Case Law: Vidal-Hall v Google, Distress damages can be awarded under s 13 DPA without pecuniary loss (and misuse of private information is a tort) – Lorna Skinner

In Vidal-Hall v, Google Inc ([2015] EWCA Civ 311) the Court of Appeal dismissed Google’s appeal from the decision of Tugendhat J in which he declined to declare that the English court did not have jurisdiction to hear data protection and misuse of private information claims brought against it.

In doing so, the Court of Appeal held that there can be a claim for compensation without pecuniary under section 13 of the Data Protection Act 1998 (“DPA”) in non-special purposes cases and that misuse of private information is a tort, not an equitable wrong. The judgment also contains important holdings about the meaning of “personal data” within s1(1) of the DPA.

Background

The claimants are three individuals who used Apple computers between the Summer of 2011 and about 17 February 2012. Each of them accessed the internet using their Apple Safari browser. The case concerns the operation of what has become known as the “Safari workaround”. The essence of the complaint is that the defendant collected private information about the claimants’ internet usage via their Apple Safari browser (the Browser Generated Information, or “BGI”) without the claimants’ knowledge or consent, by using a small string of text saved on the user’s device (“cookies”). This allowed the defendant to recognise the browser sending the BGI. The BGI was then aggregated and used by the defendant as part of its commercial offering to advertisers via its “doubleclick” advertising service. This meant advertisers could select advertisements targeted or tailored to the claimants’ interests, as deduced from the collected BGI, which could be and were displayed on the screens of the claimants’ computer devices. This revealed private information about the claimants, which was or might have have been seen by third parties. The tracking and collation of the claimants’ BGI was contrary to the defendant’s publicly stated position that such activity could not be conducted for Safari users unless they had expressly allowed this to happen.

The claimants brought claims against the defendant in misuse of private information, breach of confidence and breach of the DPA. In respect of their claims for misuse of private information and/or breach of confidence, the claimants allege that their personal dignity, autonomy and integrity were damaged, and claim damages for anxiety and distress. In respect of the DPA claims, they claim compensation under section 13 of the DPA for damage and distress. There was no claim for pecuniary loss.

Because the defendant is a corporation registered in Delaware and has it its principal place of business in California the claimants sought and obtained the permission of the Court to serve out pursuant to CPR 6.36 and Practice Direction 6B. In order to obtain permission, the claimants had to establish: (1) that there was a serious issue to be tried on the merits of the claim; (2) that there was a good arguable case that their claims came within one of the jurisdictional “gateways” set out in CPR PD 6B; (3) that in all the circumstances England was clearly or distinctly the most appropriate forum for the dispute; and (4) that in all the circumstances the Court ought to exercise its discretion to permit service out.

Google applied under CPR 11 for an order declaring that the Court did not have jurisdiction to try the claims or alternatively that it should not exercise jurisdiction if it did, and for an order setting aside service of the claim form.

Jurisdiction was challenged on the basis that there was no good arguable case for that the claims came within gateways CPR PD 6B 3.1(2) (need for injunction) and 3.1(9) (claim in tort); further or alternatively that there was no serious issue to be tried and/or that the claimants had not shown England was the more appropriate forum. Google also argued that there was no real and substantial cause of action.

Google’s application succeeded to the extent that Tugendhat J held that the claimants could not bring themselves within the injunction “gateway” under CPR PD 6B 3.1(2) because Google had stopped the conduct by the time the Particulars of Claim were served, and had destroyed the relevant data. He also held, bound by the decision in Kitechnology BV v. Unicor GmbH Plastmachinen [1995] FSR 765, that the claims for breach of confidence were not claims in tort. Accordingly, he declared that the Court had no jurisdiction to try the claims for an injunction or for breach of confidence.

