The English Court of Appeal has recently issued a landmark judgment against Google which could open the door to data privacy litigation in the EU.
The case concerned the collection by Google of Safari users’ browser information, allegedly without their knowledge or consent. In its opinion, the Court of Appeal held that four individuals who used Safari browsers can bring a claim for breach of privacy and that the damages claimed can include distress – even in circumstances where there is no financial loss, as this had been the intention of the EU’s Data Protection Directive. To reach this result, the Court relied on EU legal authorities to override and displace limitations on recovery under the UK Data Protection Act.
The fact that in many potential privacy cases it is difficult to prove a financial loss has often acted as a brake on the development of privacy litigation in the UK. With the Court of Appeal finding that there is a standalone right to bring a claim for privacy and the viability of claims for non-financial loss, privacy claims and litigation in the UK and more broadly in the EU may show significant growth. The Court rejected Google’s argument that the allegations were not serious enough, nor the claimed damages significant enough, to warrant the Court’s intervention. The Court roundly disagreed with this view, holding instead that the alleged tracking and collection of information involved potentially “extremely private” data such as confidential schedules and internet use, and said that “[t]he case relates to the anxiety and distress this intrusion upon autonomy has caused.”
Claims for Breach of Privacy
Previously English courts have been reluctant to acknowledge a standalone right to privacy, instead requiring individuals to bring actions for breach of confidence. This judgment of the Court of Appeal, however, has confirmed that English law recognizes an action for the misuse of private information. The Court opined that this ‘recognition’ does not create a new cause of action but rather gives the correct legal label to one that already exists.
Moreover, by classifying the cause of action as a “tort,” the Court’s decision authorizes service of process outside the jurisdiction, and also provides for the award of mandatory damages rather than the discretionary damages that would have been available under an “equitable” cause of action.
Following this decision, it would appear that the hurdles for privacy litigation have essentially been lowered in the UK as claimants will no longer be required to establish a confidential relationship with the company or individual they are bringing a claim against.
The Meaning of ‘Damage’
For an individual to bring a claim for distress under the UK’s Data Protection Act, the individual must have also suffered financial loss. In the past, this has meant many individuals have struggled to meet this criterion because as noted by the Court of Appeal distress is “often the only real damage that is caused by a contravention.”
In recent cases, the English courts have been loosening this restriction by awarding nominal financial damages so as to allow for an award of distress. However, the Court of Appeal has now taken it one step further and dropped the requirement to have suffered financial loss in addition to distress. The Court of Appeal’s reasoning being that the requirement for an individual to have suffered financial loss contradicted the aims of the corresponding EU Data Protection Directive which are to compensate individuals who have suffered distress as a result of a breach of their privacy rights.
This broad interpretation of the concept of damages should make it easier for individuals to bring claims for breaches of the UK Data Protection Act and is in line with the proposed EU Data Protection Regulation which may be adopted by the end of 2015. Under the proposed Regulation, in addition to potential fines for non-compliance of up to 5 percent of annual worldwide turnover, damages may be awarded for non-financial loss as well as the claims being brought by third parties, such as consumer bodies, on behalf of individuals whose data protection rights have been arguably breached and even without their consent.
Significantly, in the U.S. claims against Google based on this very same conduct were dismissed by a lower U.S. federal court because the plaintiffs could not show enough actual harm to allow them to invoke the jurisdiction of the federal courts. That being said, the FTC and a multi-state group of state attorneys general were separately successful in obtaining multi-million settlements from Google based on this same technology1. (The U.S. federal court decision dismissing the case against Google is currently pending on appeal.)
Broad definition of Personal Data
The Court of Appeal also reinforced the very broad definition of personal data as previously advocated by the Article 29 Working Party (a working group composed of representatives from the EU Member States and the European Commission). Whilst the Court was not required to determine whether or not the browser information collected by Google constituted personal data, it did state that this was arguably the case, asserting that is sufficient information to identify individuals without specifically naming those individuals.
Significantly, the Court found the cookie-tracking information in question could be personal data regardless of whether Google would use the data in its possession to actually identify the relevant individuals. Instead, the Court said that
“the fact that a data controller might not aggregate the relevant information in practice is immaterial. What matters is whether the defendant has ‘other information’ actually within its possession which it could use to identify the subject of the [browser information], regardless of whether it does so or not.”
This not only reasserts the position of the Article 29 Working Party but also highlights the importance for companies when collecting browser information, and other forms of personal data, to obtain the requisite consents and provide adequate data privacy notices to individuals. This is especially important in light of the growth of Big Data as well as the possible new restrictions on profiling under the proposed EU Data Protection Regulation and the Regulation’s significant new enforcement powers.