Google v Vidal-Hall: the rise and rise of data protection rights
In an important decision handed down on Friday, the Court of Appeal confirmed that misuse of private information is a tort, and that claimants may recover damages under the Data Protection Act 1998 (the "DPA") for distress without also proving pecuniary losses.
The claim concerned the collection of alleged private information by Google regarding the claimants'
internet usage. This information consisted of Browser-Generated Information ("BGI") which was collected without the claimants' authorisation. The BGI was collected using cookies, which could recognise the specific browser that was creating the BGI. The claimants alleged that Google then offered their BGI to advertisers who could then target each of them specifically based on their browsing history.
The procedural background to the appeal is convoluted, but essentially the claimants sought and obtained permission to serve their claim out of the jurisdiction on Google in the US. Google unsuccessfully applied to have that permission set aside before Tugendhat J and so appealed the judge's decision to the Court of Appeal.
The appeal raised four issues:
- whether misuse of private information is a tort (this having procedural relevance to whether or not the claimants were entitled to serve Google out of the jurisdiction);
- the meaning of 'damage' under s.13 DPA, and, in particular, whether there could be a claim for compensation without pecuniary loss;
- whether there was a serious issue to be tried that the BGI was personal data under the DPA, justifying service out of the jurisdiction; and
- whether, in relation to the claims for misuse of private information and under the DPA, there was a real and substantive cause of action, again meaning that the Court should exercise its discretion to permit service out of the jurisdiction.
Misuse of private information is a tort
The Court confirmed that misuse of private information is a tort and not an equitable wrong (albeit that it was borne out of the equitable wrong of breach of confidence). The Court reasoned that it was not bound by its decision in Douglas v Hello (No 3)  EWHC 55(Ch), where obiter comments were made to the contrary. Instead it held that in other cases misuse of private information had been referred to as a tort and "…these references cannot be dismissed as a mere loose use of language; they connote an acknowledgment, even if only implicitly, of the true nature of the cause of action".
The meaning of damage under s.13 DPA
It was common ground that the wording of section 13(2) requires a claimant to have suffered pecuniary loss before they can recover any compensation for distress under the DPA (albeit that there is an exception for certain processing by the media). The argument instead focussed on whether or not this provision was compatible with the EU legislation which gave rise to it and, if it was not compatible, whether the Court could do anything about it.
The DPA was intended to implement Directive (95/46/EC) (the "Directive"), which protects the processing of personal data and the free movement of data. Article 23 of the Directive addresses the issue of compensation when a data controller contravenes the Directive, and the Court held that, unlike section 13(2), "… article 23 of the Directive does not distinguish between pecuniary and non-pecuniary damage". As a result, the Court determined that the principles of compensation under Article 23 and damages under s.13 were incompatible, and that s.13(2) had not effectively transposed Article 23 into domestic law.
The Court commented that if 'damage' was restricted to 'pecuniary damage' in the manner that section 13(2) dictates, "…such a restrictive interpretation would substantially undermine the objective of the Directive", namely to protect the rights and freedoms of individuals with respect to the processing of their personal data (and not just the individuals' pecuniary interest in that personal data).
The question then became whether the Court could do anything about this incompatibility. The Court held that s.13 was a "central feature" of the DPA and so the Marleasing principle (whereby directives can be given indirect effect by the courts via purposive interpretation of national legislation) could not be invoked.
The Court then considered whether Article 47 could have an effect in this case. Article 47 provides that everyone whose rights under the Charter of Fundamental Rights have been violated has a right to an effective remedy for that violation. These rights include the right to privacy under Article 7 and data protection rights under Article 8 of the Charter.
The Court concluded that, if the requirement for pecuniary damage in section 13(2) was enforced, the claimants would have no effective remedy even though their fundamental rights under Articles 7 and 8 had been engaged. Section 13(2) was therefore incompatible with Article 47 of the Charter, and so the Court was compelled to disapply it on that basis.
By removing section 13(2) in this way and giving horizontal direct effect to Article 47 of the Charter, the Court held that the Claimants could claim compensation for distress alone (without needing to show any pecuniary loss).
BGI as personal data and a real and substantive cause of action
In the context of this appeal, the Court did not need to determine the issue of whether BGI was personal data; however it held that it was clearly arguable that it was. The Court determined that there were serious issues to be tried and noted that "… these claims raise serious issues which merit a trial...the damages may be small, but the issues of principle are large".
If this decision survives any further appeal (and there are fair grounds for Google to feel hard done-by) the decision is likely to have significant repercussions with respect to data protection claims in the UK. We will have to wait and see just how claimants seek to rely on the precedent, but there can be little doubt that they will do so, and that the recent invigoration of DPA claims and the rise of stand-alone data protection rights is set to continue (as per Google Spain, Mosley).
The fact that pecuniary loss would no longer be a threshold requirement for a DPA claim clearly broadens the scope for such claims. But what will be more interesting (and unpredictable) is how the Court's use of Article 47 to disapply section 13(2) will be relied on in future cases.
For example, the wording of section 10(1) of the DPA allows an individual to object to the processing of his or her personal data only if the processing is likely to cause substantial damage or distress and that damage or distress is unwarranted. Could one argue this is a restrictive interpretation of Article 14 of the Directive? If so, is it possible that Article 47 could kick in again to provide claimants with broader rights to object than section 10 currently provides? Watch this space.