The Judge did however hold the claims for misuse of private information did fall within the tort “gateway” under CPR PD 6B 3.1(9) (as did the DPA claims – there was no appeal against this). In relation to the DPA claims, the Judge also held that there were serious issues to be tried (a) that the claimants’ claims for compensation under section 13 of the DPA did not require proof of pecuniary loss; and (b) that the BGI constituted personal data for the purposes of the DPA claims. He also concluded that there

The four issues on appeal were:

• Whether misuse of private information is a tort for the purposes of CPR PD 6B para 3.1(9);
• The meaning of damage in section 13 of the DPA, in particular, whether there can be a claim for compensation without pecuniary loss;
• Whether there is a serious issue to be tried that BGI is personal data under the DPA; and
• Whether in relation to the claims for misuse of private information and under the DPA there is a real and substantial cause of action.

Judgment

In giving the judgment of the Court of Appeal, the Master of the Rolls and Lady Justice Sharp answered all four questions in the affirmative.

The Court described the first two issues as lying at the heart of the appeal ([14]). It noted that the Judge decided the first issue and determined that there was a serious issue to be tried in relation to the second. Given, however, that both raised questions of law that go to the availability of the jurisdictional “gateway” in question the Court of Appeal determined (at [15]) that it would decide both issues rather than merely decide whether it was arguable.

(1) Whether misuse of private information is a tort

The Court noted that although the issue of classification has been the subject of some discussion in the cases, and amongst academics, this was the first case in which it has made a difference. Put shortly, if a claim for misuse of private information was not a tort for the purpose of service out of the jurisdiction, but is classified as a claim for breach of confidence, then on the authority of Kitechnology, the claimants would not be able to serve their claims on Google ([17]).

After conducting a survey of the classifications used in the authorities including Campbell v MGN [2004] AC 457, Douglas v Hello! (No. 3) [2006] QB 125, OBG Ltd v Allen [2008] 1 AC 1, McKennitt v Ash [2008] QB 73, Imerman v Tchenguiz [2010] EWCA Civ 908; [2011] Fam 116, the Court of Appeal observed that, leaving aside the circumstances of its “birth”, there was nothing in the nature of the claim itself to suggest that the more natural classification of it as a tort is wrong ([43]). Actions for breach of confidence and actions for misuse of private information rest on different legal foundations, and protect different legal interests: secret or confidential information on the one hand and privacy on the other ([25]). Moreover, the Court could not find any satisfactory or principled answer to the question of why misuse of private information should not be categorised as a tort for the purposes of service of the jurisdiction ([43]). The decision in Kitechnology turned on a historical distinction that existed before the Judicature Act 1873 between the courts of common law and the Court of Chancery and “It would seem an odd and adventitious result for the defendant, if the historical accident of the division between equity and the common law resulted in the claimants in the present case being unable to serve their claims out of the jurisdiction on the defendants” ([48]).

The Court of Appeal concluded (at [51]):

Against the background we have described, and in the absence of any sound reasons of policy or principle to suggest otherwise, we have concluded in agreement with the judge that misuse of private information should now be recognised as a tort for the purposes of service out of the jurisdiction. This does not create any new cause of action. In our view, it simply gives the correct legal label to one that already exists. We are conscious of the fact that there may be broader implications from our conclusions, for example as to remedies, limitation and vicarious liability, but these were not the subject of submissions, and such points will need to be considered as and when they arise.

 (2) The meaning of damage in section 13 of the DPA

Section 13(1) of the DPA provides that an individual who suffers “damage” by reason of any contravention of the DPA is entitled to compensation for that damage. Section 13(2) provides that an individual who suffers “distress” by reason of any contravention is entitled to compensation for that distress if (a) he also suffers damage, or (b) the contravention relates to the processing of personal data for the special purposes. (“Special purposes” are defined at section 3 of the DPA to mean the purposes of journalism, literature or art.)

It was common ground that on a literal interpretation of section 13 the claimants claims for compensation did not fall within either section 13(2)(a) or (b). They did not allege that they had suffered any pecuniary loss in addition to their distress, and their claims did not relate to processing for any of the special purposes.

