Scope for damages for data protection violations in the UK widened by the Court of Appeal
The English Court of Appeal recently gave judgment in a case arising out of the tracking of Internet behaviour via a web browser. In Vidal-Hall v Google [1], the Court of Appeal found that:
- The developing English law of “misuse of private information” was properly classified as a tort. This can be an important issue when an English claimant – as here – would like to bring proceedings against a non-English defendant.
- Damages for “distress” could be claimed for breaches of UK data protection law even where there is no monetary loss. In so finding, the Court found a provision of the UK Data Protection Act 1998 (which said otherwise) incompatible with the EU data protection directive (95/46/EC) (the “Directive”) and so declared it “inapplicable”; effectively (in a constitutional rarity) striking it from the statute book.
- It was “clearly arguable” that the “browser generated information” collated by Google was “personal data” within UK (and EU) data protection rules.
At the moment, the case remains at a preliminary stage and further decisions will be awaited with interest.
Three users of the Safari internet browser lodged a claim against Google after discovering that between 2011 and February 2012 Google had circumvented the browser's default security settings and collected private information about their internet usage without their knowledge or consent (by the use of an operation that has become known as the ‘Safari workaround’).
Since the summer of 2011, all versions of Safari have had their default security settings set to block third party cookies. The main reasoning behind this default setting was to prevent advertising-related tracking without the knowledge/consent of the user. The default setting ensures that cookies from third party advertisers are not placed in users’ browsers unless the user actively chooses to change their security settings and enable them.
Following this, Google bypassed the default privacy settings by implementing the Safari workaround. The workaround allowed temporary third party cookies to be installed on users’ systems and for browser-generated information (“BGI”) to be collected from the cookies. The cookies were applied to track users’ online activities and this information was then used to group individual users into categories. The information was used by Google’s ‘doubleclick’ advertising service, which allowed advertisers to target advertisements based on the claimants’ interests. The tracking of the claimants’ BGI was contrary to Google’s publicly stated position that such activity could not be conducted for Safari users unless they had opted to enable cookies.
The Legal Issues
The claimants each brought claims against Google for (i) breach of confidence; (ii) misuse of private information; and (iii) breach of statutory duty under the Data Protection Act 1998 (“DPA”), by the tracking and collating of information relating to the claimants’ online behaviour without their knowledge or consent.
The claimants could not proceed without the High Court’s permission to serve proceedings abroad (since Google Inc is not within the jurisdiction). As a matter of English law process, a claim can only be served outside England if it falls within a limited number of “jurisdictional gateways” (set out in Civil Procedure Rules Practice Direction, paragraph 6B). For present purposes, they had to persuade the court that misuse of personal information should be classified as a tort (fulfilling the gateway requirement of CPR PD 6B, 3.1(9) - which provides for service out of jurisdiction where a claim is made in tort where (i) damage was sustained within the jurisdiction; or (ii) the damage sustained resulted from an act committed in the jurisdiction).
Permission was granted by the High Court since the court agreed with the claimants that:
(i) the claimants had a good arguable case in relation to both misuse of personal data and breach of the DPA;
(ii) there was a serious issue to be tried as the claimants’ rights under Article 8 of the European Convention of Human Rights had been engaged and so they were entitled to an effective remedy; and
(iii) England was clearly the appropriate forum for the trial of the dispute – the claimants were residents in England and bringing proceedings in the US would likely be very burdensome. In addition, the issues of English law that Google raised were complex and in a developing area; it would be better for the issues to be resolved by an English court, with the usual right of appeal, rather than by a US court.
In considering Google’s appeal, the Master of the Rolls and Sharp LJ, giving a joint judgment, made determinations in respect of two key issues of English privacy and data protection law: (i) whether misuse of private information is a tort for the purposes of CPR PD 6B para 3.1(9); and (ii) the meaning of damage in section 13 of the DPA (in particular whether there can be a claim for compensation under the DPA without pecuniary loss). There was also an important discussion on the meaning of “personal data”, a fundamental concept in UK and EU data protection law.
