Google Inc v Vidal-Hall [2015] EWCA Civ 311

Facts

The claim was brought by a number of individuals who had been using Apple’s Safari browser to access the internet. They became aware that Google were collecting information about their internet usage without their knowledge or consent through the use of cookies.

The claimants issued proceedings in 2013 for a misuse of private information, breach of confidence and a breach of the Data Protection Act 1998 (DPA). In particular they sought compensation for distress under Section 13 of DPA which provides that a claim can be brought where a breach causes “damage and distress” and the Courts have to date interpreted damage as requiring some pecuniary loss.

Held

The decision of the Court of Appeal however, states that there is no requirement under Section 13 for financial loss to be suffered before a claim can be made. Accordingly it now appears that it will be possible for a Claimant to bring a claim for compensation where a breach of the DPA has caused them distress.

The Court of Appeal considered that the way in which the DPA had previously been interpreted was incorrect and was in conflict with the EU Charter of Fundamental Rights. The Court considered that the wording Section 13 should be given a wide meaning so as to include both material and non-material damage. As a result, if an individual can demonstrate that a breach of the DPA has caused them distress, they will be entitled to bring a claim under Section 13. The removal of the requirement for pecuniary loss therefore dramatically widens the scope of those individuals who would be entitled to bring a claim.

What can we learn?

  • This decision has widespread implications for all data controllers and changes the way in which the Data Protection Act will be enforced
  • Those data controllers processing sensitive personal data will be particularly at risk given the nature of the data they hold and the likelihood of distress in the event of a breach. In particular, this decision could have severe implications for those working in the health sector particularly given the ICO’s concerns about DPA
  • compliance in the sector generally and the likely distress caused if any health data were to be lost
  • Furthermore, in a circumstance where a data breach involving thousands of individuals occurs, this may now result in thousands of small claims for breaches of the DPA being lodged in the Courts
  • The Court in Vidal-Hall also determined that a breach of the DPA was a tort. This decision may well therefore lead to a number of further challenges in relation to Section 13, including issues relating to vicarious liability
  • The Information Commissioner has been trying to drive forward improved compliance with the DPA over recent years and this decision has significantly shifted the power in favour of data subjects in being able to enforce their DPA rights. Google were refused permission to appeal to the Supreme Court but it remains to be seen whether they will seek permission to appeal in order to clarify the issues within the Judgment given the particular importance to them of cyber security. Unless and until the matter reaches the Supreme Court, all data controllers need to be aware of this change in the law and must do all they can to ensure that DPA compliance is prioritised given the significant extra risk that a breach of the DPA now holds