English Court of Appeal Decision Significantly Expands UK Privacy Law
On March 27, 2015, the England and Wales Court of Appeal (EWCA) handed down a historic judgment in Google Inc v. Vidal-Hall & Ors [2015] EWCA Civ 311, with significant consequences for organizations handling personal data in, or from, the UK.
This case was brought against Google Inc. by three users of Apple’s Safari web browser. They argued that over a period of nine months, Google’s DoubleClick and AdSense services secretly tracked their visits to all websites that used Google AdSense to serve advertising, contrary to Google’s public assurances that users who maintained Safari’s default privacy settings would not be tracked or profiled by DoubleClick, or receive personalized advertising. This, they alleged, allowed Google to wrongfully build up a detailed picture of their browsing history from which it could deduce their interests and personal characteristics, and thus serve personalized adverts. Similar cases have been brought against Google in the United States, leading to a US$22.5 million U.S. Federal Trade Commission fine and a US$17 million settlement with state attorneys general.
The EWCA was asked to determine two fundamental questions of English privacy law, and to then decide whether the merits of the case warranted it being allowed to proceed to full trial. The EWCA found in favour of the claimants on all points before it, and in doing so, appears to have fundamentally modified English privacy law. In short, the EWCA held that:
English law recognises a tort of misuse of private information, to be distinguished from a breach of confidence claim; and
the UK Data Protection Act 1998 (the ‘Data Protection Act’) fails to correctly implement the EU Data Protection Directive (95/46/EC) into UK law. Notably, Section 13 of the Data Protection Act, which hitherto had prevented claims for “moral damages” (i.e. distress) in the absence of pecuniary (financial) damage, must be disregarded.
These findings will have important consequences. The first gives misuse of private information a formidable new dimension, not only creating a basis for litigation against organizations based outside the UK, but also having important consequences regarding vicarious liability, remedies, and limitation. The latter dramatically lowers the bar for litigation based on breaches of the Data Protection Act, potentially opening the floodgates to a deluge of low-value claims for distress.
These findings, arguably two of the most important developments in UK privacy law in almost a decade, warrant deeper examination.
English law should recognise a tort of “misuse of private information”
Ever since the UK’s ratification of the European Convention on Human Rights (ECHR), English courts have struggled to reconcile the right to privacy under Article 8 of the ECHR with the absence of a breach of privacy cause of action in English law. In this week’s ruling, the EWCA noted that the courts instead have had to “shoehorn” it into an existing cause of action, “breach of confidence”. This was stretched to encompass, for instance, the surreptitious taking and commercialization of paparazzi photographs at celebrity weddings (Douglas v. Hello! Ltd (No 3)  EWCA Civ 595,  QB 125).
Courts and jurisprudes noted that this was not a natural or comfortable extension of the breach of confidence cause of action, which traditionally had required an existing relationship of trust between the claimant and defendant (whereas such relationships are not a precondition to intrusions on someone’s privacy); over time, breach of confidence evolved a conjoined “misuse of private information” facet to deal specifically with breaches of privacy.
Historically, because breach of confidence and misuse of private information were recognised as one and the same action, misuse of private information was seen as founded in English law of equity (as was breach of confidence), and not a common law tort. It is a curiosity of (ancient) English law that claims founded in equity have quite different characteristics than claims founded in tort. For instance, English courts are not typically permitted to assert jurisdiction over foreign defendants when the claim is founded in equity. This allowed Google Inc. to argue forcefully in this case that it should not be facing a claim for misuse of private information, since it was not domiciled in the jurisdiction.
Commenting on this state of affairs, the EWCA stated that “[i]t would seem an odd and adventitious result for the defendant, if the historical accident of the division between equity and the common law resulted in the claimants in the present case being unable to serve their claims out of the jurisdiction on the defendant”. Distinguishing precedent case law, and pointing to developments in other Commonwealth countries, the EWCA effectively divorced misuse of private information from breach of confidence, and re-characterized it as a tort.
Should this ruling be upheld, misuse of private information may have just become a distinct and recognized cause of action in English law. It will take time for the impact of this change to be fully felt, although organizations with exposure to the UK (for example, those with UK customers) are likely to start assessing the impact of the changes immediately.
The UK Data Protection Act 1998 cannot exclude non-pecuniary (distress/moral damage) claims
Article 23 of the EU Data Protection Directive 95/46/EC (the ‘Directive’) provides that “any person who has suffered damage as a result of an unlawful processing operation or of any act incompatible with the national provisions adopted pursuant to this Directive is entitled to receive compensation from the controller for the damage suffered.” Although the Directive makes no distinction between moral and pecuniary damages, the UK Parliament designed s13 of the Data Protection Act so that unless the distress was caused by journalistic, artistic or literary activities, individuals can only claim compensation for distress if they can also point to some financial harm arising from a breach of the Act. UK courts nevertheless found an inelegant workaround: they would find nominal pecuniary damage – e.g. £1 – as a gateway to much more significant awards for distress.
In the present case, none of the claimants could point to any financial loss, and without the EWCA’s intervention, would not have had a viable claim under the Data Protection Act. They would have been limited to seeking enforcement action through a complaint to the UK Information Commissioner’s Office (ICO), whose own powers to impose fines under s55A of the Act are generally limited to cases of substantial damage or substantial distress (except in spam cases, following amendments to the UK’s Privacy and Electronic Communications (EC Directive) Regulations 2003 that will take effect on April 6th).
Holding that s13(2) of the Data Protection Act was inconsistent with the Directive and Articles 7, 8 and 47 of the EU Charter of Fundamental Rights (which guarantee rights to privacy, data protection and effective remedies for breach of EU law), the EWCA ruled that the Act must henceforth be read so that “compensation would be recoverable under section 13(1) for any damage suffered as a result of a contravention by a data controller of any of the requirements of the [Act]” (emphasis added).
This holding could lead to a surge in distress-only claims under the Data Protection Act; whilst the sums in individual cases may be small, the sheer volume of litigation that could follow this ruling could be substantial. Ensuring full compliance with the minutiae of the Act’s requirements is arguably now essential for any UK data controllers (including companies abroad, such as Google Inc.), who will be anxious to avoid getting bogged down in a deluge of low-value claims under the Act (or, indeed, misuse of private information actions).
The case can continue to full trial
Following an interesting but inconclusive discussion over whether device and browser “fingerprint” information constituted “personal data” regulated by the Data Protection Act (holding only that it was arguable that it was), the court went on to hold that the claimants’ case was sufficient to merit allowing the case to proceed to full trial, which – unless it settles out of court – could lead to further important developments in English privacy law, in particular (i) case law on assessment of compensation for “mere distress” Data Protection Act claims, and punitive damages, as well as (ii) the extent to which software identifiers, such as cookies or device fingerprints, constitute personal data.