The Court of Appeal has upheld the judgment of Tugendhat J. in Vidal-Hall v Google Inc, allowing a number of claimants to serve proceedings out of the jurisdiction on Google Inc. for breach of their right to privacy, or alternatively for breach of Google's obligations under the Data Protection Act, 1998 (DPA).
Background
Whether a claimant can obtain leave to serve out of the jurisdiction depends on, among other things, the correct legal classification of the claim and whether the claimant can show a serious issue to be tried. As in this case, this often means the court needs to look at these questions in some detail.
Google operates a service to advertisers called "DoubleClick". A wide range of advertisers use the DoubleClick service and the service generates billions of dollars annually for Google. When a member of the public browses the Google domain, unless the user has blocked third party cookies, the so-called DoubleClick ID Cookie is set in the user's browser. The DoubleClick ID Cookie allows Google to know when the user visits a website displaying an advertisement placed by an advertiser who subscribes to the DoubleClick service.
The claimants allege that Google is able to collate this information and combine it with the information normally sent by a browser to the website it connects to, referred to as 'browser generated information' or BGI. The BGI includes the address of the website the user's browser is displaying and the IP address from which the user's device is connected to the internet. Google can, thereby, deduce a wide variety of information about individual users, information alleged by the claimants to be of a private and/or personal nature. Users are able to opt out of this collation process.
The claimants were Apple computer users during a specified period in 2011 and 2012 and used Apple's Safari web browser. The Safari browser has default privacy settings which block third party cookies, including the DoubleClick ID Cookie. However, it was necessary to build in some exceptions, including the so-called "Form Submission Rule" and the "One In, All In Rule". Because of these default privacy settings, Google did not offer the opt-out option to Safari users.
The Issues
The central allegation made by the claimants is that, during the specified period, Google, without the knowledge or consent of Safari users, operated a scheme to bypass the default privacy settings, a scheme which has been dubbed the "Safari Workaround". The scheme is said to have involved the so-called "Intermediary Cookie", a cookie specifically designed to be set in the Safari browser, using the Form Submission Rule, whenever the user accessed Google's internet services. This was the case, notwithstanding that the Intermediary Cookie was a Third Party Cookie associated with the DoubleClick domain. Once the Intermediary Cookie was set, the DoubleClick ID Cookie could also be set in the user's browser by virtue of the "One In, All In Rule".
The claimants allege that Google, without their knowledge or consent, collected and recorded information about them which was information in which the claimants had a reasonable expectation of privacy. The acts of Google in doing so amounted to (1) an unjustified infringement of the claimants' right to privacy and a misuse of their private information and (2) a breach of Google's obligations under the data protection principles set out in the Data Protection Act, 1998 ("the DPA"). Originally, there was also a claim for breach of confidence, but that was not pursued in the Court of Appeal.
Google is a US-based corporation and the claimants required leave to serve the proceedings out of the jurisdiction. There are a number of requirements the claimant must satisfy to obtain leave to serve out. In these proceedings, two requirements for leave to serve out were particularly in issue. First, was there a serious issue to be tried on the merits? Second, could the claimants bring themselves within the jurisdictional 'gateways' set out in CPR PD 6B, of which the one principally in issue was CPR PD 6B 3.1 (9) which provides:
"(9) A claim is made in tort where - (a) damage was sustained within the jurisdiction; or (b) the damage sustained resulted from an act committed within the jurisdiction..."
The Master gave the claimants leave and this was upheld by Tugendhat J. The judge held:
- An action for misuse of private information was a tort and that damages, including damages for distress, recoverable for misuse of private information was damage within the meaning of 'damage' in CPR PD 6B 3.1 (9), so that jurisdictional 'gateway' applied.
- The claim under Section 13 of the DPA did not require proof of pecuniary damage and the information collected by Google did qualify as 'personal data' for the purpose of the DPA claim. Again, CPR PD 6B 3.1 (9) applied.
- The claims under both heads involved real and substantial issues to be tried.
