UK - Google v Vidal-Hall: A green light for compensation claims?

In March, Google experienced yet another setback in European courts. This time the English Court of Appeal found against Google on three key issues arising out of its so-called Safari cookie workaround (see Google v Vidal-Hall [2015] EWCA Civ 311).

The first finding was that the claimants can serve proceedings on Google in the United States for the misuse of their private information and for breach of the Data Protection Act 1998.

The second is that there is an arguable case that browser-generated information (“BGI”), such as cookies, constitutes ‘personal data’. This brings a whole swathe of Google’s online activities into the scope of European data protection laws.

Finally, the Court found that the claimants can claim for distress without having to prove pecuniary loss. This greatly increases the scope for compensation claims in the future given an invasion of privacy will rarely be accompanied by actual monetary loss. 

This article considers the decision in greater detail before considering its wider implications and the barriers that remain for compensations claims for breach of UK data protection law.

Background to the claim against Google

The Wall Street Journal first published allegations that Google was circumventing the Safari browser’s privacy settings in February 2012. Six months later, Google had agreed to pay a record $22.5 million penalty to the US Federal Trade Commission for misrepresenting to its users what it was doing. However, it wasn’t required to make any admission of wrongdoing.

The following year, the three claimants sought to bring a claim against Google for the tort of misuse of their private information and for a breach of its statutory duties as a data controller under the Data Protection Act 1998. The claims arose because Google tracked and collated information relating to their internet usage on the Safari browser between mid-2011 and early 2012. 

As Google is a registered corporation in Delaware with its principal place of business in California, the claimants were required to obtain permission from the Master under the Civil Procedure Rules to serve proceedings abroad, which they were successful in doing. Google appealed that decision to the High Court and then the Court of Appeal. Assuming Google does not make a further appeal to the Supreme Court, the substantive claim can now proceed.

The long arm of UK privacy law

The first point considered by the Court of Appeal was whether the claimants were entitled to serve proceedings on Google in the United States for the misuse of their private information. Under the Civil Procedure Rules, this is only possible if this misuse is characterised as a tort rather than as an equitable remedy.

The Court of Appeal was, unsurprisingly, unwilling to let the historical distinctions between equity and the common law frustrate the claimants action and so confirmed that the misuse of private information is a tort. Google had already conceded that breach of the Data Protection Act 1998 would be a tort for these purposes. As the damage from that tort was sustained in the UK, the claimants were able to serve their claim out of jurisdiction on Google Inc in the US.

Browser-generated information as personal data

The second point arose from Google’s argument that BGI was anonymous information. Accordingly, Google argued there was no serious issue to be tried that BGI is ‘personal data’ within the meaning of the Data Protection Act 1998.

The Court of Appeal had to consider a range of arguments. The first was whether the BGI identified an individual by itself. The Court of Appeal was satisfied it was seriously arguable. In focusing on the Opinion issued by the Working Party 29 on the concept of personal data, and the decision of the European Court of Justice in Lindqvist, it said the correct approach may be to consider whether the data “individuates” the individual, such that the individual is able to be differentiated from others. It is not necessary for the data to reveal information such as the actual name of the individual.

As the BGI told Google such information as the claimants’ unique IP addresses, the websites they were visiting, and even their rough geographic location, Google knew their ‘virtual address’ and when they were at their ‘virtual home’. Therefore, the Court of Appeal stated that it is likely that the individuals were sufficiently individuated and that the BGI on its own constitutes ‘personal data’.

The Court of Appeal also considered two subsidiary points. Google argued that while it might be able to identify the claimants by aggregating their BGI with other information it holds about them, it would not do so in practice and therefore that potential combination should be ignored in determining if the BGI is personal data. The Court suggested Google was wrong on this point though did not make any definitive findings.

Equally, Google argued that BGI could not be deemed personal data because third parties might see targeted adverts on the claimants, computer based on that BGI. The Court of Appeal considered this point was neither clear-cut nor straightforward. Moreover, it was unnecessary for it to make any findings, given its earlier conclusion that there was a serious issue BGI might be personal on the basis set out above.

Claims for distress alone possible

Section 13(2) of the Data Protection Act 1998 states that an individual who suffers distress arising from a breach of the Act is entitled to compensation only if the individual “also suffers damage” (or the processing be for the so-called “special purposes”; journalistic, literary or artistic purposes).

This damage had previously been interpreted as meaning pecuniary loss. The need for claimants to prove pecuniary loss as a prerequisite to claiming for distress has required significant evidential contortions in the past, e.g. such as the Doctor and the second breakfast, see Johnson v MDU [2006] EWHC 321.

The Court of Appeal decided this was incompatible with the right to an effective remedy under Article 47 of the EU Charter of Fundamental Rights. What was needed was “the disapplication of section 13(2), no more and no less.” In reaching its decision, the Court of Appeal held: “[s]ince what the [Data Protection] Directive purports to protect is privacy rather than economic rights, it would be strange if the Directive could not compensate those individuals whose data privacy had been invaded by a data controller so as to cause them emotional distress (but not pecuniary damage)”.

Will the floodgates open?

The fact litigants need no longer prove pecuniary loss in order to claim for distress, has to lead some commentators to suggest the opening of the proverbial floodgates to litigation. However, there are a number of factors that suggest this might not come to pass. Claims for breach of the Data Protection Act 1998 are potentially difficult given the complexity of the law in this area.

Moreover, compensation awards are typically small and may not provide sufficient incentive to bring such a claim. While we are still a long way from determining the level of compensation available in Vidal-Hall, it is likely to be dwarfed by the legal fees. Google’s trial costs alone are estimated to be £1.2 million (though the Court did describe this figure as “extremely high”).

This is less of an issue for many individual claims which can be brought though the small claims process and so escape any adverse cost orders. However, it will remain a significant deterrent to larger group actions; as will the “opt-in” nature of group litigation in the UK and the need for damage and distress to be assessed on a case by case basis, rather than by a global award.

By Greg Palmer, London