The Court of Appeal has issued a potentially important ruling in the Vidal Hall v Google internet privacy case that could have significant implications for all organisations that are “data controllers” under the Data Protection Act 1998 (“DPA”). In particular, this case will be of interest to businesses that collect and use data typically collected from internet and App users via cookies, such as information about their browsing habits, sites visited, locations etc. But its implications are much wider than this.
The appeal ruling relates to a preliminary stage of the proceedings (i.e. in this case whether or not the claimants should have permission to serve English proceedings out of the jurisdiction on Google in the US). Accordingly, in relation to some of the issues, the Court has only had to decide whether the claimants’ case is sufficiently “arguable” to be allowed to go to trial. But the case will have immediate implications because the Court has also made definitive rulings on some key points.
Increased risk of civil claims for damages
Significantly, the Court has held that claims for damages under the DPA can be made even if the only type of damage claimed is purely for “distress”. Previously it was thought that a person could only claim such damages if they had also suffered pecuniary damage. (This was due to the wording of s13(2) of the DPA, which the Court has now said must be disregarded as being contrary to EU law.)
This decision is bound to increase the risk that data controllers will find themselves facing “distress” claims from individuals in the aftermath of a breach of the DPA (e.g. where an organisation suffers a data breach in circumstances where they have been in breach of the DPA provisions on data security).
Definition of “personal data”
The Court has also held that it is at least arguable that “browser generated information” gathered from individuals is personal data in its own right – even if it is “anonymised” and does not name the person concerned. In other words, it may even be sufficient that the data controller assigns to a piece of data a unique code number which corresponds to a particular user’s device, rather than identifying it by reference to the individual’s name.
Even if that isn’t the case, where a data controller holds other information that, when aggregated, could reveal the identity of the individuals in question, the Court held that this too is arguably personal data – irrespective of whether or not there is any likelihood of the information being so aggregated. In other words, just because personal data is “anonymised” and wouldn’t normally be linked to an individual or their device by a data controller does not invariably mean that it will fall outside the definition of “personal data” provided the data controller has access to that other set of information.
The Court has also held that it is arguable that browser generated information may be personal data if third party advertisers are able to identify individuals by making use of it.
These rulings on personal data are not definitive – but the Court has held them to be arguable propositions.
Misuse of private information is a “tort”
The Court has ruled that, unlike a claim for breach of confidence, which has previously been held not to be a “tort” under English law, the cause of action for misuse of private information is a tort. This can be significant in the context of an application to serve proceedings out of the jurisdiction because one of the grounds for obtaining permission is that the claim in question is a claim in “tort”.
Next steps for this case
It will be interesting to see whether Google now decide to appeal the decision to the Supreme Court, or whether the case will proceed to trial.
The Court of Appeal has said that although Google long ago ceased the offending activity that led to this case (after being fined by the US authorities), it is a sufficiently important case of principle that the claimants should be able to proceed with their damages claim, even though any damages are likely to be dwarfed by the costs of the whole exercise. (Google have estimated their own costs alone at £1.2m!).