Who’s afraid of the big, bad Google?
In a modern-day David and Goliath battle, three UK home internet users are challenging the misuse of their private information by the US corporate giant, Google. The individuals decided to bring a claim after they realised that Google had secretly tracked private information about their internet browsing (their Browser-Generated Information (‘BGI’)), without their knowledge or consent. This is despite the Claimants opting to use the ‘do not track’ feature in their Apple Safari internet browsers, which Google managed to circumvent through what has been termed the ‘Safari workaround’. Google then sold the users’ personal information to third-party advertisers, who used the information to target marketing to the users’ interests. The users argued Google demonstrated an:
“institutionalised disregard for both the privacy of its billions of individual users and for the regulatory regimes of the countries in which it operates.”
In Google Inc v Vidal-Hall and Others, the users claim Google’s actions are in breach of the Data Protection Act 1998 (‘DPA’) and seek damages under Section 13 DPA for distress, as well as aggravated damages for the anxiety caused by personalised advertisements being displayed on their computer screens.
Background in the US
This case is not the first of its kind against Google. In August 2012, Google paid a $22.5m fine imposed by the US Federal Trade Commission, in addition to a further $17m in November 2013, to settle claims brought by 38 US states for misuse of their users’ private information. The company’s net profits in 2014 were $14,444m, so the fines are relatively small in comparison. However, the principles at stake here are large, and these cases have already caused cracks to form in Google’s image as a trusted company.
Last year, when the High Court ruled that the English Courts had jurisdiction to try claims issued here for misuse of users’ private information, Google appealed in an attempt to ring-fence to the US the damage caused to its reputation. The company hoped to stem the tide of potential future litigation against what had been a blanket global practice.
There were two important issues which lay at the heart of Google’s appeal to be decided by the Court:
- Is there a tort in the UK for misuse of private information?
- Should Claimants in the UK be able to claim compensation for distress under the DPA, without suffering any financial loss?
A New Tort of Misuse of Private Information
Since the coming into force in the UK of the Human Rights Act 1998 (‘HRA’), incorporating the European Convention of Human Rights (‘ECHR’), the UK Courts have grappled with how to afford appropriate protection to privacy rights under Article 8 of the Convention. This judgment is important, as it recognises and confirms, with reference to all of the relevant authorities, that the misuse of private information is now recognised as a tort in the UK. The judgment traces the development of this new tort from our old tort of confidentiality, which creaked under the weight of the emerging European Article 8 jurisprudence, through the massive media cases of Douglas v Hello! Limited  QB 967 and Campbell v MGN Ltd  UKHL 22 to present day, where our Article 8 rights finally seem to have found appropriate protection. The judgment states that recognising misuse of private information as a tort “simply gives the correct legal label” to a concept that already exists in UK law. The broader implications of this newly labelled tort with regard to remedies, limitation and vicarious liability are still to be explored by the Courts.
Damages for Distress
This judgment is also important as it indicates that damages for breach of the DPA could be awarded for non-pecuniary loss (i.e. for distress). To date, privacy law in the UK has been limited by the requirement that damages for distress could only be recovered if financial loss, however nominal, had also been suffered, as stated in Section 13(2) DPA. Article 23 of Directive 95/46/EC regarding the protection of personal data, however, provides for damages to be awarded for both pecuniary loss and non-pecuniary loss (called ‘moral damages’ in the EU). The Court in this appeal controversially held that although Section 13(2) DPA could not be read to be compliant with EU law (using the Marleasing principle), as the issue engaged EU law, Article 47 of the Charter of Fundamental Rights (‘the Charter’) could be read to have direct horizontal effect. Article 47 provides that everyone whose rights are guaranteed under the Charter and whose rights have been violated has the right to an effective remedy. Rights engaged under the Charter include Article 7 (privacy rights) and Article 8 (data protection rights). An effective remedy in relation to those EU rights, the Court of Appeal held, includes damages for distress. Section 13(2) DPA was therefore disapplied by the Court as being incompatible with the Charter. This controversial development strengthens and expands the protection of privacy rights in the UK and makes our law compatible with European privacy law, as we can now recover damages for distress without financial loss.
Google’s appeal was accordingly dismissed by Lady Justice Sharp and Lord Justice McFarlane of the Court of Appeal in March 2015.
As Mr Tomlinson QC, instructed by the Claimants, states of this case “the damages may be small, but the issues of principle are large.” Advances in technology now enable the secret, blanket tracking and collation of private information about individuals. The quantity of data held by the State and powerful companies such as Google is now without parallel. The surveillance of individuals in society by those in control of this data is becoming more and more sophisticated, so it is vitally important that we control and limit the retention of this data through the strengthening of our individual privacy rights. Without such protections there is far too much scope for these powers to be abused, for commercial or more ominous purposes.