Data Protection Report - Norton Rose Fulbright

On June 30, 2016, Google withdrew its appeal from the UK Supreme Court in the landmark case of Google v. Vidal-Hall after the parties reached a settlement. In the ruling on appeal, the Court of Appeal had ruled that damages for emotional distress, without any pecuniary loss, may be awarded under the Data Protection Act 1998 (the “Act”). With the appeal withdrawn, this ruling will remain valid. Therefore, companies that operate in the UK may wish to consider this ruling when conducting risk analyses and responding to litigation.

The Issues

In Vidal-Hall, the claimants alleged that Google obtained private information about internet usage through its use of cookies without individuals’ knowledge or consent. According to the plaintiffs, this information enabled Google to provide information to advertisers to help in targeting or tailored advertisements to internet users. The claimants did not allege any financial loss and brought a claim seeking damages solely for emotional distress. At first instance, the court ruled that the misuse of private information constitutes a tort under English law, thereby allowing the claimants to serve proceedings on Google out of the jurisdiction. Without this distinction, any individuals whose privacy rights had been breached by a company registered outside the UK would have been prevented from remedying their loss in the English courts. The court also held that damages for non-pecuniary loss could be recovered under the Act.

The Court of Appeal, the intermediary appellate court, affirmed the judgment that the misuse of private information is a tort under English law and that damages could be recovered for non-pecuniary loss even where no other type of loss was claimed. In its decision, the Court analysed the meaning of “damage” in section 13(2) of the Act, which is the implementation of the EU Data Protection Directive Article 23. Prior to Vidal-Hall, UK courts had found that “damage” under the Act required some form of pecuniary loss. However, referring to Article 23 of the Directive, the Court acknowledged that data subjects should be entitled to receive compensation from a data controller for unlawful actions and found that there was no distinction between pecuniary and non-pecuniary loss in these circumstances.

The Court recognised that it would be “strange” not to compensate individuals whose personal data had been compromised, particularly given that an invasion of privacy will rarely be accompanied by actual monetary loss. Following this reasoning, the Court of Appeal held section 13(2) of the Act inapplicable on the grounds that it was not compatible with EU privacy law.

In July 2015, Google was granted permission by the Supreme Court to appeal this issue, on the grounds of public interest. However, given that Google has now withdrawn its appeal, the Court of Appeal’s decision will be binding on subsequent cases in the UK. Consequently, claimants are no longer required to prove pecuniary loss as a pre-requisite to recovery in claims under the Act.

Our Take

Although Vidal-Hall has significantly widened the scope for claims of this nature, data controllers may find some comfort in the fact that compensation awards for emotional distress are typically low value and may not provide sufficient incentive to bring such a claim. Further, although the Court of Appeal’s ruling will no longer be challenged, the fact that the Supreme Court allowed an appeal indicates that this interpretation of the law may not be clear cut and leaves the door open for this issue to be tested in subsequent cases.

In the meantime, however, companies may wish to consider the risk of an increase in class action claims where the personal data of a whole class of individuals is alleged to have been breached. In those cases, compensation awards may reach much more significant sums and have an adverse effect on a defendant company. This risk may also impact insurers that provide data breach coverage.