On Friday, 27 March 2015, the Court of Appeal upheld Justice Tugendhat’s landmark judgment in Vidal-Hall et al v Google , which memorably classified the misuse of private information as a tort. The Court has also held that claimants may recover damages under the Data Protection Act 1998 for non-material loss.
This ruling allows the three individual claimants to continue their proceedings against Google regarding the tracking and collation of their browser generated information (“BGI”) via their Apple Safari browser.
“On the face of it, these claims raise serious issues which merit a trial. They concern what is alleged to have been the secret and blanket tracking and collation of information, often of an extremely private nature, as specified in the confidential schedules, about and associated with the claimants’ internet use, and the subsequent use of that information for about nine months. The case relates to the anxiety and distress this intrusion upon autonomy has caused.”
In determining whether BGI is personal data under the Data Protection Act 1998 (“DPA”), the substantive proceedings themselves will cover legal ground that is “not clear-cut”and may open the door for a substantial class action by UK Apple users. In the meantime, the Court of Appeal’s judgment has clarified two other important issues of law that will undoubtedly have a wide-reaching and significant impact:
(1) whether the cause of action for misuse of private information is a tort; and
(2) the meaning of damage in section 13 DPA; in particular, whether there can be a claim for compensation without pecuniary loss.
Misuse of private information
The Court of Appeal agreed with Justice Tugendhat that the misuse of private information constitutes a tort for the purpose for the purposes of the rules providing for service of proceedings out of the jurisdiction. The Court of Appeal was not bound by its decision in Douglas v Hello! (No 3) , as Lord Phillips MR’s comments on this issue were obiter and, in any event, did not provide a satisfactory or principled answer as to why misuse of private information should not be categorised as a tort for these purposes.
Despite asserting that: “this does not create a new cause of action” but rather “gives the correct legal label to one that already exists“, the Court of Appeal acknowledged that the characterisation of the action “cannot be dismissed as a mere loose use of language; [it] connote[s] an acknowledgement, even if only implicitly, of the true nature of the cause of action.”
It is undoubtedly an important label to bestow. The classification of the misuse of private information has been the subject of discussion in previous cases, but this was the first case in which it “made a difference“. Without this classification, the claimants would have been prevented from remedying their civil wrong in the English courts and, in our increasingly digital age, would not have been alone in this regard.
Furthermore, this assessment is likely to have broad and currently undetermined implications, including as to remedies, limitation and vicarious liability. To give one example, classifying the misuse of private information as a tort will permit damages (including exemplary damages) being awarded as of right, rather than remedies being equitable and therefore discretionary.
This is undoubtedly a developing area of the law. Since the coming into force of the Human Rights Act 1998, the courts have had to grapple with how to afford appropriate protection of “privacy rights” in the absence of a common law tort of invasion of privacy. What began as the initial development and adaptation of the law of confidentiality to protect the misuse of private information, has led to the current acceptance that there are two separate and distinct causes of action (breach of confidence and misuse of private information), which protect different interests and rest on different legal foundations.
The meaning of damage in section 13 DPA (“Section 13”)
The DPA was intended to implement Directive (95/46/EC) (the “Directive”), which is a directive “on the protection of individuals with regard to the processing of personal data and on the free movement of such data“. The issue of compensation for a contravention by a data controller is dealt with in Article 23 of the Directive (“Article 23”), so the interpretation of Article 23 is central to the interpretation of Section 13.
The Court of Appeal held that Article 23 should be given its natural and wide meaning so as to include both material and non-material damage. The aim of the Directive is to protect privacy, as opposed to economic rights, and to ensure that data-processing systems protect and respect individuals’ fundamental rights and freedoms. One of these notable rights is the right to privacy under Article 8 of the European Convention of Human Rights (the “ECHR”). Given that the invasion of privacy can cause emotional damage (but not pecuniary loss) and the enforcement of privacy rights under Article 8 ECHR has always permitted recovery of non-pecuniary rights, a more restrictive interpretation of the word “damage” would substantially undermine the objective of the Directive.
In reaching this conclusion, the Court of Appeal held that it was not bound by the obiter comments of Lord Justice Buxton that there was “no compelling reason to think that “damage” in the Directive has to go beyond its root meaning of pecuniary loss“. Instead, the Court of Appeal was mindful of the well-established principle that “the terms of a provision of European Union law which makes no express reference to the law of the Member States for the purpose of determining its meaning and scope must normally be given an autonomous and uniform interpretation throughout the European Union“. The European Court of Justice had previously held that compensation for “damage” confers a right to compensation for non-material damage, in the context of a directive that was designed to offer protection and compensation to consumers for the same.
In view of this conclusion, if interpreted literally, Section 13(2) has not effectively transposed Article 23 into domestic law. Section 13(2) provides that an individual who suffers distress by reason of a contravention by a data controller of any of the requirements of the DPA is entitled to compensation only if: (i) he also suffers pecuniary or material loss by reason of the contravention; or (ii) the contravention relates to the processing of personal data for journalism, artistic or literary purposes.
Consequently, it was necessary to consider whether it was, in any event, possible to interpret Section 13(2) in a way that was compatible with Article 23. As many will recall, the Marleasing  principle states that the courts of Member States should interpret national law enacted for the purpose of transposing an EU directive into its law, so far as possible, in the light of the wording and the purpose of the directive in order to achieve the result sought by the directive. In this case, the Court of Appeal was not able to make this interpretation, as to do so would have altered a fundamental feature of the DPA. Parliament had clearly deliberately chosen to limit the right to compensation in the way it did and the provisions for compensation in the event of any contravention by a data controller are undeniably a central feature of the DPA.
As such, the natural final point for consideration was whether Section 13(2) should be disapplied on the grounds that it conflicts with the rights guaranteed by Articles 7 (right to private and family life) and 8 (right to protection of personal data) of the ECHR. In Benkarbouche , it was established that:
(i) where there is a breach of a right afforded under EU law, article 47 ECHR is engaged;
(ii) the right to an effective remedy for breach of EU law rights provided for by article 47 embodies a general position of EU law;
(iii) that general principle has (in the main) horizontal effect;
(iv) in so far as a provision of national law conflicts with the requirements for an effective remedy in article 47, the domestic courts can and must apply the conflicting provisional; and
(v) the only exception to (iv) above is that the court may be required to apply a conflicting domestic provision where the court would otherwise have to redesign the fabric of the legislation scheme.
The Court of Appeal agreed that the Benkarbouche principle applied in this case and held that Section 13(2) should be disapplied accordingly. This would mean that compensation would be recoverable under the DPA for any damage suffered as a result of a contravention by a data controller of any of the requirements of the DPA. This did not ultimately require the Court to make any legislative choices.
This judgment provides welcome clarification on two related, but distinct, areas of law. It will be interesting to monitor how it is used in the field of privacy law going forward and whether claimants with a claim that falls under the tort of misuse of private information will also end up bringing it under the DPA, given that the hurdle of pecuniary loss has been lifted.
  EWHC 13 (QB)
  QB 125
 A v B plc  195
 OBG Limited and other v Allan and others; Douglas and another and others v Hello! Limited and other; Mainstream Properties Limited v Young and others and another  1 AC 1
 Johnson v Medical Defence Union  EWCA 262
 Fish Legal v Information Commissioner (Case C-279/12)  QB 521
 Leitner v TUI Deutschland GmbhH & Co KG ECR  ECE 1-1631
 Marleasing SA v La Comercial Internacional de Alimentacion SA  EUECJ C C-106/89
 Benkarbouche and Janah v Embassy of Sudan and others  EWCA Civ 33