The four principal questions arising were:

•  whether the decision in Johnson v. Medical Defence Union [2007] EWCA Civ 262; [2008] Bus LR 503 is binding authority that the meaning of damage in section 13(1) is “pecuniary loss” save in the circumstances set out in section 13(2);
• whether “damage” in Article 23 of Directive 95/46/EC (which the DPA was intended to implement) includes non-pecuniary loss such as distress;
• if “damage” in Article 23 includes non-pecuniary loss, whether section 13 can and should be interpreted compatibly with Article 23 in accordance with the Marleasing principles: Marleasing SA v. La Comercial Internacional de Alimentacion SA C-106/89 [1990] ECR I-4135 CJEU; and
• whether section 13(2) should be disapplied in so far as it is incompatible with Article 23 in accordance with the principles articulated by the Court of Appeal in Benkharbouche and Janah v. Embassy of Sudan and others [2015] EWCA Civ 33 at [69] to [85].

As to the first question, the Court of Appeal held at [68] that it was not bound by Johnson. This was because Buxton LJ’s rejection (with which the rest of the Court agreed) at [74] of the submission that the reference in Article 23 of the Directive could be read as including “distress”  and statement that there was “no compelling reason to think that ‘damage’ in the Directive has to go beyond its root meaning of pecuniary loss” was obiter. Buxton LJ made it clear at [54] and [71] that this was not necessary for his decision. So far as a statement to the apparently contrary effect in [80] was concerned, “It would seem that Buxton LJ overlooked what he had said earlier in his judgment. This is perhaps unfortunate, but it is no more than that” ([67]).

As to the second question, the Court of Appeal concluded at [75] that Article 23 of the Directive “must be given its natural and wide meaning so as to include both material and non-material damage”. In doing so, it observed (at [77]):

Since what the Directive purports to protect is privacy rather than economic rights, it would be strange if the Directive could not compensate those individuals whose data privacy had been invaded by a data controller so as to cause them emotional distress (but not pecuniary damage). It is the distressing invasion of privacy which must be taken to be the primary form of damage (commonly referred to in the European context as ‘moral damage’) and the data subject should have an effective remedy in respect of that damage.

In coming to this conclusion, the Court of Appeal went further even than the claimants contended it should, Counsel having advocated that Article 23 does not require compensation for non-pecuniary loss unless a data subject has suffered a violation of his rights under Article 8 of the ECHR (see [80] and [81]).

As to the third question, it was not possible to interpret section 13(2) in accordance with the Marleasing principle in a way which would permit compensation for distress in circumstances not falling within section 13(2)(a) or (b) ([94]). The Marleasing principle is that courts of Member States should interpret national law for the purpose of transposing an EU directive into its law so far as possible ([86]). It was not possible to do so here because it was clear (although the reasoning was not) that Parliament had deliberately chosen to limit the right to compensation in the way it did ([91]) and the limits set by Parliament to the right are a fundamental feature of the DPA ([93]).

As to the fourth question, the Court of Appeal concluded in the affirmative. Section 13(2) should be disapplied in so far as it is incompatible with Article 23 in accordance with the principles articulated by the Court of Appeal in Benkharbouche. The reasoning was as follows ([95] to [105]):

• Article 47 of the EU Charter provides a right to an effective remedy and to a fair trial for everyone whose rights and freedoms guaranteed by the law of the Union are violated;
• Article 7 of the Charter provides that “everyone has a right to respect of his or her private and family life, home and communications”. Article 8(1) provides that “everyone has the right to the protection of personal data concerning him or her”
• “Damage” in Article 23 of the Directive includes non-pecuniary loss;
• Section 13(2) is in breach of Articles 7 and 8(1). Accordingly it denies the claimants an effective remedy for such breaches;
• In Benkharbouche it was held that in so far as a provision of national law conflicts with the requirement for an effective remedy in Article 47, the domestic courts can and must disapply the conflicting provision except where to do so would involve the Court having to redesign the fabric of a legislative scheme;
• In order to make section 13(2) compatible with EU law it was necessary to disapply it. No legislative choices had to be made by the Court in order to do so an accordingly the exception (redesigning the fabric of a legislative scheme) did not apply.

As the Court of Appeal recognised at [105], the consequence of this is that compensation is recoverable under section 13(1) for any damage suffered as a result of contravention by a data controller of any of the requirements of the DPA.

