The Court of Appeal has issued a judgment that could make it much easier for individuals who are adversely affected by breaches of data protection law to bring claims for compensation.

The Appeal, brought by Google Inc. (Google), concerned two issues:

  1. Was the cause of action for misuse of private information a tort, specifically for the purposes of the rules providing for service of proceedings out of the jurisdiction?
  2. What was the meaning of “damage” in section 13 of the Data Protection Act 1998 (DPA) and, in particular, did it give rise to a claim for compensation without pecuniary loss?

Previously, under Section 13(2) of the DPA, individuals in the UK could only bring a claim for distress if they also suffered pecuniary damage. The Court has held, however, that the DPA did not properly transpose the 1995 EU Data Protection Directive (Directive) into UK law. As this meant that, contrary to the EU Charter, the individuals were denied an effective remedy, Section 13(2) should be dis-applied.

Background

Three individuals, who accessed the Internet using their Apple Safari browser, complained that Google had collected private information about their Internet usage without their knowledge or consent. The claimants alleged that Google had collected the information using cookies and that this had allowed Google to recognize the browser sending the information. Google then allegedly used this information as part of its commercial offering to advertisers, allowing targeted or tailored marketing based on the claimants’ Internet browsing activities, a practice known as supplying Browser-Generated Information, or BGI. The claimants argued that the tracking and collation of their information was contrary to Google’s publicly stated position that such activity could not be conducted for Safari users unless they had expressly consented. The three claimed that the misuse of their private information breached the DPA and sought compensation under Section 13 of the DPA for damage and distress.

In the High Court, the case centred on jurisdictional issues and whether the English court had jurisdiction to try the claimants’ claims. The claimants had been granted permission by the lower court to serve a claim form on Google in California. Google applied to the High Court for an order declaring that the English court has no jurisdiction to try these claims. One of the grounds relied upon by the claimants to allow service of the claim out of jurisdiction was that a claim could be made in tort where (a) damage was sustained within the jurisdiction; or (b) the damage sustained resulted from an act committed within the jurisdiction. In relation to this ground, Google claimed that (a) the cause of action is not a “tort”; (b) “damage” means significant physical or economic harm and no such damage is alleged by the claimants; and (c) the act complained of was not committed within the jurisdiction.

The High Court held that the English courts had jurisdiction to try the claims for misuse of private information and the claim under the DPA. When considering these jurisdictional issues, the High Court agreed with the claimants’ arguments that damages for distress are recoverable in a claim for misuse of private information and that these damages are not confined to physical or economic harm. Google appealed against the decision by the High Court that the English courts had jurisdiction to try claims.

Compensation Under Section 13 of the DPA for Damage and Distress

Under Section 13(2), an individual is entitled to compensation from a data controller for distress due to a contravention of the DPA by a data controller if (a) the individual also suffers damage by reason of the contravention, or (b) the contravention relates to the processing of personal data for the special purposes (journalism, artistic and literary purposes).

Google argued that the claimants were not entitled to recover compensation. First, the claims did not relate to the processing for any of the special purposes and second, the individuals were not alleging that they suffered pecuniary loss in addition to their distress. Google argued that as the claimants had suffered no material damage and did not meet the requirements of the special circumstances for distress, there was no merit in the case and therefore it should be dismissed.

Previous Cases

There have been a small number of previous cases which have considered whether the claimants are entitled to recover damages for distress. In Johnson v MDU [2007], Lord Justice Buxton concluded that there was “no compelling reason to think that ‘damage’ … has to go beyond its root meaning of pecuniary loss” and therefore “damage” in Section 13 of the DPA meant only pecuniary loss and did not include distress. However, in this case, the Court of Appeal concluded that what was said in Johnson v MDU as to the proper interpretation of section 13 of the DPA was obiter dicta and not binding on the Court. Further, in Murray v Big Pictures (UK) Ltd [2008], the Court of Appeal accepted that it was arguable that Section 13 of the DPA permits recovery for non-pecuniary loss.

