On March 27, 2015, a United Kingdom Court Of Appeal addressed two fundamental but long-unsettled issues in UK privacy law, holding that the right to privacy is an independent tort and that the showing of harm necessary to recover damages does not require economic loss.  The decision was based primarily on the UK’s 1998 Data Protection Act and common law, but the Court’s analysis will likely influence privacy law jurisprudence elsewhere in the European Union and beyond.

In Google Inc v. Vidal-Hall & Ors,the plaintiffs alleged that their browser-generated information (“BGI”) was collected via the Safari browser through the use of cookies, without their knowledge or consent, and contrary to a public representation by the collecting entity.  The plaintiffs’ suit included a claim for misuse of private information and asserted damages based on resulting anxiety and distress—without alleging any pecuniary loss.

The Court acknowledged that many prior decisions treated the violation of privacy rights as a derivative of causes of action such as breach of confidence.  But in view of a jurisdictional issue riding on the nature of the asserted claim, the Court departed from precedent to conclude that “misuse of private information should now be recognised as a tort for the purposes of service out [sic] the jurisdiction.”  The Court claimed that it was not “creat[ing] a new cause of action,” but rather “giv[ing] the correct legal label to one that already exists.”

Turning to the requirement of alleged harm, the Court addressed the Data Protection Act’s goal of implementing the EU Data Protection Directive, which “purports to protect [] privacy rather than economic rights.”  The Court’s analysis of the UK and EU statutory language led it to conclude that the legal framework establishing a “fundamental right” of privacy was not contingent on pecuniary loss.

The Court was then left with the question of whether the collected BGI constituted “personal data” subject to privacy protection, but left that issue for the lower court to determine, stating only that BGI would be personal data if it could be used to (i) identify an individual directly or (ii) render an individual identifiable indirectly, through analysis of the “data and other information which is in the possession of, or is likely to come into the possession of the data controller.”

Ultimately, the Court’s analysis of privacy rights may serve more as an influential decision than a precedential one, given that the EU Data Protection Directive is being phased out with the adoption of the EU’s General Data Protection Regulation, expected later this year.