Archives

Google v. Vidal-Hall – A Landmark Decision

A landmark decision was made on Friday, March 27, when the Court of Appeal confirmed that misuse of private information is a tort, and claimants may recover damages under the Data Protection Act 1998 (DPA) for non-pecuniary losses.

Over the past few years, Google has been involved with high-profile privacy litigation activities, in various issues from removal of offensive video footage to the rollout of its street view service, to the emerging right to be forgotten.

Some background

Just last week, the Court of Appeal made a decision in Google v. Vidal-Hall. The case involved Google’s alleged circumvention of privacy settings in Apple’s Safari browser, allegations that Google settled with the Federal Trade Commission and state attorneys general in the US for over $22 million and $17 million, respectively.

The UK court’s staggering 50-page opinion is one of the most significant judicial decisions in the privacy space since the dawn of the Data Protection Directive 20 years ago. It comes at a time when the directive is on the verge of being replaced by the General Data Protection Regulation.

The claim concerned the collection of private information by Google regarding the claimants’ internet usage. The information consisted of Browser-Generated Information (BGI) taken without the claimants’ knowledge or authorization. The BGI was collected using cookies, which allowed Google to recognize the specific browser creating the BGI.

The claimants alleged that Google offered their BGI to advertisers would could then target each of them specifically based on their browsing history. While the factual background to the appeal is complicated, the claimants sought and obtained permission to see their claim out of the jurisdiction on Google in the US. The tech giant unsuccessfully applied to have that permission set aside before Tugendhat J and so appealed the judge’s decision to the Court of Appeal.

Important issues

The appeal raised four issues:

  1. If misuse of private information is a tort.
  2. The meaning of “damage” under s.13 DPA, and whether there could be a claim for compensation with pecuniary loss.
  3. If there was a serious issue to be tried that the BGI was personal data under the DPA, justifying service out.
  4. If – in relation to the claims for misuse of private information and under the DPA – there was real and substantive cause of action, meaning that the Court should exercise its discretion to permit service out.

Consequences

This is an important decision for those who have been lobbying for an authoritative interpretation of European data protection law. In Europe, data protection enforcement is sporadic, with few cases reaching the courts.

One reason for the sparse data protection docket is the issue addressed by the Vidal-Hall court: the narrow definition of privacy harm. This problem also resonates across the ocean in US jurisprudence. Courts define privacy harms narrowly, excluding equivocal notions of emotional distress and focusing on pecuniary losses. Privacy lawsuits often collapse against a wall of uncertainty, as plaintiffs struggle to demonstrate harm.

Privacy harm must be cognizable, actual, specific, material, fundamental or special, before courts will consider awarding compensation, commented Ryan Calo. What often happens is that people begin to question whether privacy harm is much of a harm at all.

Now, the UK court has drawn a clear distinction by invalidating section 13 of the UK DPA for its inconsistencies with the European Directive and the EU Charter of Fundamental rights. According to the Master of the Rolls and Lady Justice Sharp:

“Since what the Directive purports to protect is privacy rather than economic rights, it would be strange if the Directive could not compensate those individuals whose data privacy had been invaded by a data controller so as to cause them emotional distress (but not pecuniary damage).”

The Vidal-Hall decision is likely to have significant repercussions with respect to data protection claims in the UK. We will have to wait and see how claimants seek to rely on the precedent, but there can be little doubt that they will do so, and that the recent invigoration of DPA claims and the rise of stand-alone data protection rights is set to continue.

That pecuniary loss is no longer a threshold requirement for a DPA claim clearly broadens the scope for such claims. What will become an interesting topic is how the Court’s use of Article 47 to disapply section 13(2) will be applied in future cases.

Summary

This article discusses the decision made by the UK Court of Appeal that confirmed that misuse of private information is a tort, and that claimants may recover damages under the Data Protection Act 1998.

CIPP Exam Preparation                                      

In preparation for the Certification Information Privacy Professional/Europe (CIPP/E) exam, a privacy professional should be comfortable with topics related to this post, including:

  • National data protection laws (I.C.e.)
  • Data protection concepts (II.A.)
Share

Leave a Reply

 

 

 

You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>