New Year, new tort of misuse of private information
23 January 2014
Vidal Hall and Ors v Google Inc  EWHC 13 (QB) – read judgment
A group of UK Google users called ‘Safari Users Against Google’s Secret Tracking’ have claimed that the tracking and collation of information about of their internet usage by Google amounts to misuse of personal information, and a breach of the Data Protection Act 1998. The Judge confirmed that misuse of personal information was a distinct tort. He also held that the English courts had jurisdiction to try the claims.
Mr Justice Tugendhat’s decision was on the basis that (1) there was a distinct tort of the misuse of private information (2) there was a serious issue to be tried on the merits in respect of the claims for misuse and for breach of the DPA; (3) the claims were made in tort and damage had been sustained in the jurisdiction and (4) England was clearly therefore the most appropriate forum for the trial.
The underlying Claim
The Claimants further allege that they had suffered damage in the form of acute distress and anxiety. That anxiety is said to be as a result of their personal information being used to generate personalised advertisements on their computer screens, in particular because of the risk that sensitive facts about them might have been revealed to others who looked at their screens.
There was no dispute that Google has faced regulatory sanctions in the US following discovery of how it collected information from Safari Browsers, and that Google had been fined the unprecedented sum of $22.5m by the Federal Trade Commission for misrepresenting to Safari users that it would not place tracking cookies or serve targeted advertisements to them. Google had also paid $17m to settle claims brought attorney generals for 38 States. The Claimants argued that Google’s past and present behaviour demonstrated an “institutionalised disregard for both the privacy of its billions of individual users and for the regulatory regimes of the countries in which it operates.” Accordingly, an injunction was needed as a part of the substantive relief sought.
The applicable Test – CPR PD 6B para.3.1
3.1 The claimant may serve a claim form out of the jurisdiction with the permission of the court under rule 6.36 where –
(2) A claim is made for an injunction ordering the defendant to do or refrain from doing an act within the jurisdiction.
(9) A claim is made in tort where (a) damage was sustained within the jurisdiction; or (b) the damage sustained resulted from an act committed within the jurisdiction.
Google sought a declaration that the English Court did not have jurisdiction, and the earlier service of the claim form in the US on them should be set aside.
The Judge summarised the requirement under the CPR for a good arguable case and for a serious issue to be tried on the merits of each claim.
The Judge held that the fact that Google had on other occasions interfered with people’s privacy rights was not a basis on which the court could contemplate issuing an injunction here. It was very unlikely that a court would allow the Claimants to adduce evidence of alleged wrongdoing by Google against other individuals, particularly given that it had occurred outside of England and Wales. He held that there could be no real dispute that the claim for breach of confidence was not a claim in tort and so did not fall within para.3.1(9).
With regards to the misuse of private information, Mr Justice Tugendhat acknowledged that there was no general ‘tort of invasion of privacy.’ However, he cited Lord Nicholls in Campbell v MGN Ltd  UKHL 22 to the effect that while the origin of the court’s protection against the wrongful use of private information lay in the equitable action of breach of confidence based on an initial confidential relationship, the “essence of the tort is better now encapsulated as misuse of private information.” He went onto identify a number of cases in which misuse of confidential information had been referred to as a ‘tort’ – in particular OBG Ltd v Allan and Douglas v Hello  UKHL 21. He cited Lord Nicholls in OBG as authority for the misuse of confidential information as encompassing two distinct causes of action protecting two different interests – namely “privacy” and “secret (‘confidential’) information.” He concluded that there was a distinct ‘tort of misuse of private information,’ which was a tort within the meaning of PD 6B para.3.1(9).
The Judge went onto hold that there was a claim for damage within the meaning of para.3.1(9)(a). ‘Damage’ was to be given its natural and ordinary meaning, namely “damage which was properly characterised as such and recoverable in the context of the tort in question.” Damages for distress were recoverable in claims for misuse of private information, and for claims under the Protection from Harassment Act 1997. Damage did not also have to be confined to physical or economic harm. In any event, the claim for misuse of private information would also fall within para.3.1(9)(b) because the damage resulted from an act committed within the jurisdiction, namely the publication of the advertisements on the Claimants’ screens.
As for the claim for breach of the DPA, Mr Justice Tugendhat held that the Claimants had a sufficiently arguable case their alleged ‘moral damage’ i.e, stress and anxiety, could amount to sufficiently serious damage to engage their rights under ECHR Article 8. Again, the Claimants could rely on para.3.1(9) in respect of the DPA claim.
