The Court of Appeal has recently decided on two important issues of law arising out of litigation between Google Inc (“Google”) and three private individuals regarding the “Safari Workaround”. The first related to misuse of private information as a tort for the purposes of service of proceedings out of the jurisdiction; the second related to the meaning of “damage” under section 13 of the Data Protection Act 1998 (“DPA”).
In the proceedings, three claimants brought a claim in relation to the “Safari Workaround”, which Google used to bypass the default settings on the Apple iOS browser, Safari, to track the browsing habits of users. Google used cookies to gather browser generated information (“BGI”) about Safari users, without their knowledge or consent and despite their policy stating the contrary; the BGI was then sold to third parties, who used it to target advertisements to the claimants’ based on their previous browsing. The claimants claimed for misuse of private information and/or breach of confidence, as well as breach of the DPA.
The Issues on Appeal
There were, to the Court’s mind, four issues raised in the appeal:
- whether misuse of private information was a tort for the purposes of service outside of the jurisdiction;
- the meaning of damage in section 13 DPA and, in particular, whether there can be a claim for compensation where there had been no pecuniary loss;
- whether there was a serious issue to be tried that the BGI is “personal data” under the DPA; and
- whether there was a real and substantial cause of action in relation to the claims for misuse of private information and under the DPA.
Misuse of Private Information
On the first point, the Court’s starting point was that, if it came to the conclusion that a claim for misuse of information is not a tort, but is instead a claim for breach of confidence, the requirement for a “tort” would not be satisfied and the claimants would not be able to serve their claim on the defendant. However, after careful consideration, the Court held that misuse of private information should now (after previous unclear case law) be recognised as a tort for the purposes of service outside the jurisdiction. The Court was keen to point out that this did “not create a new cause of action”, but “simply gives the correct legal label to one that already exists” .
Section 13 DPA and Damages
The second issue arose because, as part of the proceedings, the claimants had claimed that their “personal dignity, autonomy and integrity” had been damaged, and they claimed damages for “anxiety and distress”. In respect of their claims under the DPA, they claimed compensation under section 13 DPA. However they did not claim any pecuniary loss.
Section 13(1) provides an individual with a right to compensation for damages for breach of the DPA and under section 13(2) a right to compensation for distress where (a) damages are also suffered or (b) where the breach relates to processing of personal information for journalistic, artistic and literary purposes. The key question which arose was whether an individual needs to have also suffered financial loss in order to bring a claim in respect of distress as, in the past, claimants have often struggled to demonstrate financial loss. The Court of Appeal decided that financial loss was not necessary, and section 13(2) would not be compatible with the EU Data Protection Directive. In particular, the Court observed that it would be “strange if the Directive could not compensate those individuals whose data privacy had been invaded… so as to cause them emotional distress (but not pecuniary damage)”. It therefore held that section 13(2) should be disapplied, the effect of which “would be that compensation would be recoverable under section 13(1) for any damage suffered as a result of a contravention by a data controller of any of the requirements of the DPA” .
Is BGI Personal Data?
As regards the third issue, the Court applied the tests for “personal data” as set out in section 1(1) DPA, namely whether the information relates to (a) a living individual who can be identified from the data itself, or (b) an individual who is “identifiable” from those data and other information which is in possession of, or is likely to come into the possession of, the data controller. One line of argument advanced by the defendant was that BGI would not constitute “personal data” because it does not name or identify an individual, whilst the claimants countered this, arguing that identification is about data that "individuates" people and distinguishes them from others. It was the claimants' position that BGI allows companies to single out individual users using their ISP address, the websites they visit and often their geographical location. The claimants went further too, asserting that the use of targeted advertising has the potential to reveal sensitive personal information about users to third-party viewers.
The Court of Appeal held that the issues raised as to whether BGI was personal data were by no means clear-cut or straightforward but were arguable, noting that the detailed arguments they heard reinforced their view that there were serious issues to be tried both on the law and the facts. Interestingly, the Court commented that on a literal interpretation of section 1(1)(b), it was possible for the information in question to be personal data, even if Google never had the intention to use the data in its possession to actually identify the individuals it collected the data from. What matters is whether “the defendant has ‘other information’ actually within its possession which it could use to identify the subject… regardless of whether it does so or not” .
Real and Substantial Cause of Action
Drawing to its conclusion, the Court held that the claimants had an arguable case that their Article 8 rights (to private and family life) under the European Convention on Human Rights were engaged and that although compensatory damages may be modest, the issues of principle concerning damages were large. The issues involved, in the alleged secret and blanket tracking and collation of information, which is often extremely private in nature, were therefore in the Court’s view serious issues which merited a trial. The appeal was therefore dismissed.
This judgment represents a significant development in data protection law as it removes the requirement for individuals to show pecuniary loss and now provides a legal basis for “distress” only claims for breach of the DPA. This could lead to a deluge of compensation claims for breaches of the DPA and could have serious consequences for all data controllers, not just Google and other ISPs. There may also be a wider knock-on effect within the EU if individuals in other Member States use this judgment to pave the way for non-pecuniary "distress" claims in their own jurisdictions.
The outcome of the case following trial could also have significant implications for ISPs and online advertising if BGI is judged to be personal data. As the Court indicated, the intention of data controllers regarding whether they will use the information to identify individuals is irrelevant; what is key is that they have the capability to identify an individual with any other information they possess.
The misuse of private information aspect of the case at trial could also prove to be a key development in the law of privacy, which the Court noted has been evolving in recent years from before and since Douglas v Hello! Ltd.
Whether the case will however proceed to trial still hangs in the balance, as it is understood that Google has now sought permission to appeal the judgment to the Supreme Court. It could therefore be quite some time before the issues concerning BGI and misuse of private information are fully determined.