Google has been given permission to appeal an earlier ruling that claims can be brought for distress under the Data Protection Act 1998 (DPA) even where the claimant has suffered no financial loss .
Vidal-Hall & Others v Google – the distress dispute continues
The individual claimants in this case brought proceedings against Google in respect of what has become known as ‘the Safari workaround’ – that is, use of a Google cookie to collect information about, and send targeted advertising information to, internet users who thought that such activity was blocked by the Safari browser unless the user gave consent. Earlier in the year we reported the landmark decision of the Court of Appeal which meant that the claims could progress even though the claimants had suffered no financial loss .
The Supreme Court has now given permission for Google to appeal findings that section 13 (2) DPA (which requires “damage” to be suffered before compensation for distress caused by a DPA breach can be awarded) is incompatible with the Data Protection Directive (95/46/EC) and therefore that section 13 damage can include non-pecuniary loss such as distress; and that section 13 (2) DPA conflicts with Articles 7 (respect for private and family life) and 8 (protection of personal data) of the EU Charter of Fundamental Rights.
The law currently allows claims from those who suffer distress, but not necessarily financial loss, as a result of data protection breaches. It remains to be seen, when the Google’s appeal goes ahead, whether the Supreme Court agrees with the Court of Appeal that it is the distressing invasion of privacy which our laws seek to protect, as opposed to the suffering of monetary damage alone.
The full trial of the case should settle this key question and also analyse whether behavioural data collected by cookies is protected personal data. The case will be of interest to data controllers, internet service providers and online advertisers alike. In addition, for so long as the law remains as it now is, employers should be aware of the increased risk of employees seeking to bring DPA distress claims and will be well advised to be even more vigilant than ever with the data within their control.
We will continue to report on developments. In the meantime, the best approach remains that privacy rights and data should be protected to the utmost, and policies and processes should be reviewed and updated regularly to ensure compliance.