Legal Update: Vidal-Hall and Others v Google Inc
Last month, the Court of Appeal handed down judgment in Vidal-Hall and Others v Google. The appeal was only on preliminary issues and it looks like there will be a subsequent appeal before the substantive matter reaches trial. However, this decision is likely to have a far-reaching impact on UK data protection and privacy law. The decision makes it significantly easier to bring a claim for damages for data protection violations. It also paves the way for a trial that could revolutionise the way online giants generate their income.
In the last few years, targeted advertising has become the focus of digital marketing. Most advertising platforms and social networks now offer targeted advertising services to advertisers.
In the UK 3 individuals launched a test case against Google. Each owned Apple computers and accessed the internet via the Safari browser during the relevant period. The claimants alleged that Google’s workaround revealed private information about them to other users of the computer and to onlookers.
The claimants brought a claim for misuse of private information, and for breach of the Data Protection Act 1998 (the “Act”). They sought damages for anxiety and distress. As Google is not based in the jurisdiction, permission had to be sought and was granted to serve Google in California. Google applied for an order to set aside this permission and sought a declaration that the English court did not have jurisdiction to try the claims. The High Court rejected Google’s application. Google appealed the High Court decision to the Court of Appeal.
The points to be decided on appeal were:
- Whether misuse of private information is a tort for the purposes of serving out of the jurisdiction in other words a purely procedural issue;
- The meaning of “damage” in Section 13 of the Act, in particular, whether there can be a claim for compensation without pecuniary loss;
- Whether there is a serious issue to be tried that the BGI is personal data under the Act; and
- Whether in relation to the claims for misuse of private information and under the Act there is a real and substantial cause of action.
Tort of Misuse of Private Information
In order for the claimants to serve a claim form out of the jurisdiction they had to establish that the misuse of private information was a distinct cause of action – a tort. The Court of Appeal found in favour of the claimant that misuse of private information was a tort for these purposes. The judges emphasized that they were not creating a new cause of action they were just giving an existing one its correct label.
The Meaning of “Damage” Under the Act
Section 13 of the Act:
Compensation for failure to comply with certain requirements
(1) An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage.
(2) An individual who suffers distress by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that distress if–
(a) the individual also suffers damage by reason of the contravention, or
(b) the contravention relates to the processing of personal data for the special purposes.
(3) In proceedings brought against a person by virtue of this section it is a defence to prove that he had taken such care as in all the circumstances was reasonably required to comply with the requirement concerned.
The claimants had to show that if Google is in breach of the Act then they would be entitled to a remedy. Up until now damages have been one of the biggest hurdles in privacy cases. The Act sets out when damages can be obtained for breach of the Act. Section 13(2) of the Act clearly provides that in these circumstances damages for distress cannot be claimed in the absence of material damage. Google argued that this meant the case should be dismissed. However, The Court of Appeal disagreed and ruled that they could not interpret Section 13(2) compatibly with EU law safeguarding privacy rights and therefore the judges disapplied Section 13(2). Although this point may be the subject of an appeal, at present this decision sets a precedent for enforcing privacy rights on the grounds of “moral damage” without also having to demonstrate financial loss.
Whether BGI is Personal Data Under the Act
In order for the claimants to have a cause of action they must demonstrate that BGI constitutes “personal data” as defined in the Act. Until this case the definition in the legislation has been interpreted strictly to mean information which more or less identifies a person by name. The claimants argue that information such as IP addresses and what websites a user has visited are personal as they single out the user and distinguish them from others. Whilst the judges ruled that they did not need to decide the merits of the claim, they did decide that the case for BGI constituting personal data under the Act is clearly arguable and therefore a substantive issue which needed to be considered at full trial.
Real and Substantial Cause of Action
Google argued that the value of the claims involved in the case were insignificant especially when compared with Google’s estimated legal costs of $1.2 million. However, the Judges stated that although claims for breach of the Act would involve “relatively modest” sums in damages in their view the “damages may be small but the issues of principle are large”.
Impact for Google:
The ICO intervened in these proceedings. The ICO have been widely criticised for their treatment of Google complaints. Whilst they have carried out investigations into complaints in relation to privacy violations they have not as yet taken any enforcement action, in contrast to their colleagues in other countries: in the US, as a result of the Safari workaround, Google received a record fine of $22.5 million from the Federal Trade Commission. The French privacy body, the CNIL, also fined Google €150,000 in January 2014 for failing to comply with data protection legislation. It will be interesting to see if this Judgment forces the ICO to reassess its approach.
In 2013 over 90% of Google’s revenue was generated through advertising, amounting to more than US$35 billion. If, in the future, Google is no longer able to offer targeted advertising services in Europe or their services are significantly limited, the entire framework of its business could be compromised. Whilst Google is diversifying and developing new technologies (eg driverless cars!), their current operations undoubtedly provide important capital for these costly ventures. Therefore, the implications of this decision for Google are potentially game changing.
The decision will not just affect Google, Section 13(2) of the Act has provided a bar to claims against data controllers and now this has been disapplied it leaves the sector vulnerable. Any other businesses who have failed to process personal data lawfully under the Act will also now find themselves open to claims.
Another change in the data protection landscape set to change the way in which data controllers operate is the EU’s upcoming Data Protection Regulation (the “Regulation”). At present most web browsers, with the notable exception of Safari, require you to manually opt out of data tracking. Whilst still in draft form, the Regulation intends to make explicit consent to data tracking mandatory. The Court of Appeal’s decision and the new Regulation indicate that the tide is turning for UK privacy and data protection rights.
This guide is for general information and interest only and should not be relied upon as providing specific legal advice. If you require any further information about the issues raised in this article please contact the author or call 0207 404 0606 and ask to speak to your usual Goodman Derrick contact.