Three individuals have won a High Court case (Vidal-Hall & Others v Google Inc  EWHC 13(QB)) allowing them to bring claims in England against US-based Google for misuse of their private information and breach of the Data Protection Act 1998 (DPA).
It is widely-known that Google uses 'cookies' to track users' online behaviour in order to provide targeted advertising to those users. Google uses both first party cookies (planted by a website that an internet user visits) and third party cookies (planted by websites other than those which a user visits).
The Safari internet browser is used on all Apple devices designed to access the internet and is now designed to block third party cookies by default, although there are specific exceptions. The allegation is that Google exploited one of these exceptions to circumvent the privacy settings of users, thereby enabling Google to use third party cookies to collect information about the users and serve targeted advertising based on browser profiles.
The three individuals, who are all resident in England and Wales, have been granted permission to serve a claim on Google for misuse of private information and data protection breaches. Google applied to set aside service of the claim form and the original order on the basis that the English courts had no jurisdiction to hear the claim. However the High Court upheld the original decision and the case will be heard in England unless Google successfully appeals.
Misuse of personal data and breach of the DPA
Although this particular application related to a jurisdictional issue, the judgment handed down by Tugendhat J contains a number of interesting observations that indicate that the courts are increasingly willing to interpret the DPA widely in a way that will assist individuals seeking to bring a compensation claim.
In particular, Tugendhat J hints at a widening of the definition of 'personal data'. This definition is already broad and includes any information from which an individual is identifiable. However, Tugendhat J suggests that behavioural data collected by cookies should be included in the definition of 'personal data', even where it is not linked to information that identifies the individual, and that this should apply even where the behavioural information has been pseudonymised.
Following the 2007 decision of the Court of Appeal in Johnson v MDU, it appeared that damages for distress are only recoverable under the DPA if financial loss has also been suffered. Tugendhat J considered in this case that this interpretation was too narrow and that damages for distress could be recovered without the need to show financial loss. He also distinguished this case from Johnson v MDU as he considered that the claimants at least had a good argument that their Article 8 rights to private life were engaged, which meant that there was a serious issue to be tried.
The full implications of this decision will not be known until the case against Google has run its course. However, what this case does do is represent a potential widening of the situations in which individuals might be able to claim damages for breaches of their rights under data protection law. The wider definition of 'personal data', coupled with the view that non-pecuniary damages should be available for data protection breaches, leaves open the possibility that a significantly wider variety of data protection claims could now succeed where they may before have failed.
The application of the DPA to a further category of personal data also shows how the courts are willing to adapt the law to evolve with technological advances. Organisations processing personal data would be well-advised to keep on top of the rapidly evolving technology sector and consider how data protection obligations might apply to new developments.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at June 2014. Specific advice should be sought for specific cases; we cannot be held responsible for any action (or decision not to take action) made in reliance upon the content of this publication.
TLT LLP is a limited liability partnership registered in England & Wales number OC 308658 whose registered office is at One Redcliff Street, Bristol BS1 6TP England. A list of members (all of whom are solicitors or lawyers) can be inspected by visiting the People section of this website. TLT LLP is authorised and regulated by the Solicitors Regulation Authority under number 406297.