“Misuse of private information” was a tort
The Court of Appeal thought that, with the possible exception of Douglas v Hello! (No 3) [2], this was the first case in which the classification of misuse of private information had made a difference. If this were not a tort, then the claimants would not be entitled to bring their claim within the jurisdiction.
The Court of Appeal, dismissing Google’s appeal, found that English law recognises redress for misuse of private information. This was distinguishable from a breach of confidence claim. The new cause of action was a tort whilst breach of confidence – given its history – was not. This was the first time the issue had been specifically addressed. The court emphasised that this reading of the law did not create a new cause of action but simply gave the correct legal label to one that already exists. The judgment traced the history of this recent development.
In 2003, in the case of A v B plc [3], the Court of Appeal considered the application of Articles 8 and 10 of the European Convention of Human Rights [4] (the “ECHR”, incorporated into English law by the Human Rights Act 1998 (the “HRA”)) alongside the action for breach of confidence. Lord Woolf CJ noted that the ECHR provided new parameters within which the courts would decide actions for breach of confidence by “absorbing the rights which articles 8 and 10 protect into the long-established action for breach of confidence.”
Lord Woolf’s notion in A v B plc of the “absorption” of the rights protected by Articles 8 and 10 into breach of confidence has evolved into a separate area - misuse of private information. In Campbell v MGN [5] the defendant newspaper published articles that disclosed the drug addiction of the famous model, Naomi Campbell, and the fact that she was receiving therapy through a named self-help group. The newspaper had also given details of group meetings she had attended and showed photographs of her in the street as she was leaving a group meeting. She sought damages against the newspaper for breach of confidentiality. In his highly influential judgment in Campbell, Lord Nicholls commented that the use of terminology such as “breach of confidence” was misleading in situations like that under discussion. It was straining language to say that information about an individual’s private life was ‘confidential’. He went on: “The more natural description today is that such information is private. The essence of the tort is better encapsulated now as misuse of private information.”
Lord Nicholls developed misuse of private information further in OBG Limited v Allan [6] where he said “as the law has developed, breach of confidence, or misuse of confidential information, now covers two distinct causes of action, protecting two different interests: privacy, and secret (‘confidential’) information. It is important to keep these two distinct. ... Privacy can be invaded by further publication of information or photographs already disclosed to the public."
This distinction was important for present purposes. Breach of confidence was an “equitable wrong” and not a tort. But what was “misuse of private information”? The Court of Appeal stressed that the two wrongs rested on different legal foundations and protected different interests: secret or confidential information on the one hand and privacy on the other. On that basis, the focus of the actions is also different. The Master of the Rolls concluded that “against this background, we cannot find any satisfactory or principled answer to the question why misuse of private information should not be categorised as a tort for the purposes of service out of the jurisdiction. Misuse of private information is a civil wrong without any equitable characteristics. … [I]f one puts aside the circumstances of its “birth”, there is nothing in the nature of the claim itself to suggest that the more natural classification of it as a tort is wrong.”
Meaning of “damage” in section 13 DPA
The claimants did not suffer any monetary loss, but alleged that they suffered “distress” which should be compensated.
Article 23 of the Directive required member states to implement an entitlement for individuals “to receive compensation from the controller for the damage suffered" as a result of a breach of data protection rules. This has been implemented into UK law by section 13 of the DPA, subsection (2) of which states: "
(2) An individual who suffers distress by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that distress if—
(a) the individual also suffers damage by reason of the contravention, or
(b) the contravention relates to the processing of personal data for the special purposes."
As the “special purposes” were not relevant here, sub-section (2)(a) provides in effect that the claimants could not claim compensation for distress unless they also suffered “damage” (i.e. pecuniary damage). It was accepted that there was no actual monetary loss by the claimants here. The issue therefore was whether the UK had properly implemented Article 23. In turn that meant deciding, first, whether Article 23 included non-pecuniary loss (compensation for distress) within the term “damage” (distress or any equivalent language not being mentioned). Secondly, if the UK had not properly implemented Article 23 the next issue was whether section 13(2) should be disapplied in so far as it is incompatible with the Directive obligation.