Court of Appeal Judgment

Misuse of Private Information

Google argued that the original judgment issued by the High Court, which created the Tort for Misuse of Private Information, was incorrect under law and that the Court was bound by an earlier decision of the Court of Appeal in Douglas v Hello! (No 3) [2006], which classified the matter as a Breach of Confidence as opposed to Misuse of Private Information.

The Court of Appeal held that the observations in Douglas v Hello! (No 3) were obiter and agreed with the High Court that misuse of private information should be recognised as a tort that will support a class action and for the purposes of service out of the jurisdiction. The Court held that this does not create a new cause of action but gives the correct legal label to one that already exists.

The Meaning of Damage in Section 13 DPA

The Court of Appeal considered, among other things, whether there can be a claim for compensation without pecuniary loss. In deciding this issue, the Court looked at whether “damage” under Article 23 of the Directive, which the DPA was intended to implement, includes non-pecuniary loss. Article 23 states that “Member States shall provide that any person who has suffered damage as a result of an unlawful processing operation or of any act incompatible with the national provisions adopted pursuant to this Directive is entitled to receive compensation from the controller for the damage suffered.”

The Court held that because the Directive purports to protect privacy rather than economic rights, it follows that the aim of the Directive must be to compensate those individuals whose data privacy had been invaded by a data controller so as to cause them emotional distress. The Court concluded that Article 23 of the Directive must be given its natural and wide meaning so as to include both material and non-material damage. The Court held that on this interpretation of Article 23 of the Directive, Section 13 of the DPA has not effectively transposed Article 23 into UK domestic law. It held that, because Section 13(2) meant that the individuals in this case were denied an effective remedy for a breach of their rights, as required by Article 47 of the EU Charter, the Court must dis-apply Section 13(2).

The Court dismissed Google’s appeal, holding that the claims raise serious issues which merit a trial.

Whether There is a Serious Issue to be Tried That the BGI is Personal Data Under the DPA

Under Section 1(1) of the DPA, personal data is defined as “data which relate to a living individual who can be identified (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller…”. Google argued that this definition of personal data does not apply in relation to BGI. The BGI data on its own is anonymous, and it does not name or identify any individual. As Google kept the BGI segregated from other data from which an individual could be identified, the second limb of section 1(1) could not apply either.

The Court of Appeal held that it was clearly arguable that the BGI was personal data. This was supported by the terms of the Directive, an Article 29 WP Opinion and the CJEU’s judgment in Lindqvist [2004]. The Court held that the fact that the BGI data does not name the individual is immaterial as it clearly singles them out, individuates them and therefore directly identifies them. As such, the Court of Appeal held that there was a serious issue to be tried as to whether BGI was personal data. The Court concluded that the High Court judge was not plainly wrong, and the matter would be better resolved at trial.

Next Steps and Potential Implications of the Decision

Google now has the option to appeal the Court of Appeal’s decision to the Supreme Court. If the appeal is refused or Google chooses not to appeal the decision, the claimants can proceed with their damages claim.

This case is significant. This decision not only confirms that misuse of private information is a tort, but dis-applies Section 13(2) of the DPA on the basis of incompatibility with the Directive. Subject to a possible appeal to the UK Supreme Court, the decision paves the way for a group (class) action against Google by millions of Britons.

Some view the judgment as an important step towards recognizing an individual’s right to privacy. Others recognize that the decision has the potential to open the floodgates to compensation claims against data controllers where the individual has suffered distress but no pecuniary loss. While the compensation for distress may be modest, data controllers may find that they need to expend significant resources on defending such claims, especially if a number of individuals are affected.

It makes it all the more important that businesses seek to ensure that they comply with the DPA so as to minimise the potential for damages claims. Organisations that address their data protection compliance now will also put themselves in a much better position as and when the new European Data Protection Regulation comes into force.