Briefing

Information Matters: Data Protection Breaches: update on compensation

Posted by: Henry Sainty and Emily Arnold | Date posted : 09/04/2015

The Court of Appeal has dismissed an appeal by Google to prevent users from pursuing it in the UK Courts and has found that: (i) users can claim compensation for breach of the Data Protection Act 1998 (DPA) for distress where they have not suffered pecuniary damage and (ii) there was a serious issue to be tried that Browser Generated Information is personal data for the purposes of the DPA (Google Inc. v Vidal-Hall (and others) [2015 EWCA Civ 311]).

Background

The claimants in this case - three individuals - claim that Google collected private information about their internet usage between 2011 and 2012 via their Apple Safari browsers  without their knowledge and consent via the use of cookies (Browser Generated Information, or BGI). They alleged that Google aggregated this BGI and offered it to advertisers who used it to target adverts to the claimants. This was contrary to Google's publicly stated position that such activity could only take place where Safari users had expressly given their consent to such use of their BGI.

The claimants began their proceedings in June 2013 and claimed damages from Google on the basis of: (i) misuse of private information; (ii) breach of confidence; and (iii) breach of the DPA. And whilst the full trial is yet to take place, this particular issue arose because the claimants needed to apply to serve proceedings on Google outside of the UK (in California, where Google has its principal place of business).

The Appeal

Four issues were raised in the appeal:

(i)  whether misuse of private information is a tort for the purposes of service outside the jurisdiction;

(ii)  the meaning of "damage" in section 13 of the DPA and whether there can be a claim for compensation where there is no pecuniary (ie, financial) loss;

(iii)  whether there is a serious issue to be tried - ie, that BGI is "personal data" under the DPA -  as is necessary to justify service outside of the jurisdiction; and

(iv)  whether, in relation to the claims for misuse of private information and under the DPA, there is a real and substantial cause of action.

Misuse of private information

Regarding the first question, the Court held that misuse of information is a tort for the purposes of service outside the jurisdiction. This was the case even though it evolved out of the equitable cause of action of breach of confidence.

Compensation without pecuniary loss

In a striking move, the Court found that there could be a claim for compensation under the DPA without it being necessary for the claimants to show they had suffered any pecuniary loss.

It was common ground that, on a literal interpretation of the DPA, the claimants would not be able to claim compensation for distress alone. Although section 13(2) of the DPA provides that an individual who suffers distress by reason of a contravention of the DPA may be entitled to compensation, this will only be the case if: (a) the individual also suffers damage; or (b) the contravention relates to the processing of personal data for one of the "special purposes" defined in the DPA (journalism, artistic or literary purposes). Neither of these applied on these facts.

However, the Court held that section 13(2) should be disapplied as it conflicts with the rights guaranteed by Article 7 ("respect for private and family life, home and communications") and Article 8 ("right to the protection of personal data") of the EU Charter of Fundamental Rights. The Court used Article 47 of the Charter - which provides that "everyone whose rights and freedoms guaranteed by the law of the Union are violated has the right to an effective remedy" – to disapply section 13(2) of the DPA. In the words of the Court, what was required to make section 13(2) compatible with EU law was "the disapplication of section 13(2), no more and no less".

Is there a serious issue to be tried – is BGI personal data under the DPA?

The Court found that it was "clearly arguable" that BGI falls within the definition of "personal data" provided at section 1(1)(a) of the DPA ie, data "which relates to a living individual who can be identified from the data itself". The Court noted that it was immaterial that BGI does not in fact name the user as the BGI tells Google a host of other information about the user – including their complete browsing history.

Separately, the Court rejected Google's argument that BGI could not fall within the definition of personal data contained at section 1(1)(b) of the DPA – ie, data which "relates to an individual who is identifiable from those data and other information which is in the possession of (or is likely to come into the possession of) the data controller" if it did not fall within the definition at section 1(1)(a) of the DPA. The Court held that it was irrelevant, for these purposes, that Google was in the practice of segregating the BGI from other data which it has obtained from the claimants (such as information about the claimants' Gmail accounts).

Substantial cause of action

Overall, the Court found that the claims did raise serious issues which merit a trial, as they relate to the secret and blanket tracking, collation and use over an extended period of information which was often extremely private. While the Court acknowledged that any compensatory damages may be small, it found that "the issues of principle are large".

Comment

The judgment is significant as the Court - notwithstanding the previously settled position under section 13(2) of the DPA - seems to have opened up the possibility for claimants to claim compensation for breach of the DPA in cases where they have suffered no pecuniary damage. Of course, it remains to be seen to what extent the courts will follow suit, but it seems possible that this may lead to a wave of claims against Google and perhaps other search engines for breaches of the DPA. The case is a striking reminder to data controllers of the importance of complying with their obligations under the DPA and the need to obtain the consent of website users and other data subjects to any use of their personal data which goes beyond the routine processing of their non-sensitive information.

Click here to read more posts from Information Matters.

If you require further information on anything covered in this briefing please contact Henry Sainty (henry.sainty@farrer.co.uk; 020 3375 7424) or Emily Arnold emily.arnold@farrer.co.uk; 020 3375 7601) or your usual contact at the firm on 020 3375 7000.  Further information can also be found on the Intellectual Property & Technology page on our website.

This publication is a general summary of the law.  It should not replace legal advice tailored to your specific circumstances.

© Farrer & Co LLP, April 2015