Court of Appeal opens the door to 'distress-only' data breach claims where no financial loss
In an important ruling, the Court of Appeal confirms that misuse of private information is a tort and rules on the meaning of "damage" under s13 of the Data Protection Act ("the DPA"), allowing claimants to recover compensation for "distress" resulting from a breach of the Act without also having to prove pecuniary losses.
Vidal-Hall and others –v– Google Inc  EWHC 13 (QB)
The Court of Appeal has handed down a judgment that makes several notable points on data protection issues: It confirmed that
- misuse of private information is a tort
- claimants may recover damages under the DPA for non-pecuniary losses
- it is strongly arguable that "browser generated information" collected via cookies may be 'personal data'
The recovery of compensation for non-pecuniary losses will have the most obvious impact for data protection practitioners, and is the focus of this note. The effect of this case is that individual data subjects may now seek compensation for breaches of the DPA purely by asserting that they have suffered "distress", despite not suffering financial loss.
Although the courts' approach to awards in "distress-only" cases remains to be seen, the mere possibility of such cases may prove an unwelcome distraction to data controllers.
We expect that this judgment will result in a significant increase in the volume of civil actions brought by individuals under the DPA, and the legal resources expended by businesses in fighting them. Claims could be brought on an individual basis, or as a group (as in Vidal-Hall). We also expect that 'distress' claims might be added to wider claims such as defamation and employment disputes.
As a result, it is more important than ever to guard against breaches of the DPA, even those that may previously have been seen as 'low-level' risk.
The factual background to the appeal is convoluted but essentially the claim in Vidal-Hall stems from the revelation that Google used cookies to collect "browser generated information" ("BGI") from users of Apple's Safari web browser. By collecting BGI, Google was able to track Safari users' internet usage in order to target advertising at those users more effectively. For example, Google might direct adverts for a hotel or airline to a user who had been researching a holiday. Critically, Safari users had not consented to Google's collection of information generated by their browsers. Alongside claims for misuse of private information and breach of confidence, the claimants sought compensation under section 13 of the DPA, on the basis that Google's activities had breached the Act. The claimants did not, however, disclose any financial loss.
Article 23 of the Data Protection Directive (Directive 95/46/EC) required member states to implement provisions allowing a person who has "suffered damage" as a result of a data protection offence (as created by domestic legislation) to obtain compensation from a responsible data controller. The UK implemented this requirement through section 13 of the DPA.
In defining the causes of action available to an individual following a breach of the DPA by a data controller, section 13 draws a distinction between damage and distress. An individual suffering "damage" may recover compensation for that damage from the data controller under section 13(1). In contrast, under section 13(2), an individual suffering "distress" may only recover compensation for that distress where he or she also suffers damage (unless the contravention related to the processing of personal data for journalistic, artistic or literary purposes). In almost all cases, a victim must therefore show pecuniary loss to recover compensation under section 13.
Johnson v MDU  EWCA Civ 262 was previously the leading case on the interpretation of section 13. In Johnson, the High Court rejected the argument that the inability to recover for standalone non-pecuniary losses under the DPA was inconsistent with the requirements of the Directive. The claimant had argued that the term "damage" as used in the Directive was not restricted to pecuniary loss, since it referred to any sort of damage recognised by member states' domestic laws. The Court disagreed and found that there was no compelling reason for the term "damage" to be extended beyond pecuniary loss – meaning that, according to Johnson, section 13(2) DPA was compatible with the Directive.
The Vidal-Hall Judgment
The present judgment relates to the claimants' application to serve proceedings on Google outside the jurisdiction. Since the claimants had disclosed no pecuniary loss for Google's alleged breaches of the DPA, this meant that the Court of Appeal was required to revisit the recoverability of non-pecuniary losses under the DPA.
On this key point, the Court found for the claimants. Since the primary aim of the European data protection regime was to safeguard privacy rather than economic rights, the Court found that it would be odd if a data subject could not recover compensation for an invasion of his or her privacy purely because there was no pecuniary loss. In accordance with this aim, the term "damage" as used in the Directive should therefore be construed to include non-pecuniary losses – meaning that section 13(2) DPA was inconsistent with Article 23 of the Directive.
Given that Parliament had evidently intended to distinguish damage from distress, it was not immediately clear how section 13(2) could be disapplied. But where there is a will, there is a way. The Court's solution was to find that section 13(2) conflicted with the right to privacy enshrined in the EU Charter of Fundamental Rights. Under EU law, the English court was required to ensure an effective remedy for breaches of the Charter. In this case, the remedy was to disapply the offending provision of domestic law – and so section 13(2) bit the dust.
In reaching its decision, the Court was clearly influenced by public policy concerns. The Court found that whilst damages awarded for breaches of the DPA have typically been modest, "the issues of principle are large".
The Court also ruled that it was clearly arguable that the BGI did constitute personal data on the basis that it 'individuates', or singles out the individual, and distinguishes him from others. This was regardless of the fact that i) the BGI did not name the individual and ii) Google asserted that it had no intention of linking the BGI with other data that Google held and which could lead to the individual being identified. The Court did not have to determine the issue finally – only establish that there was a clearly arguable case. If the case does go to a full trial for resolution, then data practitioners can look forward to some valuable guidance on this issue and questions on "identification" more generally.