lane Parking).

Are Gmail users' Article 8 privacy rights fundamental enough that special notice should be given of a contractual right to breach them? It is certainly an argument worth running. Privacy is now a statutory right. Can Google expect you to waive that right without giving special notice? Google claims that it is ordinary business practice and that e-mail users must expect their communications to be scanned automatically. Most Gmail users have probably noticed that advertisements on their screens seem to relate to the e-mails they send and receive, but how many people think about what Google is doing and would they have signed up to Gmail if they had known?

If all e-mail providers follow this practice, we seem to have little choice, but some would argue that more should be done to draw people's attention to what they are agreeing to and at least provide an opportunity to opt out. Most people would probably expect their Internet surfing to be monitored in some way and would not necessarily have an expectation of privacy in relation to what websites they look at (the use of cookies is a widely known practice and the law now requires users to give their consent to the practice). E-mail users would probably not, however, view their use of a private e-mail account in the same way.

Google might win the US battle by relying on contractual rights, but what of e-mails sent by non-Gmail users to a Gmail account? The non-Gmailer did not give Google its consent, expressly or impliedly, to intercept its communication and there is no contract between them. In a UK Court, Google would have to argue freedom of expression or public interest, but those are very weak arguments.

Privacy lawyers will watch the US litigation closely and Google will probably be contemplating a privacy battle in Europe where freedom of expression rights are not as extensive as they are in America. Meanwhile, Google's application to dismiss a breach of privacy claim in the High Court over its circumvention of privacy settings on Apple's 'Safari' browser will be heard in October. It claims that the UK Court has no jurisdiction because Google operates outside the UK.

If it serves no other purpose, this litigation should at least raise awareness among e-mail users.

A version of this article was previously published in Intellectual Property Magazine.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.