Significant UK Court Ruling on Data Protection Liability

Three individuals who used the Apple Safari Internet browser brought court claims in the UK in 2013 against Google after discovering that between 2011 and February 2012, Google had circumvented the browser's default security settings. In doing so, Google collected private information about these individuals' Internet usage without their knowledge or consent.

Since the summer of 2011, all versions of Safari have had their default security settings set to block third-party cookies, mainly to prevent advertising-related tracking without the knowledge/consent of the user. The default setting ensures that cookies from third-party advertisers are not placed in users' browsers unless the user actively chooses to change their security settings and enable them.

Google, however, bypassed the default privacy settings by implementing the “Safari workaround,” under which temporary third-party cookies could be installed on users' systems and for browser-generated information (BGI) to be collected from the cookies. The cookies were applied to track users' online activities and this information was then used to group individual users into categories. The information was used by Google's “doubleclick” advertising service, allowing advertisers to target advertisements based on the interests of the three individual claimants. Google's publicly stated position was that BGI tracking could not be conducted for Safari users unless they had opted to enable cookies.

The claimants each brought claims against Google for breach of confidence; misuse of private information; and breach of the DPA 1998, for the tracking and collating of information relating to the claimants' online behavior without their knowledge or consent. In respect to their claims for misuse of private information and/or breach of confidence, the claimants alleged that their personal dignity, autonomy and integrity were damaged, for which they were claiming damages (i.e., financial compensation) for anxiety and distress.'In respect to their claims under the DPA 1998, they were claiming compensation for damage and distress. In neither case was there a claim for so-called pecuniary loss (generally speaking, a pecuniary loss is one that can be measured in money terms).

Legal Hurdles

In bringing these claims, the claimants faced, among others, two main legal hurdles. First, because the entity they needed to sue (Google Inc.) is outside the jurisdiction of the UK, the claimants could only proceed with the UK High Court's permission to serve proceedings abroad. Under UK civil rules of procedure, a claim can only be served outside the jurisdiction if, among other things, it falls within a limited number of so-called “jurisdictional gateways.” Put very simply, in this case the claimants had to persuade the court that misuse of personal information should be classified as a tort (i.e., a civil wrong) in order to get through one of these gateways. Second, because the claimants were claiming for compensation that was not pecuniary loss, there was an issue of interpretation of the term “damage” under the DPA 1998, where the question was whether there can be a claim for compensation under the DPA 1998 without pecuniary loss.

The High Court ruled in favor of the claimants, allowing proceedings to be served abroad. Google then appealed this ruling. Significantly for data protection rights, through a complex and historical analysis, the Court of Appeal held that the misuse of private information is indeed a tort, even though it grew out of the law of the breach of confidence, whereas a claim for breach of confidence is not a tort because of its particular history. The upshot is that in a case such as this one, service can be affected against non-UK defendants out of the jurisdiction.

Damages and Compensation

Concerning the damages and compensation aspect of the case, as explained above, the claimants did not suffer any pecuniary loss. Instead, they alleged that they had (mainly) suffered “distress” due to the tracking and collating of information relating to their online behavior without their knowledge or consent, for which they sought (financial) compensation. The problem for them was how to be able to legally claim this, because the DPA 1998 requires that damage must be suffered in order for compensation to be payable, which in effect limits any right to claim non-pecuniary damages.

Very significantly, and arguably the essential element of the ruling for the purposes of data protection rights, the Court of Appeal held that compensation can be awarded even where there is no pecuniary loss. To arrive at that conclusion, the court legally disapplied the relevant section of the DPA 1998 in order to address what the court saw as a legal incompatibility between UK law and EU data protection rules (EU Directive 95/46) which the DPA 1998 implements into UK law) so as to give full application to EU law.

More specifically, the issue of compensation for a contravention by a 'data controller' (the person who determines the purposes for which and the manner in which any personal data are processed) is dealt with in Article 23 of Directive 95/46 and the Court of Appeal found it was not possible to interpret section 13(2) of the DPA 1998 (the effect of which is that damage has to be suffered as a pre-requisite in order to get compensation) in a way that was compatible with Article 23. It ruled that Section 13(2) of the DPA 1998 should be disapplied on the grounds that it conflicts with the rights guaranteed by Articles 7 (right to private and family life) and 8 (right to protection of personal data) of the EU Charter of Fundamental Rights.

