Google’s misuse of private browsing data entitles individuals to damages – Court of Appeal
31 March 2015
Google Inc v Vidal-Hall and others  EWCA Civ 311 (27 March 2015) – read judgment
This case concerned the misuse of private information by an internet provider based in the United States. Google had secretly tracked private information about users’ internet browsing without their knowledge or consent, and then handed the information on to third parties (a practice known as supplying Browser-Generated Information, or ‘BGI’).
The issue before the Court of Appeal was twofold:
- Was the cause of action for misuse of private information a tort, specifically for the purposes of the rules providing for service of proceedings out of the jurisdiction?
- What was the meaning of ‘damage’ in section 13 of the Data Protection Act 1998 (the DPA) and in particular, did it give rise to a claim for compensation without pecuniary loss?
Legal and factual background
Google (US) appealed against a decision by Tugendhat J that the English courts had jurisdiction to try claims issued by the respondent UK internet users for misuse of private information and breach of the Data Protection Act 1998 (see Dominic Ruck-Keene’s post on that decision).
Google’s practice of supplying BGI to advertisers had been contrary to its publicly stated position that such activity would not be performed without users’ consent. The users sought damages under s.13 of the DPA for distress. There was also a claim for aggravated damages on the basis, amongst other matters, that the defendant ought to have been aware of the operation of the Safari workaround during the period relevant to these claims, or was aware of it and chose to do nothing about it.
In order to obtain permission to serve the proceedings out of the jurisdiction, they had successfully established that there was a serious issue to be tried, that their claims came within the “injunction” and “tort” jurisdictional gateways in under the Civil Practice Rules and that England was the correct trial forum. The Court below held that the English courts had jurisdiction to try the claims for misuse of private information and the claim under the Act, but no jurisdiction to hear a claim for breach of confidence because the latter was not a tort.
It was common ground that on a literal interpretation, the users were not entitled to recover damages under s.13 because their claims did not fall within either s.13(2)(a) or s.13(2)(b) of the DPA, but the question was whether the Court of Appeal’s decision in Johnson v Medical Defence Union Ltd  EWCA Civ 262, that “damage” only included “pecuniary loss”, was binding on this court.
The Court’s Decision
The Court of Appeal dismissed the appeal. What was said by Buxton LJ in Johnson v MDU as to the proper interpretation of section 13 of the DPA “was obiter dicta and not binding on this court”.
The question of whether misuse of private information was a tort is a complicated one. As the Master of the Rolls said,
Fifteen years have passed since the coming into force of the Human Rights Act 1998 (the HRA) in October 2000, which incorporates into our domestic law the European Convention for the Protection of Human Rights and Fundamental Freedoms (the Convention). And it is a decade now since the seminal decision of the House of Lords in Campbell v MGN  2 AC 457. The problem the courts have had to grapple with during this period has been how to afford appropriate protection to ‘privacy rights’ under article 8 of the Convention, in the absence (as was affirmed by the House of Lords in Wainwright v Home Office  2 AC 406) of a common law tort of invasion of privacy.
Surely, it was argued, giving some redress for misuse of private information would address “the tension between the requirement to give appropriate effect to the right to respect for private and family life set out in article 8 of the Convention and the common law’s perennial need (for the best of reasons, that of legal certainty) to appear not to be doing anything for the first time”. The Court perceived drawbacks in this proposal, mainly because misuse of private information, otherwise conceptualised as breach of confidential information, has in the past been treated as an equitable wrong, not a tort. Its legal basis is therefore very different from an infringement of privacy rights. These are still two separate and distinct causes of action: an action for breach of confidence; and one for misuse of private information. Nevertheless, it is also also the case that the action for misuse of private information has been referred to as a tort by the courts.
As for the question of “damages” under Section 13 DPA, whilst the Court acknowledged that the Data Protection Directive under which the DPA was passed recognised the existence of “moral damages”, this was not a familiar concept in the UK. It encapsulates a right to compensation for breach of an individual’s non-pecuniary rights. Nevertheless, the natural and wide meaning of “damage” in art.23 included “moral”, non-pecuniary damage, such as distress.
Since what the Directive purports to protect is privacy rather than economic rights, it would be strange if the Directive could not compensate those individuals whose data privacy had been invaded by a data controller so as to cause them emotional distress (but not pecuniary damage). It is the distressing invasion of privacy which must be taken to be the primary form of damage (commonly referred to in the European context as “moral damage”) and the data subject should have an effective remedy in respect of that damage. Furthermore, it is irrational to treat EU data protection law as permitting a more restrictive approach to the recovery of damages than is available under article 8 of the Convention. It is irrational because […] the object of the Directive is to ensure that data-processing systems protect and respect the fundamental rights and freedoms of individuals “notably the right to privacy, which is recognized both in article 8 of the [Convention] and in the general principles of Community law”.
The enforcement of privacy rights under article 8 of the Convention has always permitted recovery of non-pecuniary loss. Furthermore, Articles 7 and 8 of the Charter of Fundamental Rights of the European Union make specific provision for the protection of personal data (paras 70-79). It followed that, if interpreted literally, s.13(2) had not effectively transposed art.23 of the Directive into domestic law. Despite the Marleasing principle, s.13(2) could not be interpreted so as to be compatible with art.23 because such a construction would be too strained and it would alter a fundamental feature of the legislation, which even the Marleasing principle did not permit. Article 47 of the Charter required domestic courts to disapply domestic provisions which conflicted with EU requirements for an effective remedy. What was required to make s.13(2) compatible with EU law was the disapplication of the entire section, with the result that compensation would be recoverable under s.13(1) for any damage suffered through contravention by a data controller of any of the Act’s requirements.
It is interesting that the respondents’ success in this case rested more securely on the basis of the EU Charter of Fundamental Rights rather than Article 8 ECHR. The rights in the Charter are only engaged where the matter in question involves EU law; this is a classic case where the basis of the action, misuse of data, involved the relevant Directive and the legislation implementing it, the DPA. Which was found to be deficient because it failed to provide redress as required by the privacy protecting provisions of the Charter.
Now that it has been established, both at first instance and in the Court of Appeal, that this country is the appropriate jurisdiction in which to try the case, it will be interesting to see how much by way of damages will be awarded the claimants should they succeed on the merits. In any event, the outcome of this hearing spares them the very considerable expense of bringing proceedings in the United States.
Sign up to free human rights updates by email, Facebook, Twitter or RSS