On March 27, 2015, the Court of Appeal issued its final judgment on ‘Safari workaround’: it dismissed Google’s appeal and gave the leeway for UK data subjects to sue Google in England for cookies violations.
At the beginning of 2013 several claimants alleged that Google used cookies to track their browsing activity “Browser Generated Information” without their consent. After the High Court held that the courts of England were the appropriate jurisdiction for UK citizens to try the claims against Google Inc., the company challenged the decision before the UK Court of Appeal. More information are available here.
The appeal raised several important issues of law, among which the question of whether the cause of action for misuse of private information is a “tort” for the purpose of the rules providing for service of process out of the jurisdiction. The second is the meaning of “damage” in Section 13 of the UK Data Protection Act 1998 (“DPA”); in particular, whether there can be a claim for compensation without pecuniary loss. Finally, the Court had to decide whether there is a serious issue to be tried – ie, that Browser Generated Information is “personal data” under the DPA – as is necessary to justify service outside of the jurisdiction.
As for the first issue, the claimants’ application for permission to serve out of the jurisdiction relied, among other, on the classification of “misuse of private information” and “breach of confidence” as a tort and not an equitable wrong, which gave the gateway to establish local jurisdiction: if a claim for misuse of private information was not a “tort”, then the claimants would not be able to serve their claims on Google in the UK (being Google a Delaware corporation with principal place of business in California)
The Court of Appeal agreed with the High Court and held the claims for misuse of private information did fall within the tort “gateway”. “Misuse of private information is a civil wrong without any equitable characteristics.”
As for the second issue, the claimants sought compensation under section 13 DPA alleging that their personal dignity, autonomy and integrity were damaged, and claimed damages for anxiety and distress. There was no claim for pecuniary loss. Google contended that data subjects cannot claim compensation for non-pecuniary damages unless they can prove a pecuniary loss.
According to the Court, Section 13(1) of the DPA provides that an individual who suffers “damage” by reason of any contravention of the DPA is entitled to compensation for that damage. Section 13(2) provides that an individual who suffers “distress” by reason of any contravention is entitled to compensation for that distress if (a) he also suffers damage, or (b) the contravention relates to the processing of personal data for the special purposes.
The English DPA was intended to implement Directive 95/46/EC on the protection of personal data. The issue of compensation is dealt with in Article 23 of Directive 95/46/EC, so the interpretation of Article 23 is central to the interpretation of Section 13. Article 23 provides that “any person who has suffered damage as a result of an unlawful processing operation or of any act incompatible with the national provisions adopted pursuant to this Directive is entitled to receive compensation from the controller for the damage suffered.”
The Court of Appeal concluded that Article 23 of the Directive “must be given its natural and wide meaning so as to include both material and non-material damage” (emphasis added). In doing so, it observed: “Since what the Directive purports to protect is privacy rather than economic rights, it would be strange if the Directive could not compensate those individuals whose data privacy had been invaded by a data controller so as to cause them emotional distress (but not pecuniary damage)”.
As for the third issue, the Court found that it was “clearly arguable” that Browser Generated Information constitutes “personal data” under section 1(1)(a) of the DPA, which defines personal data as those related to a living individual who can be identified from the data itself.
The Court noted that “identification for the purposes of data protection is about data that ‘individuates’ the individual, in the sense that they are singled out and distinguished from all others. It is immaterial that the BGI does not name the user. The BGI singles them out and therefore directly identifies them for the purposes of section 1(1)(a) of the DPA”.
At the same time, the Court held that it is irrelevant that Google did not aggregate the Browser Generated Information with other information in its possession to identify users. “What matters is whether the defendant has “other information” actually within its possession which it could use to identify the subject of the BGI, regardless of whether it does so or not”
Overall, the Court found that the claims did raise serious issues which merit a trial, as they concern alleged secret and blanket tracking, collation and use for an extended period of confidential information. While the Court acknowledged that any compensatory damages may be small, it found that “the issues of principle are large”.
Court of Appeal decision Vidal-Hall -v- Google, dated March 27, 2015 is available at https://www.judiciary.gov.uk… Open Pdf