- On the basis of Kitechnology BV v Unicor GmbH Plastmachinen [1995] FSR 765, by which he was bound, breach of confidence did not qualify as a tort, a decision from which there was no appeal.
- As Google had ceased the conduct complained of, leave to serve out could not be given on the basis that there was a claim for an injunction, which is a 'gateway' under CPR PD 6B 3.1 (2).
The court's assessment and decision
The Court of Appeal refused Google's appeal. The judgment is that of the Master of the Rolls and Lady Justice Sharp, with whom Lord Justice McFarlane agreed. The decision is in four parts.
1. Is misuse of private information a tort for the purposes of CPR PD 6B 3.1(9)?
The action for misuse of private information is a relatively recent development from actions for breach of confidence. Its existence stems from such decisions as Campbell v MGN Ltd [2004] UKHL 21. One reason for its development was the need to give effect to the UK's obligations under Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms. However, as the Master of the Rolls put it in the present case: "confidence and privacy are not the same and protect different interests".
The court considered it was bound, as was the judge, by the Court of Appeal decision in Kitechnology BV v Unicor GmbH Plastmachinen [1995] FSR 765, a case relating to a classic allegation of breach of confidence. Again considering questions of leave to serve out, the Court of Appeal held that the action for breach of confidence was not a tort for the purposes of Article 5(3) of the Brussels Convention, which provides for jurisdiction in, among other things, "matters relating to tort".
Google's main argument was that the Court of Appeal had held in Douglas v Hello! Ltd (No 3) [2005] EWCA Civ 595, [2006] that the action for misuse of private information fell into the same category. The Master of the Rolls dismissed this argument. He held that the suggestion of the court in Douglas v Hello! No.3 that misuse of private information was not a tort was obiter. After reviewing the authorities he said:
"Misuse of private information is a civil wrong without any equitable characteristics. We do not need to attempt to define a tort here. But if one puts aside the circumstances of its 'birth', there is nothing in the nature of the claim itself to suggest that the more natural classification of it as a tort is wrong."
2. What is the meaning of 'damage' in Section 13 of the DPA? Can there be a claim for compensation without pecuniary loss?
The DPA was intended to give effect to the UK's obligations under Directive 95/46/EC, which, as the court pointed out, is aimed at safeguarding privacy rights in the context of data management. Section 13(1) provides a right to compensation to an individual who "suffers damage" by reason of a contravention of the requirements of the Act. Section 13(2) provides a right to compensation to persons who suffer distress as a result of a contravention, but only if the injured party has also suffered damage (which is the same test as Section 13(1)), or in particular circumstances which did not apply in this case.
Section 13(1) is based on the requirements of Article 23 of the Directive.
The court identified three decisions to be made:
- First, had these claimants, who were not claiming for pecuniary loss, suffered damage as required by Section 13?
- Second, if the normal meaning of Section 13 in domestic law was that non-pecuniary loss was not covered by Section 13(1), does Article 23 include non-pecuniary loss and if so should Section 13 also be construed to cover non-pecuniary loss in accordance with the Marleasing principle?
- Third, should the restricted provisions of Section 13(2) be dis-applied in accordance with the principles laid down in Benkharbouche and Janah v Embassy of Sudan and others [2015] EWCA Civ 33?
In Johnson v Medical Defence Union [2007] 96 BMLR 99, the Court of Appeal stated that, as the claimant had not proved pecuniary loss, he could not claim to have suffered damage within the meaning of Section 13(1). The Master of the Rolls was disinclined to agree with this, so the question was whether the court was bound by the decision in Johnson. The court held that it was not bound, on the ground that in Johnson the court had decided there had been no breach of the data processing principles, so no use of the data in contravention of the provisions of the DPA. This was sufficient to decide the case, so the issue of the classification of damages was obiter.
