The Court of Appeal has recently given judgment in a case concerning the tracking of Internet behaviour through web browsers. The judgment establishes three important principles:
- misuse of private information should now be recognised as a tort;
- s.13 of the Data Protection Act (“DPA”) should be interpreted in a manner compatible with EU Law so compensation should be recoverable for any damage resulting from a breach of the DPA by a data controller, even non-pecuniary damage; and
- it is "clearly arguable" that Browser-Generated Information (“BGI”) constitutes personal data within the meaning of the DPA.
The claimants were three individuals who accessed the internet using the Safari browser on their Apple computers who subsequently complained that Google collected private information about their internet usage via their Apple Safari browser without their knowledge and consent. This BGI was sold to advertisers who could and did select adverts targeted or tailored to the claimants’ interests as deduced from the collected BGI. These adverts appeared on the screens of the claimants' computers and revealed private information about a wide range of their personal information that could have been seen by third parties.
The claimants brought three claims: misuse of private information, breach of confidence and breach of the DPA. They alleged that their personal dignity, autonomy and integrity were damaged, and claimed damages for anxiety and distress under the first two claims. They claimed compensation for damage and distress pursuant to s.13 DPA under the third claim. They made no claim for pecuniary loss.
Summary of Proceedings
The claims were brought in the High Court and the claimants needed the court’s permission to serve proceedings on Google in California, where it is based. Permission was granted by the High Court, which involved it finding that there was a serious issue to be tried and there was a good arguable case that damage was sustained within the UK or resulted from an act committed in the UK. Google appealed against this decision.
In dismissing Google’s appeal, the Court of Appeal made some important findings on the claims, described below.
Misuse of private information as a tort
The Court distinguished between the two separate torts of breach of confidence and misuse of private information. It ruled that misuse of private information should be recognised as a separate tort, commenting that this does not give rise to a new cause of action, but simply ‘give[s] the correct legal label to one that already exists'.
The court found that the two torts offered different protections resting on different legal foundations. An action for breach of confidence depends on improper use being made of information that had been disclosed by one person to another in confidence. Misuse of private information can be differentiated from this as it exists to protect the privacy of an individual, without the necessity for a confidential disclosure.
This was the first time this distinction had been directly addressed by the court. It noted that in this digital age, problems of misuse of private information obtained as a result of online activity are likely to arise more frequently.
Meaning of damage in s. 13 DPA
It was common ground between the parties that a literal interpretation of section 13 of the DPA would not allow the claimants to recover damages for distress for the alleged breaches of the DPA because they did not suffer any monetary loss. The question before the court was whether in this instance the DPA had properly implemented Article 23 of the European Data Protection Directive.
The Directive aims to protect privacy rather than economic rights and the court interpreted this as including both material and non-material damage. The Court therefore decided to dis-apply the conflicting provision of the DPA. The consequence of this would be that compensation is recoverable under section 13 for any damage suffered as a result of a contravention of the DPA by a data controller.
Is BGI ‘personal data’ under the DPA?
For the DPA to have been breached, BGI had to be personal data within its meaning. On this appeal, the Court did not have to decide this point definitively, but only to decide whether there was a serious issue to be tried, since this was the test of whether the High Court was right to allow the claim to be served on Google out of the UK jurisdiction.
The Court found that third parties are able to use BGI to identify individuals and distinguish them from others. Therefore while the opposing arguments were not clear-cut or straightforward there were serious issues to be tried in relation to the claimants’ case.
The court noted that although any damages that might be awarded in the case may be relatively modest, the issues of principle are large.
In addition, if found liable, the possibility of compensatory damages for this type of claim is not the end of the story. There are other sanctions for breaches of the DPA, such as monetary penalty orders, which are likely to drive changes in behaviour.
In fact in this case, it appeared that behavioural change had already taken place. The Court observed that some of the technical issues within the Safari browser might already have been addressed as a result of US litigation. In August 2012, Google agreed to pay a civil penalty of US$22.5 million to settle charges brought by the United States Federal Trade Commission that it misrepresented to users of the Safari browser that it would not place tracking cookies or serve targeted advertisements to those users. Google also agreed to pay a further US$17 million to settle consumer based actions on similar principles in November 2013.