The High Court has ruled that three individuals resident in England may bring claims in England against US-based Google Inc for misuse of their private information and breach of the Data Protection Act 1998 arising from Google’s exploitation of Apple’s Safari web browser privacy settings. The case will proceed to trial in England unless Google successfully appeals this decision. The court found that the claimants had a good arguable case, based on misuse of private information and breaches of the Data Protection Act 1998 (DPA), that fell within the ground relied on (damage sustained in or resulting from an act committed in the jurisdiction). It also found that there was a serious issue to be tried in respect of each claim allowed and that England was the appropriate forum.
Some of Tugendhat J’s conclusions are ground-breaking, as they question long-standing beliefs about how the right to privacy and data protection should be viewed by the English courts. He has clearly ruled that misuse of personal information is in fact a tort for the purpose of paragraph 3.1(9) of Practice Direction 6B of the Civil Procedure Rules, despite its origin in the claim for breach of confidence. He also suggested a significantly wider definition of personal data under the DPA than in previous decisions.
Privacy advocates will welcome the notion that behavioural data collected by third party cookies should be considered personal data, even where it is not connected to information directly identifying an individual. Online services and advertising networks will, however, view this case with some trepidation if the need for financial loss to exist before damage for distress can be claimed is dispensed with (a question which the court raised, but left to be settled at trial), as this would open the doors for a much wider variety of claims under the DPA. See Vidal-Hall and others v Google Inc[2014] EWHC 13 (QB), 16 January 2014.
This case is a warning to companies that if they misuse data they may open themselves up to a new and significant vein of damages. If you wish someone to review your data use policies or systems or want more advice on this topic, please contact Christopher Evans of Druces LLP’s Corporate & Commercial team