Google attempted to rely on comments made in Johnson v MDU [7] which would have prevented the claimants here succeeding on the basis of the rules of precedent. There, Buxton LJ had stated that pecuniary damages were a pre-requisite to damage. However, the Court of Appeal in the present case considered such comments to be obiter dicta (a discussion not necessary for a particular decision) and therefore strictly not binding. (As an aside, despite the strictness of this interpretation in Johnson, which had been followed in many first instance cases, the courts had been creative in finding nominal compensation for pecuniary loss (as low as £1) as a gateway for an award of substantial compensation for distress.)
The Court of Appeal therefore approached the issue from the starting point of the Directive. The judges said that “damage” in Article 23 must be given its natural and wide meaning so as to include both material and non-material damage. They reached this conclusion on the basis that what the Directive purports to protect is privacy rather than economic rights and that it would be strange if the Directive could not compensate those individuals whose data privacy had been invaded so as to cause them emotional distress (but not pecuniary damage).
This then led to the issue of whether Section 13(2) of the DPA could be construed consistently with the meaning of Article 23. The Court of Appeal found that this was not possible. The reasoning behind this was that section 13(2) specifically prescribed the circumstances in which an individual who suffers distress by reason of a contravention of the requirements of the DPA by a data controller is entitled to compensation. Parliament had made the decision not to permit compensation for distress in all cases. Instead, it produced a scheme permitting compensation for distress in only certain tightly defined circumstances. Accordingly, the Court of Appeal should not, under the guise of interpretation, subvert Parliament's clear intention to provide section 13 of the DPA with a different meaning to that of Article 23.
It not being possible to reach a consistent construction, the Court of Appeal considered whether section 13(2) should instead be disapplied in so far as it was incompatible with Article 23. The court referred to the recent decision of Benkharbouche and Janah v Embassy of Sudan [8] in which the Court of Appeal stated:
“(i) where there is a breach of a right afforded under EU law, article 47 of the EU Charter of Fundamental Rights (the “Charter”) is engaged (the right to an effective remedy and to a fair trial);
(ii) the right to an effective remedy for breach of EU law rights provided for by article 47 embodies a general principle of EU law;
(iii) (subject to exceptions which have no application in the present case) that general principle has horizontal effect;
(iv) in so far as a provision of national law conflicts with the requirement for an effective remedy in article 47, the domestic courts can and must disapply the conflicting provision; and
(v) the only exception to (iv) is that the court may be required to apply a conflicting domestic provision where the court would otherwise have to redesign the fabric of the legislative scheme.”
The Court of Appeal considered the present case to fall within these principles. Article 47 was engaged as a result of the claimants’ claims that their rights under Articles 7 and 8 of the Charter [9] had been breached, and all that was required in order to make section 13 compatible with EU law was the disapplication of section 13(2). This did not equate to the court having to “redesign the fabric of the legislative scheme”, nor did this approach permit the court to subvert Parliament’s desired interpretation of section 13(2).
The consequence of this is that compensation is recoverable under section 13(1) for any damage suffered as a result of a contravention by a data controller of any of the requirements of the DPA.
The application of data protection law depends on the fundamental term “personal data”: if data is not personal, then that law will not apply. The UK definition of this term is set out in section 1(1) of the Data Protection Act 1998 and reads: ““personal data” means data which relate to a living individual who can be identified—
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller…”
The UK Court of Appeal had already dealt with one important aspect of this case, in the well-known Durant v FSA [10] decision of 2003. The issue thrown up by this case was the correct meaning of the concept of “identification”. As can be seen, there are two types of identification envisaged in this language: when data falls within paragraph (a), it is sometimes said, the individual can be “directly” identified; when within (b), they can be “indirectly” identified.
The issue on “direct” identification is in effect the crux of a debate that has raged in privacy circles for some time (particularly in the context of IP addresses): whether there is a need for “real” identification, namely to be able to actually find the individual by name (or otherwise) in the real (physical) world; or whether, on the other hand, “virtual” identification (the ability to deal with a particular person differently from other persons based on a history of such dealings, having kept track of them by some virtual means) suffices, even when it is impossible to actually find that person in the real world.
Regulators had long asserted jurisdiction over the accumulation of data by reference to online identifiers, arguing that it was immaterial that such identifiers did not name the user. Citing regulatory guidance on this point, in particular that of the Article 29 Working Party [11], the Court found that the possibility that BGI was personal data (direct identification) was clearly arguable.