Further, on a separate issue, the Court of Appeal also stated that it is arguable that BGI can be used to identify an individual (i.e., without the ability to identify an individual by name) and therefore constitutes “personal data” under the DPA, thereby in this case also enabling proceedings to be issued against a party outside the jurisdiction of the UK. This interpretation of what constitutes “personal data” could have significant legal ramifications.

What Comes Next?

It was announced in July that the UK's highest court, the Supreme Court, has granted permission in part for Google to appeal the Court of Appeal's ruling.'Google applied for permission to appeal to the Supreme Court on the following grounds: first, whether the Court of Appeal was right to hold the claimants' claims for misuse of private information are claims made in tort for the purpose of service out of the jurisdiction; second, whether the Court of Appeal was right to hold that section 13(2) of the DPA 1998 is incompatible with Article 23 of Directive 95/46; and, third, whether the Court of Appeal was right to disapply section 13(2) of the DPA 1998 on the grounds that it conflicts with the rights guaranteed by Articles 7 and 8 of the EU Charter of Fundamental Rights. The Supreme Court has refused permission to appeal the first ground claimed by Google on the basis that it doesn't raise an arguable point of law, but it has allowed Google permission to appeal the other two grounds. No date for the next steps has been announced but it can be expected to be some time before this matter proceeds.

Therefore, for the moment at least, all bets are off as to whether this case will lead to substantial class-action cases against Google and also whether, because of the disappearance of the pecuniary loss requirement, there will be an upturn in litigation in general for infringements of the DPA 1998.'But, as the clich' goes, watch this space!

Andr' Bywater and Gayle McFarlane are commercial lawyers with Cordery Compliance in London, where they focus on regulatory compliance, processes and investigations. Reach them at [email protected] and [email protected], respectively.

The UK's Court of Appeal gave a very important judgment earlier this year in the so-called Vidal-Hall case concerning Google's Internet behavior tracking through a browser. The court found that: first, misuse of private information is now classified as a tort, thereby in this case enabling proceedings to be issued against a party outside the jurisdiction of the UK; and, second, financial compensation for distress caused by breaches of the Data Protection Act 1998, 1998 c. 29 (DPA 1998) may now be claimed, despite there being no monetary loss, the UK legal provision that had to date prevented this having now been disapplied by the Court of Appeal.

This case is particularly important because litigation for data protection infringements is rising steadily and following this ruling, the legal footing upon which to obtain compensation in court claims for data protection infringements has, for the moment at least, moved forward significantly and may pave the way in general for class actions. But, permission to appeal the Court of Appeal's ruling to the highest court in the UK, the Supreme Court, has just been allowed by that latter court, and so we will have to wait and see before drawing any final conclusions.

The Case

Three individuals who used the Apple Safari Internet browser brought court claims in the UK in 2013 against Google after discovering that between 2011 and February 2012, Google had circumvented the browser's default security settings. In doing so, Google collected private information about these individuals' Internet usage without their knowledge or consent.

Since the summer of 2011, all versions of Safari have had their default security settings set to block third-party cookies, mainly to prevent advertising-related tracking without the knowledge/consent of the user. The default setting ensures that cookies from third-party advertisers are not placed in users' browsers unless the user actively chooses to change their security settings and enable them.

Google, however, bypassed the default privacy settings by implementing the “Safari workaround,” under which temporary third-party cookies could be installed on users' systems and for browser-generated information (BGI) to be collected from the cookies. The cookies were applied to track users' online activities and this information was then used to group individual users into categories. The information was used by Google's “doubleclick” advertising service, allowing advertisers to target advertisements based on the interests of the three individual claimants. Google's publicly stated position was that BGI tracking could not be conducted for Safari users unless they had opted to enable cookies.

The claimants each brought claims against Google for breach of confidence; misuse of private information; and breach of the DPA 1998, for the tracking and collating of information relating to the claimants' online behavior without their knowledge or consent. In respect to their claims for misuse of private information and/or breach of confidence, the claimants alleged that their personal dignity, autonomy and integrity were damaged, for which they were claiming damages (i.e., financial compensation) for anxiety and distress.'In respect to their claims under the DPA 1998, they were claiming compensation for damage and distress. In neither case was there a claim for so-called pecuniary loss (generally speaking, a pecuniary loss is one that can be measured in money terms).