The Judge held it would not be just to set aside service on the ground that ‘the game was not worth the candle’ because the costs of continuing the litigation would be out of proportion to any likely damages. He reiterated that he had found there to be a good arguable case that the Claimants’ Article 8 rights were engaged: accordingly for a breach for an ECHR right there was a right to an effective remedy. Finally, he held that the Claimants had established that there were sufficiently serious issues to be tried as to whether the relevant information was ‘private’ and ‘personal.’
Mr Justice Tugendhat concluded that the Claimants had clearly established that England was the appropriate jurisdiction in which to try the case. He noted that the focus of attention was likely to be on the damage alleged to have been suffered and that bringing proceedings in the US would be likely to be very burdensome for the Claimants. He concluded that “The issues of English law raised by Google Inc are complicated ones, and in a developing area…it would be better for all parties that the issues of English law be resolved by an English court.“
The significance of this judgment of course lies partly in the chance that Google will be found liable at the substantive proceedings – this would clearly be a landmark case for internet privacy especially as Google defeated a near identical challenge brought in America. The definition of browsing data as personal and private information is in particular likely to prove a serious issue at the full hearing.
However, it also represents a considered decision by the High Court first that there is a separate cause of action for misuse of such information, which should be protected solely on the basis of its personal nature, and secondly such an action is a tortious rather than an equitable cause of action.
The bifurcation of the traditional action of breach of confidence into a redefined breach of confidence (excluding personal information) and breach of confidence i.e. privacy noted by Mr Justice Tugendhat is comparatively recent. An important landmark in this process was indeed the House of Lords’ decision in Campbell v MGN Ltd. Here Lord Hoffmann noted that “English law has adapted the action for breach of confidence to provide a remedy for the unauthorised disclosure of personal information … this development has been mediated by the analogy of the right to privacy conferred by article 8 of the European Convention on Human Rights.” As Mr Justice Tugendhat noted, there is still also no tort of privacy per se. However, there has been a judge led creation of something approaching a privacy cause of action. This judgment therefore represents a further significant step towards the carving out of a legally distinct common law action for misuse of personal information. This may put further pressure for Parliament to consider what should be the appropriate boundaries for the protection of privacy and for the use of browsing data.
Secondly, there had to date only been limited explicit judicial support for the recognition of the misuse of personal information as a tort, rather than a breach of the equitable principle of good faith. While there has been dicta to that effect, for example by Sir Anthony Clarke MR in Murray v Express Newspapers PLC 2008] EWCA Civ 446, there has also been contrary dicta by Lord Neuberger MR in Imerman v Tchenghuiz  EWCA Civ 908 that “a claim based in confidentiality is an equitable claim.” Indeed, the Court of Appeal stated in Douglas and others v Hello! Ltd and others (No 3)  EWCA Civ 595 that it “the effect of shoehorning this type of claim into the cause of action of breach of confidence means that it does not fall to be treated as a tort under English law.” It is worth noting that the current position in New Zealand and Canada is somewhat unclear, with actions for breach of confidence through the misuse of personal information being held by the Supreme Courts in both countries to be ‘sui generis’ and with conflicting judicial pronouncements as to its equitable or tortious nature.
A good question at this point would be ‘Does it matter?’ – is arguing whether breach of confidence arising out personal, but not otherwise confidential, information an action in equity or tort only an exam question for law finalists? Mr Justice Tugendhat stated that it might be an “anomaly” if the rump ‘breach of confidence ‘ action was equitable, and could not therefore be a ‘tort’ for the purposes of deciding on jurisdiction, however, he recognised that at present breach of confidence could not be a tort capable of making an English court the appropriate forum. Holding that misuse of personal information was a tort is therefore key to his decision that these proceedings fell within the provisions of PD 6B para.3.1. This could be highly significant for other actions brought by UK based customers against foreign located companies for alleged breach of privacy involving their browsing and internet use.
Being a tort will also potentially open the door in this and other cases to damages, even exemplary damages, being awarded as of right, rather than remedies being equitable and therefore discretionary. Mr Justice Eady in Mosely v News Group Newspapers Ltd  EWHC 1777 (QB) held that he could not award exemplary damages for breach of privacy on the basis that breach of confidence was not a tort. There is therefore more than just a name at stake.
Sign up to free human rights updates by email, Facebook, Twitter or RSS