Vidal-Hall v Google Inc (CA)

Reference: [2015] EWCA Civ 311

Court: Court of Appeal

Judge: Lord Dyson MR, McFarlane & Sharp LJJ

Date of judgment: 27 Mar 2015

Summary: Misuse of Private Information – Data Protection Act 1998 – Breach of Confidence – service out of the jurisdiction – EU Charter of Fundamental Rights – distress

Download: Download this judgment

Instructing Solicitors: Bristows LLP for the Appellant; Olswang LLP for the Respondents; The Information Commissioner’s Office as Intervener.

Facts

The claimants, who were respondents to this appeal, are three individuals who used Apple computers between Summer 2011 and 17 February 2012, and used Apple’s “Safari” browser to access the internet during that time. They claim that the defendant (here the appellant) collected their private information (namely their browser-usage) without their knowledge or consent by means of ‘cookies’. They claim the defendant then used this information in offering commercial services to advertisers.

On 12 June 2013, the claimants issued proceedings in England & Wales for misuse of private information, breach of confidence and breaches of the Data Protection Act 1998 (“DPA”), including compensation for distress under s.13 DPA.

The claimants are domiciled in the jurisdiction, but the defendant is domiciled in California, USA. Therefore, the claimants needed the permission of the High Court to ‘serve out’ of the jurisdiction under CPR r6.36. As well as showing a substantial issue, and that England was the appropriate forum for the dispute, the claims also had to come within one of the jurisdictional ‘gateways’ in CPR PD6B.

CPR PD6B at para. 3.1(9) provides that “A claim is made in tort where – (a) damage was sustained within the jurisdiction; or (b) the damage sustained resulted from an act committed within the jurisdiction…”.

Before Tugendhat J, on the defendant’s application to set-aside the Master’s permission to serve-out, it was accepted that the DPA claims were claims in tort. Tugendhat J held that:

  • He was bound by the Court of Appeal decision in Kitchenology BV v Unicor GmbH Plastmachinen [1995] FSR 765 to hold that breach of confidence was not a tort, and so permission would be set aside in respect of that claim. However, misuse of private information was a tort for the purposes of CPR Part 6.
  • That in respect of the DPA claims, there was a good arguable case that the claimants did not require proof of pecuniary loss in order to recover damages under section 13 DPA, and that the browser-generated information was ‘personal data’ under the DPA.

Issue

1) Is misuse of private information a ‘tort’ for the purposes of CPR PD 6B, para. 3.1(9)?

2) What is the meaning of ‘damage’ in section 13 DPA, and especially can there be compensation without pecuniary loss?

3) Was there a serious issue to be tried that the browser-generated information was ‘personal data’ within the meaning of the DPA?

4) Did the claims in misuse of private information and breach of the DPA amounted to real and substantive causes of action?

Held

Appeal dismissed, and permission to appeal to the UK Supreme Court refused:

1) Misuse of private information was distinct from breach of confidence, and should now be recognised as a tort for the purposes of service out of the jurisdiction. This does not create a new cause of action, but rather gives the correct label to one that already exists. The implications (as to remedies, limitation, vicarious liability) were not in issue and would have to be resolved by the courts as they arose [50]-[51].

2)The DPA was intended to implement Directive 95/46/EC. Article 23 of the Directive allowed for compensation for ‘damage’. Legal terms in EU law have an autonomous meaning, which should be given effect harmoniously across the laws of Member States. Section 13 DPA, which provides for compensation for ‘damage’ suffered by a breach of the DPA only allowed damages for distress if one of the criteria in s.13(2) was met (i.e. extra to pecuniary loss, or that the contravention was related to one of the ‘special purposes’ being literature, journalism and the arts). It was not possible, even relying on the Marleasing principle, to adopt a meaning inconsistent with a fundamental feature of the legislation. Section 13(2) could not be interpreted compatibly with Article 23 of the Directive. The claimants, supported by the Information Commissioner, submitted that s.13(2) should be disapplied because it conflicts with Articles 7 and 8 of the EU Charter of Fundamental Rights (“EUCFR”), and the Court of Appeal agreed. Disapplication was required, and such a decision did not for the court to legislate for its absence (Benkharbouche applied, Chester distinguished): see [94]-[95], [103]-[105]

3) There was a serious issue to be tried as to whether the browser-generated information was personal data, but the Court of Appeal would go no further than that. The judge was not plainly wrong, and the matter would be better resolved at trial.

4) The Court of Appeal considered the claims raised serious issues and that the appellant/defendant did not come close to establishing Jameel The damages may be small, but the issues of principle were large.

Comment

This is a landmark decision, not only for the confirmation that misuse of private information is a tort, but for the disapplication of primary domestic legislation on the basis of incompatibility with an EU Directive and provisions of the Articles 7, 8 and 47 of the EU Charter of Fundamental Rights, applying the recent decision (by a Court of Appeal again including Lord Dyson MR) in Benkharbouche v Embassy of the Republic of Sudan [2015] EWCA Civ 33.

The major effect of this decision is that it appears that it will be possible for claimants who make claims for compensation for breach of the DPA to claim damages for distress even though they have suffered no pecuniary loss, and even though the contravention of the DPA was not related to the purposes of journalism, the arts, or literature.