(3) Whether BGI is “personal data” under section 1(1) of the DPA

Section 1(1) of the DPA provides that “personal data” means data which relate to a living individual who can be identified (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller.

This DPA question raised two principal questions. The first was whether BGI is “personal data” under section 1(1)(a) of the DPA. The second was whether, if it was not “personal data” when looked at in isolation, it amounts to personal data under section 1(1)(b)) ([106]).

In contrast to the position under the first two issues raised on appeal (namely (1) Is misuse of private information a tort? and (2) Are damages for distress only recoverable under section 13) the Court did not have to decide the questions raised under issue 3. All it had to do was decide whether there was a serious issue to be tried that the BGI was personal data ([107]).

The Court decided that it was “clearly arguable” that the BGI constitutes personal data under section 1(1)(a),

“because identification for the purposes of data protection is about data that ‘individuates’ the individual, in the sense that they are singled out and distinguished from all others. It is immaterial that the BGI does not name the user. The BGI singles them out and therefore directly identifies them for the purposes of section 1(1)(a) of the DPA…” ([115]).

In relation to whether the BGI amounted to personal data under section 1(1)(b), the Court of Appeal was rather less robust. It concluded that the issues are not clear-cut or straightforward. Given its earlier conclusion that there was a serious issued to be tried in relation to section 1(1)(a), the argument was best left to be determined after the facts have been found, and after full argument at trial ([133]).

(4) Whether in relation to the claims for misuse of private information and under the DPA there is a real and substantial cause of action

Google argued, as a freestanding ground of appeal, that the Judge was wrong to permit service out because he should have refused it in the exercise of the abuse of process jurisdiction under Jameel v. Dow Jones and Co [2005] QB 946.

The argument was made on two bases: first that the alleged incursions into the private lives of the claimants did not cross the Article 8 threshold of seriousness, and secondly because the damages recoverable were likely to be so modest relative to the costs of litigation that it would be disproportionate to allow service out ([135]).

The Court of Appeal dismissed these arguments, noting that whilst the Jameel  jurisdiction is valuable where a claim is obviously pointless or wasteful, it did not think that Google came close to establishing that that was the position in this case, or that the Judge went so wrong in his evaluation of the factors relevant to his decision that it should be interfered with ([136]). The cost of litigation (estimated by Google to be £1.2 million) should be capable of appropriate control by the exercise of the court’s case management powers, including costs control orders ([140]). Whilst the damages may be small, the issues of principle are large ([139]).

On the face of it, these claims raise serious issues which merit a trial. They concern what is alleged to have been the secret and blanket tracking and collation of information, often of an extremely private nature, as specified in the confidential schedules, about and associated with the claimants’ internet use, and the subsequent use of that information for about nine months. The case relates to the anxiety and distress this intrusion upon autonomy has caused ([137]).

Comment

This case represents a very significant step forward in DPA litigation. Enacted just over 15 years ago, the DPA has spent many years in the wilderness, gathering dust  on the litigator’s top shelf whilst apparently more sexy and dynamic areas of law such as misuse of private information have been developed. Some of its powers were finally recognised and unleashed in Google Spain, followed domestically by Mosley v. Google ([2015] EWHC 59 (QB) which I commented on here. Historically, the bar on distress-only damages save in ‘media’ cases has been a major factor inhibiting litigation under the DPA. And at the risk of totally overloading the metaphors, this decision is likely to effect a sea-change. From now on, the Courts are likely to see many more cases where the claimants claim is focused upon breaches of the DPA, rather than treating it as an add-on or makeweight to other claims.

Although it may be of academic interest, it seems unlikely that the decision that misuse of private of private information is a tort is going to be nearly as significant. The lines between tort and equitable wrongs have been blurred for some considerable time now without any momentous impact. By way of well-worn example, the situations in which damages may be awarded for breach of confidence have been expanded over time to the extent that they now appear coterminous with those available recoverable in tort.

Lorna Skinner is a barrister at Matrix Chambers specialising in media and information law