The court then turned to the question of whether 'damage' in Article 23 of the Directive includes non-pecuniary loss. There does not appear to be any direct authority from the Court of Justice of the European Union (CJEU) on the point. The nearest the defendant got to authority for the proposition that non-pecuniary loss was not included was a decision of the High Court of Ireland in Collins v FBD Insurance Plc [2013] IEHC 137. However, the Master of the Rolls declined to place much weight on it because it lacked the reasoning about the aims of the Directive which he considered to point to a wider meaning of 'damage'.
The court considered the aim of the Directive was to protect privacy rather than economic rights, so it would be strange if it did not protect those who had suffered distress by reason of an invasion of their privacy. The court found support for its view in Leitner v TUI Deutschland GmbhH & Co KG ECR [2002] ECR 1-1631, where the CJEU found that the word 'damage' in Directive 90/314/EEC, which deals with compensation for breach of package travel terms, had a wide meaning including damage for loss of enjoyment of the promised holiday.
However, the court went on to hold that even though the restrictions on claims for damages for non-pecuniary loss contained in Section 13(2) were incompatible with this construction of Article 23, the court was not in a position to interpret Section 13(2) as compatible with Article 23 under the Marleasing principle. The court considered that the limitations contained in Section 13(2) were central to and a fundamental feature of the legislation as passed by Parliament. In these circumstances, the provisions of Section 13(2) could not be interpreted so as to be compatible with the Directive. Absent any other remedy, the claimants would have to sue the state for failure to apply the Directive correctly.
The last issue on this part of the case concerned Article 47 of the EU Charter of Fundamental Rights, which gives to anyone whose rights and freedoms are violated "the right to an effective remedy". In Benkharbouche the Court of Appeal decided that, insofar as a provision of national law conflicts with the requirement for an effective remedy in Article 47, the domestic courts can and must dis-apply the conflicting provision.
There are limits on this doctrine. In R (Chester) v Secretary of State for Justice [2013] UKSC 63, a case relating to prisoner voting, the Supreme Court considered that to give effect to the Charter would require them to strike out the whole of the legislative provision on prisoner voting. This was not possible given that prohibition on voting was perfectly lawful in the case of a significant number of prisoners.
The Master of the Rolls considered this case was on the Benkharbouche side of the divide, not on the Chester side. All that was required to bring the DPA in line with the requirements of the Charter was to dis-apply the limitations in Section 13(2).
3. Was there a serious issue to be tried that the BGI is 'personal data' under the DPA?
Under Section 1 of the DPA, "personal data" means data which relates to a living individual who can be identified-
- from those data, or
- from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller.
The court was influenced in its decision by the views of a working party set up under the Directive. The working party was of the view that a person can be identified when the data permits them to be singled out, even if that has not already happened and even if they are not identifiable by name. The court rejected the view put forward by the defendants that the working party had in mind only identification by internet access providers.
On this basis the court was clearly of the view that the claimants had reached the threshold of showing there was a serious issue to be tried.
The court rejected the argument that a device may have a number of users who cannot therefore be individually identified. The argument failed to take account of the fact that many devices have only one user, and, in any event, on the claimants' evidence it was possible to pick out individual users even when a device had more than one.
4. Do the claimants have a real and substantial cause of action?
The defendants argued, as a free-standing ground of appeal, that there was no real and substantial cause of action as the claimants did not stand to achieve anything in the proceedings which justified the high costs and use of court resources. They relied on Jameel v Dow Jones and Co [2005] EWCA Civ 75.
The court was of the view that the Jameel jurisdiction was valuable where the claim was obviously pointless or wasteful, but the defendant did not come close to establishing this was the case here. The damages recovered might be quite small, although there was a claim for aggravated damages, but the issues of principle were large.
Conclusion
This case will be extremely interesting to follow. The Court of Appeal's judgment was long and involved precisely because many important issues of law are involved. It is likely to be vigorously defended. Google have already had to pay millions of dollars to settle actions commenced by the United States Federal Trade Commission and has agreed to pay millions more to settle consumer law-based claims by 37 States.