In an important ruling, the Court of Appeal confirmed that misuse of private information is a tort and rules on the meaning of “damage” under s13 of the Data Protection Act (DPA), allowing claimants to recover compensation for “distress” resulting from a breach of the Act without also having to prove pecuniary losses.
Vidal-Hall and others v Google Inc
The Court of Appeal has handed down a judgment confirming that:
- misuse of private information is a tort
- claimants may recover damages section 13 of under the DPA for non-pecuniary losses
- it is strongly arguable that “browser generated information” collected via cookies may be “personal data” for DPA purposes.
The effect of this case is that individual data subjects may now seek compensation for breaches of the DPA purely by asserting that they have suffered “distress”, despite not suffering financial loss.
We expect that this judgment will result in a significant increase in the volume of civil actions brought by individuals under the DPA, either on an individual basis, or as a group (as in Vidal-Hall). Distress claims also might be added to wider claims such as defamation and employment disputes.
Additional background and detail:
Essentially the claim in Vidal-Hall stems from the revelation that Google used cookies to collect “browser generated information” (BGI) from users of Apple’s Safari web browser. By collecting BGI, Google was able to track Safari users’ internet usage in order to target advertising at those users more effectively. For example, Google might direct adverts for a hotel or airline to a user who had been researching a holiday. Safari users had not consented to Google’s collection of information generated by their browsers. Alongside claims for misuse of private information and breach of confidence, the claimants sought compensation under the DPA, on the basis that Google’s activities had breached the Act. The claimants did not, however, disclose any financial loss.
Article 23 of the current EU Data Protection Directive required member states to implement provisions allowing a person who has “suffered damage” as a result of a data protection offence to obtain compensation from a responsible data controller. The UK implemented this requirement through section 13 of the DPA.
DPA section 13 draws a distinction between damage and distress. An individual suffering “damage” may recover compensation for that damage; by contrast an individual suffering “distress” may generally only recover compensation for where he or she also suffers financial damage. In almost all cases, a claimant must therefore show pecuniary loss to recover compensation under section 13.
In Johnson v MDU the High Court rejected the argument that the term “damage” as used in the Directive was not restricted to pecuniary loss, since it referred to any sort of damage recognised by member states’ domestic laws. It found that there was no compelling reason for the term “damage” to be extended beyond pecuniary loss.
The Vidal-Hall judgment
The present judgment relates to the claimants’ application to serve proceedings on Google outside the jurisdiction. Since the claimants had disclosed no pecuniary loss for Google’s alleged breaches of the DPA, (it is not the final judgment on the issues in question) the Court of Appeal was required to revisit the recoverability of non-pecuniary losses under the DPA to decide whether they had an arguable loss.
The court found for the claimants. Since the primary aim of the European data protection regime was to safeguard privacy, rather than economic rights, it would be odd if a data subject could not recover compensation for an invasion of his or her privacy purely because there was no pecuniary loss. Accordingly the term “damage” as used in the Directive should be construed to include non-pecuniary losses.
The court also ruled that it was clearly arguable that the BGI did constitute personal data on the basis that it “individuates”, or singles out the individual, and distinguish him from others. This was regardless of the fact that: i) the BGI did not name the individual and ii) Google asserted that it had no intention of linking the BGI with other data that Google held and which could lead to the individual being identified. The court did not have to determine the issue finally – only establish that there was a clearly arguable case. If the case does go to a full trial for resolution, then data practitioners can look forward to some valuable guidance on this issue and questions on “identification” more generally.