Misuse of private information is a tort and no pecuniary loss is necessary to attract compensation

Data protection is back in the news following a recent landmark decision of the UK Court of Appeal in Vidal-Hall v Google Inc [2015] EWCA Civ 311. This case significantly alters the data protection and private information landscape in the UK, with important implications for businesses that deal with private or personal data, including in the course of providing online advertising.

Background

Vidal-Hall arose from the operation of what is known as the ‘Safari workaround’ for the use of third-party cookies during web browsing. A third-party cookie is a cookie that is sent to a browser by a website other than the website the browser is currently viewing, such as via an advertisement that appears on the current website. This cookie may be used to track and collate a user’s browsing information over time across all sites in the network that use that cookie, thus allowing further tailored delivery of web advertisements. The information obtained is known as ‘browser-generated information’ or ‘BGI’.

Safari is the default internet browser for Apple devices such as iPhones, iPads and MacBooks. Unlike some other internet browsers, the default setting for Safari is to block third-party cookies unless specifically enabled by the user, or an exception applies. The three claimants in this case alleged that between mid-2011 and mid-February 2012, Google’s Doubleclick advertising service used a further cookie to essentially ‘work around’ the default block setting in the Safari browser. As a result, Google was able to track and collate BGI for each of the claimants via the Safari browser, without the claimants’ knowledge or consent. Doubleclick then used this BGI to allow advertisers to deliver tailored advertisements to the claimants’ devices based on their browsing history.

The claimants commenced proceedings against Google, seeking damages for distress arising from (relevantly) misuse of private information, and breach of the UK Data Protection Act 1998 (DPA), on the basis that the tailored advertisements that were displayed as a result of the collected BGI revealed their private information, and that this was or may have been disclosed to third parties. However, the claimants required permission to serve the proceedings on Google in California under CPR 6.36 and Practice Direction 6B. This decision relates to the appeal from the decision of the court below to grant such permission.

The Court of Appeal’s decision

In considering whether the court below had properly granted permission to serve the proceedings, the Court of Appeal was required to consider two significant issues, namely whether:

  1. the misuse of private information is a tort (for the purpose of the Civil Procedure Rules);
  2. there can be a claim for compensation under section 13 of the DPA, without pecuniary loss.

The decision of the Court of Appeal in respect of both of these issues is likely to have significant ramifications for claims relating to private information and data protection in the UK going forward.

Is misuse of private information a tort?

Whether a claim for misuse of private information could be classified as a tort was important in this case because, in order to obtain permission to serve the proceedings, the claimants needed to establish not only that (among other things) there was a serious question to be tried, but also that their claim fell within one of the ‘jurisdictional gateways’ provided in the CPR. One gateway is that a claim is made in tort, where the act or damage occurred within the UK. This meant that if misuse of private information was a claim for breach of confidence rather than a tort, permission to serve outside the jurisdiction could not be granted.

In Vidal-Hall, the Court of Appeal confirmed that despite its historical beginnings, misuse of private information is now a separate and distinct cause of action from breach of confidence, and is to be classified as a claim in tort for the purposes of the CPR.

The practical implications of this decision are likely to be significant. It is expected that claimants in future cases will seize on the court’s reasoning to argue that the classification of misuse of private information as a tort is not limited to the context of the CPR, but is of general application. If that is the case, then general tortious principles relating to remedies, limitation periods and importantly, vicarious liability, will need to be applied to the misuse of private information.

Compensation under the DPA does not require pecuniary loss

The second significant issue decided by the Court of Appeal in Vidal-Hall was whether it is necessary to suffer pecuniary loss in order to claim compensation for a breach of the DPA. While the claimants had claimed damages for distress suffered as a result of the breach, no claim was made for pecuniary loss. This issue was also relevant to whether the claim fell within one of the jurisdictional gateways referred to above.

The answer to this question turned on the meaning of ‘damage’ in section 13(1) of the DPA, and whether it was limited to pecuniary loss. The parties agreed that on a literal reading of the provision, the claimants were not entitled to damages, as compensation for distress was recoverable only where either of the conditions in section 13(2)(a) or (b) was satisfied. However, the claimants argued that such an interpretation conflicted with Article 23 of Directive 95/46/EC, which the DPA was intended to implement. Article 23 of the Directive relevantly provides:

‘Member States shall provide that any person who has suffered damage as a result of an unlawful processing operation or any act incompatible with the national provisions adopted pursuant to this Directive is entitled to receive compensation from the controller for the damage suffered’.

The Court of Appeal agreed with the claimants’ submissions, holding that section 13(2) was in conflict with Article 23 of the Directive. In particular, the court held that ‘damage’ in Article 23 of the Directive was to be given ‘its natural and wide meaning so as to include both material and non-material damage’. The court considered that it was not possible to interpret section 13(2) in a way that was compatible with the Directive without altering the fundamental feature of this aspect of the DPA. The court therefore ruled that section 13(2) should be disapplied.

This means that compensation for a breach of the DPA is now recoverable under section 13(1), for any damage that is suffered as a result, including non-pecuniary damage such as distress. This represents a significant change to the law relating to data protection in the UK, particularly for the victims of a data breach. This is because, as the Court of Appeal noted, distress is often ‘the only real damage that is caused’ by a breach of the DPA, and now claimants may be able to obtain compensation for this distress, without the need to also show pecuniary loss.

This has the potential to significantly increase litigation exposure for those businesses that collect personal data, particularly in circumstances where a single data breach may affect a very large number of individuals. However, a defence is available under section 13(3) where businesses can show that they had taken such care as was reasonably required in all the circumstances to comply with the relevant DPA requirement. Businesses that collect information likely to be regarded as ‘personal data’ under the DPA should undertake a review of existing policies and measures to minimise the risk of a breach occurring in the first place, and also maximise the prospect that the defence in section 13(3) can be relied upon.

What next?

Google has been refused leave to appeal this decision to the Supreme Court. As a result, the decision of the Court of Appeal in relation to the classification of misuse of private information as a tort, and its conclusions regarding the meaning of ‘damage’ in section 13 of the DPA represent the final word on these topics, at least for now.

One important issue that remains to be resolved is whether information such as the BGI can constitute ‘personal data’ under the DPA. The Court of Appeal considered that there was an arguable case that such information was ‘personal data’, but we will need to await a final decision on the merits for a definitive answer. This may not be for some time, given the proceedings are currently at an early stage. Nevertheless, businesses involved in collecting, collating, storing and using such information should tread carefully, and in particular, ensure that proper consent is obtained from a user before such information is collected from them, particularly through the use of cookies.

This case is also an important reminder that data protection breaches seldom affect a single jurisdiction. Google has been involved in litigation in the US involving the same Safari workaround, agreeing to pay a civil penalty of $22.5m (€20m) in relation to proceedings brought by the US Federal Trade Commission and a further $17m to settle US state consumer-based actions.

Anna Vandervliet is a senior associate and Joel Smith is a partner at Herbert Smith Freehills LLP, London