The court of appeal in England recently delivered its judgment in Vidal Hall and Others v Google Inc. It is a case of some significance in the evolving EU jurisprudence on data protection rights, not least because it may be seen as taking a different approach to that adopted in the Irish case of Collins v FBD Insurances.
The case was taken by a number of English claimants who alleged that Google Inc misused their private information by secretly tracking and collating data about their internet usage on their Apple devices in 2011-2012. The claimants alleged that Google exploited a wayround mechanism on the Safari internet browser on their Apple devices, despite publicly stating that such activity could not be conducted unless Safari users gave their consent. The claimants asserted that this constituted a misuse of their private information, and a breach of confidence, as well as data protection laws, under the Data Protection Act 1998 (DPA), as well as the data protection directive 95/46.
Although the claimants were granted leave to serve proceedings out of the jurisdiction, Google Inc sought to set this aside, arguing the claims for misuse of private information and breach of confidence were merely equitable in nature, and that procedural rules did not permit the grant of leave in the absence of a claim grounded in tort. It also argued that the DPA claims were bound to fail, as the claimants could not point to any specific loss or damage as required by the DPA, or, alternatively, if the court concluded that such a claim was actionable, any damages awarded would be minuscule and dwarfed by the costs of the litigation.
Elegant analysis
In an important judgment on data privacy claims, Tugendhat J dismissed most of Google’s arguments, and conducted an elegant analysis of the article eight/misuse of confidential information jurisprudence post
Campbell v MGN
[2004] 2 AC 457. The court determined misuse of private information was a tort, and that damages were recoverable for a breach, including damages for the distress suffered by the claimants upon realising online advertisers had tailored their subsequent advertisements in line with users’ tracked data.
There had been some lingering doubt since Campbell as to whether the misuse of confidential information was simply an aspect of breach of confidence laws, or whether it had assumed an independent life form of its own as a tort, given that the superior courts in England were still firm, as in Wainright, that there was no "general" tort of privacy.
The judge also held that the damage resulted from an act committed within the jurisdiction, namely the publication of the advertisements on the claimants’ screens.
One of the most interesting aspect of the judgment was the judge's determination that there was a serious issue to be tried as to whether claims for compensation under section 13 of the DPA required proof of pecuniary loss. The traditional orthodoxy had viewed this as plain from the wording of the statute, and indeed Feeney J had taken this view in Collins v FBD Insurances when construing the Irish legislation and the directive.
Ordinary meaning
Tugendhat J rejected this claim, and concluded that “damage” under section 13(2) of the DPA should be given its natural and ordinary meaning, and in accordance with article 23 of the data protection directive, so that each of the claimants had an arguable case that they had suffered damage because of Google’s actions, despite not alleging significant physical or economic harm, The judge also held that there was a serious issue to be tried as to whether browser-generated information constituted personal data for the purposes of the DPA claim. He concluded that the claimants had a real and substantial cause of action regarding both claims, and that it would not be just to set aside service on the grounds that “the game was not worth the candle”.
Upheld
The decision was upheld by the court of appeal, in a judgment that is likely to spark quite a degree of practitioner interest. The court disapplied the express wording of section 13 of the DPA on the grounds that this part of the English Act could not be interpreted compatibly either with article 23 of the directive, or articles seven, eight and 47 of the EU Charter of Fundamental Rights (CFR). It held that the main purpose of the directive was to protect privacy, not economic rights, and that it would be strange if it could not compensate persons who had suffered emotional distress but no pecuniary damage, when distress was likely to be the primary form of damage when such a breach occurred.
It is too early to consider the impact of this ruling, which is likely to be appealed, but the dicta of Tugendhat J, and the court of appeal, are strong on the issue of vindication of data privacy rights within the directive and CFR framework. This may prompt review of the Collins decision, which, although based on the Irish DPA, was relied upon by Google, but where the court of appeal construed article 23 through the prism of the CFR.
Pauline Walley is a senior counsel with a practice in civil, criminal and internet litigation.