Google and the DPA – RIP section 13(2)

Posted on | by Christopher Knight

Well, isn’t this an exciting week (and I don’t mean Zayn leaving One Direction)? First, Evans and now Vidal-Hall. We only need Dransfield to appear before Easter and there will be a full red bus analogy. Robin opened yesterday’s analysis of Evans by remarking on the sexiness of FOIA. If there is one thing you learn quickly as an information law practitioner, it is not to engage in a sexiness battle with Robin Hopkins. But high-profile though Evans is, the judgment in Vidal-Hall will be of far wider significance to anyone having to actually work in the field, rather than simply tuning every now and then to see the Supreme Court say something constitutional against a FOIA background. Vidal-Hall might not be the immediate head-turner, but it is probably going to be the life-changer for most of us. So, while still in the ‘friend zone’ with the Court of Appeal, before it all gets serious, it is important to explain what Vidal-Hall v Google [2015] EWCA Civ 311 does.

The Context

The claims concern the collection by Google of information about the internet usage of Apple Safari using, by cookies. This is known as “browser generated information” or “BGI”. Not surprisingly, it is used by Google to more effectively target advertising at the user. Anyone who has experienced this sort of thing will know how bizarre it can sometimes get – the sudden appearance of adverts for maternity clothes which would appear on my computer followed eerily quickly from my having to research pregnancy information for a discrimination case I was doing. Apple Safari users had not given their consent to the collection of BGI. The Claimants brought claims for misuse of private information, breach of confidence and breach of the DPA, seeking damages under section 13. There is yet to be full trial; the current proceedings arise because of the need to serve out of the jurisdiction on Google.

The Issues

These were helpfully set out in the joint judgment of Lord Dyson MR and Sharp LJ (with whom Macfarlane LJ agreed) at [13]. (1) whether misuse of private info is a tort, (2) whether damages are recoverable under the DPA for mere distress, (3) whether there was a serious issue to be tried that the browser generated data was personal data and (4) whether permission to serve out should have been refused on Jameel principles (i.e. whether there was a real and substantial cause of action).

Issues (1) and (4) are less important to readers of this blog, and need only mention them briefly (#spoilers!). Following a lengthy recitation of the development of the case law, the Court held that the time had come to talk not of cabbages and kings, but of the tort of misuse of private information, rather than being an equitable action for breach of confidence: at [43], [50]-[51]. This allowed service out under the tort gateway in PD6B. The comment of the Court on issue (4) is worth noting, because it held that although claims for breach of the DPA would involve “relatively modest” sums in damages, that did not mean the claim was not worth the candle. On the contrary, “the damages may be small, but the issues of principle are large”: at [139].

Damages under Section 13 DPA

Issue (2) is the fun stuff for DP lawyers. As we all know, Johnson v MDU [2007] EWCA Civ 262 has long cast a baleful glare over the argument that one can recover section 13 damages for distress alone. The Court of Appeal have held such comments to be obiter and not binding on them: at [68]. The word ‘damage’ in Art 23 of the Directive had to be given an autonomous EU law meaning: at [72]. It also had to be construed widely having regard to the underlying aims of the legislation: the legislation was primarily designed to protect privacy not economic rights and it would be strange if data subjects could not recover compensation for an invasion of their privacy rights merely because they had not suffered pecuniary loss, especially given Article 8 ECHR does not impose such a bar: at [76]-[79]. However, it is not necessary to establish whether there has also been a breach of Article 8; the Directive is not so restricted (although something which does not breach Article 8 is unlikely to be serious enough to have caused distress): at [82].

What then to do about section 13(2) which squarely bars recovery for distress alone and is incompatible with that reading of Article 23? The Court held it could not be ‘read down’ under the Marleasing principle; Parliament had intended section 13(2) to impose this higher test, although there was nothing to suggest why it had done so: at [90]-[93]. The alternative was striking it down on the basis that it conflicted with Articles 7 and 8 of the EU Charter of Fundamental Rights, which the Court of Appeal accepted. In this case, privacy and DP rights were enshrined as fundamental rights in the Charter; breach of DP rights meant that EU law rights were engaged; Article 47 of the Charter requires an effective remedy in respect of the breach; Article 47 itself had horizontal direct effect (as per the court’s conclusion in Benkharbouche v Embassy of Sudan [2015] EWCA Civ 33); the Court was compelled to disapply any domestic provision which offended against the relevant EU law requirement (in this case Article 23); and there could be no objections to any such disapplication in the present case e.g. on the ground that the Court was effectively recalibrating the legislative scheme: at [95]-[98], [105].

And thus, section 13(2) was no more. May it rest in peace. It has run down the curtain and joined the bleedin’ choir invisible.

What this means, of course, is a potential flood of DP litigation. All of a sudden, it will be worth bringing a claim for ‘mere’ distress even without pecuniary loss, and there can be no doubt many will do so. Every breach of the DPA now risks an affected data subject seeking damages. Those sums will invariably be small (no suggestion from the Court of Appeal that Article 23 requires a lot of money), and perhaps not every case will involve distress, but it will invariably be worth a try for the data subject. Legal costs defending such claims will increase. Any data controllers who were waiting for the new Regulation with its mega-fines before putting their house in order had better change their plans…

Was BGI Personal Data

For the DP geeks, much fun was still to be had with Issue (3). Google cannot identify a particular user by name; it only identifies particular browsers. If I search for nasal hair clippers on my Safari browser, Google wouldn’t recognise me walking down the street, no matter how hirsute my proboscis. The Court of Appeal did not need to determine the issue, it held only that there was a serious issue to be tried. Two main arguments were run. First, whether the BGI looked at in isolation was personal data (under section 1(1)(a) DPA); and secondly, whether the BGI was personal data when taken together with gmail account data held by Google (application of limb (b)).

On the first limb, the Court held that it was clearly arguable that the BGI was personal data. This was supported by the terms of the Directive, an Article 29 WP Opinion and the CJEU’s judgment in Lindqvist. The fact that the BGI data does not name the individual is immaterial: it clearly singles them out, individuates them and therefore directly identifies them: at [115] (see more detail at [116]-[121]).

On the second limb, it was also clearly arguable that the BGI was personal data. Google had argued that in practice G had no intention of amalgamating them, therefore there was no prospect of identification. The Court rejected this argument both on linguistic grounds (having regard to the wording of the definition of personal data, which does not require identification to actually occur) and on purposive grounds (having regard to the underlying purpose of the legislation): at [122]-[125].

A third route of identification, by which enable individual users could be identified by third parties who access the user’s device and then learn something about the user by virtue of the targeted advertising, the Court concluded it was a difficult question and the judge was not plainly wrong on the issue, and so it should be left for trial: at [126]-[133].

It will be interesting to see whether the trial happens. If it does, there could be some valuable judicial discussion on the nature of the identification question. For now, much is left as arguable.

Conclusion

The Court of Appeal’s judgment in Vidal-Hall is going to have massive consequences for DP in the UK. The disapplication of section 13(2) is probably the most important practical development since Durant, and arguably more so than that. Google are proposing to seek permission to appeal to the Supreme Court, and given the nature of the issues they may well get it on Issues (1) and (2) at least. In meantime, the Court’s judgment will repay careful reading. And data controllers should start looking very anxiously over their shoulders. The death of their main shield in section 13(2) leaves them vulnerable, exposed and liable to death by a thousand small claims.

Anya Proops and Julian Milford appeared for the ICO, intervening in the Court of Appeal.

Christopher Knight

PS No judicial exclamation marks to be found in Vidal-Hall. Very restrained.