Indirect identification was possible in this case in two ways.
First, on the basis that Google itself had other data (e.g. Gmail account data) which could be aggregated with the BGI data to identify an individual. Google’s argument that this other data was segregated from BGI data and would not be used in such a manner was held to be irrelevant. The Court of Appeal reiterated that the test in the definition was only concerned with whether data could be used to identify an individual.
Secondly, the Court of Appeal discussed whether there was potential identification of the claimants by third parties viewing the claimants’ screens (and seeing their characteristics displayed as part of the targeted advertisements). Google argued that the knowledge of a third party was not likely to come into the possession of Google and so could not be taken into account in deciding whether Google was processing “personal data”. The Court of Appeal was perhaps less robust on this aspect, but given the earlier conclusions on the other two routes to identification, it simply said that all these issues were not straightforward and it was unnecessary to discuss them further at this stage. The Court was not persuaded that the issue was not arguable.
There had already been litigation concerning the Safari workaround in the USA. In August 2012, Google agreed to pay a civil penalty of US$22.5 million to settle charges brought by the US Federal Trade Commission that it misrepresented to users of the Safari browser that it would not place tracking cookies or serve targeted advertisements to those users. In addition, in November 2013, Google agreed to pay US$17 million to settle consumer-based actions brought against it by the attorneys general representing 37 US states and the District of Columbia.
In the UK, we are some way from finality on the merits. It remains to be seen whether Google will appeal this judgment to the Supreme Court. If not, the claim will proceed in the normal manner and the subsequent trial will be watched with interest.
Nonetheless, even at this stage, this decision is notable for a number of reasons:
- It confirms that in England there is legal redress for misuse of private information. Although this evolved (as a result of the Human Rights Act) out of the law of breach of confidence, it is separate from it. This will often be applicable in parallel to claims under the UK Data Protection Act.
- Misuse of private information as a legal wrong is a “tort” and so service can be effected against non-UK defendants out of the jurisdiction.
- An individual can, according to the EU data protection directive, claim for damage for distress without proving a pecuniary loss; and the provision of the UK Data Protection Act which stated otherwise has been “disapplied”.
- The Court of Appeal discussed the opinions of the Article 29 Working Party (perhaps the first time any of the higher appellate courts have done so in the UK). The opinions were quoted to show that the position of the claimants on the definition of personal data was “clearly arguable”.
- It was clearly arguable, said the court here, that online behaviour can be used to identify an individual even without the web service provider (here Google) being able to identify the individual by name (in other words, in the real world).
1) Vidal-Hall and others v Google Inc  EWCA Civ 311
2) Douglas v Hello! (No 3)  EWHC 55 (Ch);  EMLR 60
3) A v B plc  EWCA Civ 337;  QB 195.
4) Article 8 ensuring the right to privacy; Article 10 ensuring the right to freedom of expression.
5) Campbell v MGN  2 AC 457.
6) OBG Limited and others v Allan and others; Douglas and another and others v Hello! Limited and others; Mainstream Properties Limited v Young and others and another  1 AC 1.
7) Johnson v MDU  EWCA Civ 262;  EWCA Civ 262
8) Benkharbouche and Janah v Embassy of Sudan and others  EWCA Civ 33
9) Since the Lisbon Treaty entered into force in 2009, the Charter has been of the same legal value as the European Union treaties. Much of the Charter is based on the European Convention on Human Rights (the “Convention”), however it also provides greater rights protection in certain areas. Article 7 of the Charter corresponds with Article 8 of the Convention, and deals with respect for private and family life. Article 8 of the Charter provides for an additional right – to the “protection of personal data”.
10) Durant v Financial Services Agency  EWCA Civ 1746.
11) The Working Party on the Protection of Individuals with regard to the Processing of Personal Data was set up by Article 29 of the Directive in an attempt to ensure a consistent application of the Directive. There are 28 members of the Article 29 Working Party: the principal data protection regulators in each of the member states. It issues opinions and other papers which, although not binding as an interpretation of the law (a function reserved for the national courts), are nonetheless important.