Privacy & Information Security Law Blog

On March 27, 2015, the England and Wales Court of Appeal issued its judgment in Google Inc. v Vidal-Hall and Others. Google Inc. (“Google”) appealed an earlier decision by Tugendhat J. in the High Court in January 2014. The claimants were users of Apple’s Safari browser who argued that during certain months in 2011 and 2012, Google collected information about their browsing habits via cookies placed on their devices without their consent and in breach of Google’s privacy policy.

The Court of Appeal ruled on two important issues. The first issue was whether there is a tort of “misuse of private information” under English law. In order to serve proceedings in an English Court on Google (in California), the claimants’ arguments had to satisfy one of a limited number of “gateways.” The relevant gateway in this case required the claimants to show that their claims relate to an actionable tort. Because there is existing case law holding that there is no general tort of invasion of privacy, the claimants argued that the High Court should explicitly recognize a tort of misuse of private information. The High Court agreed and Google appealed the decision. The Court of Appeal upheld the High Court’s decision, and affirmed that there is a tort of misuse of private information under English law. The Court of Appeal stated that this was not a new cause of action, but that it “simply gives the correct legal label to one that already exists.”

The second issue was whether damages under Section 13(2) of the Data Protection Act 1998 (the “Act”) can be awarded in circumstances in which the claimant has not suffered any financial harm. The claimants argued that they had suffered anxiety and distress, but did not allege that they suffered financial harm. This case was unusual because the UK Information Commissioner’s Office (the “ICO”) made submissions to the Court of Appeal as an intervening party. In those submissions, the ICO argued that its previous guidance on Section 13 (which indicated that damages were not available except in cases of financial harm) was incorrect, and that damages should be available in this case. The Court of Appeal accepted the ICO’s submissions but held that, using a literal interpretation, Section 13(2) does not permit damages in the absence of financial harm. The Court of Appeal also noted, however, that Section 13(2) of the Act did not appear to be compatible with EU Data Protection Directive 95/46/EC, which appears to permit claims for damages without financial harm. Expanding upon the evolution of English case law in this area over the last decade, the Court of Appeal held that the claimants could recover damages from Google without showing financial harm, regardless of the contrary language in Section 13(2). It is not yet clear whether Google will appeal this decision.

The consequences of the case may be significant. For Google, it means that the claimants can bring their claims in English Courts directly. This may result in large numbers of such claims, although the Court of Appeal noted that any damages likely will be “relatively modest.”

In a wider context, where any company fails to fulfil its obligations under the Act (e.g., if it suffers a data breach or fails to comply with its own privacy policy) it may face claims for damages brought by the affected individuals (e.g., its customers or employees) if those individuals can demonstrate that they have suffered material anxiety or distress, even if they have not suffered any financial loss. In addition, in some circumstances, such claims may be brought in English Courts, regardless of whether the company is established outside of the UK.