In Google Inc v Vidal-Hall, the Court of Appeal considered whether a cause of action in “misuse of private information” was a tort, providing the claimants with a necessary gateway to permit service of their claim outside the jurisdiction under CPR PD 6B. The Court also considered the compatibility of the right to damages in the Data Protection Act 1998 (“DPA”) with EU law.
In this case, Apple computer owners brought claims against Google for harvesting their internet browsing data (stored in cookies on their computers), which Google then sold to third-party advertisers. Google had publicly stated, erroneously, that it did not collect such data without the user’s consent. The claimants claimed damages for distress (i) for misuse of private information; and (ii) under s. 13 DPA for breach of that Act.
The claimants had successfully obtained permission to serve their claims for misuse of private information and under the DPA outside England pursuant to CPR 3.6 and CPR PD 6B. Google appealed, arguing that: (i) misuse of private information is not a tort for the purposes of CPR PD 6B, para 3.1(9); and (ii) a claim for damages for distress under s. 13 DPA could not be brought in the absence of any pecuniary loss.
The Court of Appeal held that:
- Misuse of private information is a tort for the purposes of the jurisdictional gateway in CPR PD 6B. The Court adopted Lord Nicholls’ comments in OBG Ltd v Allan [2008] 1 AC 1 and Campbell v Mirror Group Newspapers Ltd [2004] 2 AC 457, that “breach of confidence” and “misuse of private information” are now recognised as two separate causes of action. This is despite “misuse of private information” having arisen within the scope of “breach of confidence” as a domestic implementation of privacy rights contained in the European Convention on Human Rights. The Court considered that, once “misuse of private information” is viewed as its own cause of action, it is clearly “a civil wrong without any equitable characteristics … [and] there is nothing in the nature of the claim itself to suggest that the more natural classification of it as a tort is wrong”. The Court also noted that classifying “misuse of private information” as a tort did not create a new cause of action, but rather gave the correct label to an existing cause of action.
- S. 13 DPA did not, on its face, permit the recovery of damages for distress in the absence of any pecuniary loss (the claimants admitted that they had not suffered pecuniary loss). However, Article 23 of EU Directive 95/46/EC on the protection of individuals with regard to the processing of personal data did permit individuals to obtain compensation for breaches of privacy causing them “non-pecuniary loss”, in light of Leitner v. TUI Deutschland GmbH & Co KG [2002] ECR I-2631. On its literal meaning, s. 13(2) had not effectively transposed Article 23 into English law. The Court therefore had to consider whether it was possible to read s. 13(2) compatibly with Article 23. The Court found that, under the Marleasing principle, it could not, because: (i) s. 13 was a “central feature” of the DPA; (ii) Parliament had clearly intended to enact a narrower right to damages for non-pecuniary loss than Article 23; and (iii) to read s. 13 compatibly with Article 23 would subvert Parliament’s intention.
- S. 13(2) could, however, be disapplied on the grounds that it conflicts with the rights to private and family life and to protection of personal data guaranteed by the EU Charter of Fundamental Rights. The Court adopted the test in Benkharbouche v Embassy of Sudan [2015] EWCA Civ 33, which requires domestic courts to disapply domestic provisions which conflict with the Article 47 requirement to provide an effective domestic law remedy for breach of EU law rights, unless that would require the court to redesign the fabric of the legislative scheme. In this case, the Court held that it was possible to disapply s. 13(2) without devising a new legislative scheme.
Google Inc. v Vidal-Hall [2015] EWCA Civ 311, 27 March 2015