Upholding Tugendhat J’s judgment in Vidal-Hall et al -v- Google (2014), the Court of Appeal has confirmed that (1) misuse of private information is a distinct tort and (2) claimants may recover damages under the Data Protection Act 1998 (DPA) for non-pecuniary loss.

Misuse of private information

This decision is significant as it confirms that breach of confidence and misuse of private information are distinct causes of action. Claimants will no longer be constricted by the requirement, when making a claim for breach of confidence, to demonstrate that a relationship importing an obligation of confidence with the data controller exists.

‘Damage’ in section 13 DPA

Any claimant bringing a claim in circumstances where their personal data has been compromised would invariably find it difficult to demonstrate that they have suffered a financial loss. The Court of Appeal has, however, held that the term ‘damage’ under the DPA should be interpreted broadly. This confers a right to compensation for non-material damage, thereby removing what has to date been perhaps the most arduous hurdle for any claimant looking to bring a claim for invasion of privacy.


In reaching this decision, the Court of Appeal has essentially brought forward one of the key provisions of the EU’s much-vaunted draft ‘General Data Protection Regulation’, which is still at least a year away from being incorporated into national law. Any new tort is big news and, coupled with an expansive interpretation of ‘damage’ under the DPA, suggests that the landscape of privacy liability has entered a new era. Insurers are potentially going to see a rise in the number of claims made under privacy liability insuring clauses and maybe even a marked increase in demand for cyber products.