Court of Appeal greenlights Data Protection Act claims for distress where no other loss

The Court of Appeal has handed down a landmark judgment in Vidal-Hall v Google Inc [2015] EWCA Civ 311 - a decision eagerly awaited by media and Data Protection practitioners.

The Claimants in the action are a group of individuals who use the ‘Safari’ web browser. They claim that between Summer 2011 and February 2012 that the defendant Google Inc, collected their private information (their internet browsing usage) via the use of cookies. They claim that the information was then used by Google’s advertisers to provide targeted advertising. The claimants assert that their private information and personal data was used/processed without their knowledge and consent. Accordingly, the claimants have sued Google for the misuse of private information, breach of confidence and breach of the Data Protection Act 1998.

The damages sought by the claimants are purely for distress and anxiety, principally that third parties viewing or using their computers or devices might see the targeted adverts and thus become privy to the claimants’ private browsing habits.

As Google Inc is based outside of the jurisdiction in California, the Claimants had to obtain permission from a High Court Master to issue the claim. As it tends to do in such cases, Google sought to have the order for permission set aside. In the High Court hearing on 16 January 2014 Mr Justice Tugendhat dismissed Google’s application. Google appealed to the Court of Appeal which heard the appeal in December 2014 and March 2015. The Information Commissioner intervened.

The significant issues before both Tugendhat J and the Court of Appeal were (1) whether a claim for the misuse of personal information was a distinct tort (breach of confidence was not a tort) and (2) whether damages could be recovered for distress under the Data Protection Act 2013 where there was no claim for financial loss. Google also sought to argue (3) that there was no serious issue to be tried and/or (4) that there had been no real and substantial tort within the jurisdiction to render the claim proportionate.

Lord Dyson MR and Lady Justice Sharp confirmed what most media lawyers have understood to be the case for some time, namely that the misuse of private information was a distinct tort:-

“…we have concluded in agreement with the judge that misuse of private information should now be recognised as a tort for the purposes of service out the jurisdiction. This does not create a new cause of action. In our view, it simply gives the correct legal label to one that already exists….”

The position under section 13(2) of the Data Protection Act 1998 was that damages for distress could not be recovered unless there was also a claim for financial loss. Hugh Tomlinson QC for the Claimants (supported by the Information Commissioner as an intervening party) argued that this statutory provision was incompatible with the underlying EU directive it was based on (Directive 95/46/EC): Article 23 of the Directive specifically allowed for compensation for ‘damage’. As in the High Court, the Court of Appeal agreed. The Court of Appeal then took the drastic, but not unprecedented step, of disapplying UK legislation:-

“… What is required in order to make section 13(2) compatible with EU law is the disapplication of section 13(2), no more and no less. The consequence of this would be that compensation would be recoverable under section 13(1) for any damage suffered as a result of a contravention by a data controller of any of the requirements of the DPA. No legislative choices have to be made by the court”

The Court of Appeal went on to reject Google’s argument that there was no serious issue to be tried or that the claim was disproportionate. It noted that damages might be modest, but recognised the significant privacy issue.

Comment

The effect of the decision is likely to be far-reaching. Prospective claimants have undoubtedly held back from issuing claims under the Data Protection Act because of section 13(2) – i.e because there was no pecuniary loss. This decision potentially opens the floodgates for claims where the Data Protection Act has been breached and the only claim is one for distress and anxiety.