The UK Court of Appeal found that individuals can be awarded compensation for breaches of data protection laws even where no financial damage exists. In a case where Google sought to block claimants from data protection claims, Vidal-Hall et al v Google, the Court of Appeal found the claimants could pursue claims seeking damages relating to Google’s bypassing of security measures on the Apple Safari internet browser.
The claims allege that Google introduced tracking cookies on Apple’s Safari browser in breach of Apple’s policies, which allowed Google to gather data users’ online behavior, including information about their financial status and ethnicity to be used for targeted advertising. The claimants argue the tracking caused them anxiety and distress.
Because Google’s HQ is in the US, the UK claimants first sought and received permission to serve Google outside the jurisdiction. The Court of Appeal then upheld the High Court’s decision permitting claimants to pursue their claim against Google.
Importantly, the Court of Appeal confirmed that misuse of personal data constitutes a tort entitling claimants to damages as of right. The Court also held that compensation could be claimed for both material and non-material damage even if no financial loss existed, meaning that damage awards may be based on an assessment of the distress caused. With Google’s appeal being dismissed, it paves the way for Google to be served with the claim outside of the UK.
Google, as data controller, could be liable for millions of pounds worth of damages as ten million Britons are thought to have used Safari within the relevant period (September 2011 to February 2012) and are invited to join the class action.
As a result of this case every breach of the UK Data Protection Act 1998 could lead to damages for affected data subjects. Google is therefore unlikely to be the only data controller following this case very closely.