Legal Hurdles

In bringing these claims, the claimants faced, among others, two main legal hurdles. First, because the entity they needed to sue (Google Inc.) is outside the jurisdiction of the UK, the claimants could only proceed with the UK High Court's permission to serve proceedings abroad. Under UK civil rules of procedure, a claim can only be served outside the jurisdiction if, among other things, it falls within a limited number of so-called “jurisdictional gateways.” Put very simply, in this case the claimants had to persuade the court that misuse of personal information should be classified as a tort (i.e., a civil wrong) in order to get through one of these gateways. Second, because the claimants were claiming for compensation that was not pecuniary loss, there was an issue of interpretation of the term “damage” under the DPA 1998, where the question was whether there can be a claim for compensation under the DPA 1998 without pecuniary loss.

The High Court ruled in favor of the claimants, allowing proceedings to be served abroad. Google then appealed this ruling. Significantly for data protection rights, through a complex and historical analysis, the Court of Appeal held that the misuse of private information is indeed a tort, even though it grew out of the law of the breach of confidence, whereas a claim for breach of confidence is not a tort because of its particular history. The upshot is that in a case such as this one, service can be affected against non-UK defendants out of the jurisdiction.

Damages and Compensation

Concerning the damages and compensation aspect of the case, as explained above, the claimants did not suffer any pecuniary loss. Instead, they alleged that they had (mainly) suffered “distress” due to the tracking and collating of information relating to their online behavior without their knowledge or consent, for which they sought (financial) compensation. The problem for them was how to be able to legally claim this, because the DPA 1998 requires that damage must be suffered in order for compensation to be payable, which in effect limits any right to claim non-pecuniary damages.

Very significantly, and arguably the essential element of the ruling for the purposes of data protection rights, the Court of Appeal held that compensation can be awarded even where there is no pecuniary loss. To arrive at that conclusion, the court legally disapplied the relevant section of the DPA 1998 in order to address what the court saw as a legal incompatibility between UK law and EU data protection rules (EU Directive 95/46) which the DPA 1998 implements into UK law) so as to give full application to EU law.

More specifically, the issue of compensation for a contravention by a 'data controller' (the person who determines the purposes for which and the manner in which any personal data are processed) is dealt with in Article 23 of Directive 95/46 and the Court of Appeal found it was not possible to interpret section 13(2) of the DPA 1998 (the effect of which is that damage has to be suffered as a pre-requisite in order to get compensation) in a way that was compatible with Article 23. It ruled that Section 13(2) of the DPA 1998 should be disapplied on the grounds that it conflicts with the rights guaranteed by Articles 7 (right to private and family life) and 8 (right to protection of personal data) of the EU Charter of Fundamental Rights.

Further, on a separate issue, the Court of Appeal also stated that it is arguable that BGI can be used to identify an individual (i.e., without the ability to identify an individual by name) and therefore constitutes “personal data” under the DPA, thereby in this case also enabling proceedings to be issued against a party outside the jurisdiction of the UK. This interpretation of what constitutes “personal data” could have significant legal ramifications.

What Comes Next?

It was announced in July that the UK's highest court, the Supreme Court, has granted permission in part for Google to appeal the Court of Appeal's ruling.'Google applied for permission to appeal to the Supreme Court on the following grounds: first, whether the Court of Appeal was right to hold the claimants' claims for misuse of private information are claims made in tort for the purpose of service out of the jurisdiction; second, whether the Court of Appeal was right to hold that section 13(2) of the DPA 1998 is incompatible with Article 23 of Directive 95/46; and, third, whether the Court of Appeal was right to disapply section 13(2) of the DPA 1998 on the grounds that it conflicts with the rights guaranteed by Articles 7 and 8 of the EU Charter of Fundamental Rights. The Supreme Court has refused permission to appeal the first ground claimed by Google on the basis that it doesn't raise an arguable point of law, but it has allowed Google permission to appeal the other two grounds. No date for the next steps has been announced but it can be expected to be some time before this matter proceeds.

Therefore, for the moment at least, all bets are off as to whether this case will lead to substantial class-action cases against Google and also whether, because of the disappearance of the pecuniary loss requirement, there will be an upturn in litigation in general for infringements of the DPA 1998.'But, as the clich' goes, watch this space!

Andr' Bywater and Gayle McFarlane are commercial lawyers with Cordery Compliance in London, where they focus on regulatory compliance, processes and investigations. Reach them at [email protected] and [email protected], respectively.