Reference: [2015] EWCA Civ 311 Court: Court of Appeal

Date of Judgment: 27 March 2015

"There are a number of common law and statutory remedies of which it may be said that one at least of the underlying values they protect is a right to privacy."

Lord Hoffman in Wainwright v Home Office

One of the remedies to which Lord Hoffman was referring back in 2003 was the relief available under the Data Protection Act 1998 (DPA). Since then, the DPA has found itself increasingly being used to protect the privacy of individuals and to control how their personal information is being used by organisations, businesses or the government. The DPA, which gives effect to Directive 95/46/EC, has often been deployed as a supplement to privacy or defamation claims. However, recent changes in the law have made data protection claims more formidable in their own right. In particular, the decision of the Court of Justice of the European Union in Google Spain SL v Agencia Espanola de Proteccion de Datos has famously opened the floodgates to a multitude of claims from individuals seeking to have information about themselves removed from search engine results.

The DPA has the potential to provide for greater protection than other causes of action as the concepts of data protection laws are very broad. The definition of "personal data" to which the DPA applies is itself very wide and may include data about a person which would not satisfy the first limb of the tort of misuse of private information. "Data processing" too, is a broad concept which extends to most actions that involve any handling of personal data including obtaining, recording or altering it. Publication of personal data is also falls within the scope of data processing for such purposes. Furthermore, a claim under data protection laws need not attain the "certain level of seriousness" Laws LJ pointed out in Wood v Commissioner of Police for the Metropolis [2009] as being necessary to engage Article 8. There are also remedies under the DPA which are not available in misuse of private information claims. A court can order, for example, the data controller to rectify, block, erase or destroy personal data which is found to be inaccurate.

Vidal Hall & Ors v Google Inc

The landmark judgment of the Court of Appeal in Vidal Hall & Ors v Google Inc looks to have significantly changed the law in favour of potential data protection litigants once again.

In this case, Google is alleged to have been collecting private information about the claimants' internet usage via the Apple Safari browser. This Browser-Generated Information (BGI) was collected without the claimants' knowledge or consent and then aggregated and used by Google as part of its commercial offerings to advertisers. This enabled advertisers to target or tailor ads to the particular user's interests. This tracking of the claimants' BGI was contrary to the defendant's stated position that such activity could and would not be conducted for Safari users without express consent.

This ruling by the Court of Appeal related to whether the claimants would be permitted to serve their claim on Google which is based in California and therefore outside of the jurisdiction. Permission was granted by the court allowing the three individual claimants to continue proceedings. In making this decision, the Court of Appeal made a key ruling which will be of significant importance to future data protection claims by holding that there is now no need to establish pecuniary damage to bring a claim under the DPA and that distress alone is sufficient.

Pecuniary Damage in Data Protection Claims

Prior to Vidal Hall, the law in England was quite clear on this point: in order to bring a successful civil claim under the DPA, the claimant had to be able to show that it had suffered at least some form of pecuniary damage (unless the processing related to one of the special purposes: journalism, art or literature). This pecuniary damage then acted as a 'gateway' which, if opened, permitted further recovery for emotional distress. This requirement is set out at section 13(2) of the DPA and it was common ground between the parties that under a literal interpretation, the claimants were indeed not entitled to recover damages for distress as they had not incurred the necessary pecuniary loss. [59]

The courts have previously worked around section 13(2) by awarding nominal damages under this section to then enable them to provide compensation for distress. In 2013, the Court of Appeal in Halliday v Creation Consumer Finance Ltd awarded damages of £1 and compensation for distress of £750. Then, in AB v Ministry of Justice in 2014, the Court of Appeal once again made a nominal damages award opening the door for them to provide for a sum of £2,250 by way of compensation for distress.

However, the Court of Appeal noted that the DPA was intended to implement Directive (95/46/EC) which is a directive "on the protection of individuals with regard to the processing of personal data and on the free movement of such data". [55] Article 23 of the Directive provides that:

"Member States shall provide that any person who has suffered damage as a result of an unlawful processing or of any act incompatible with the national provisions adopted pursuant to this Directive is entitled to receive compensation from the controller for the damage suffered."

The interpretation of Article 23 is therefore central to the interpretation of Section 13.

The Court of Appeal held that Article 23 should be given its natural and wide meaning so as to include both material and non-material damage [76]. As the aim of the Directive is to protect privacy rather than economic rights, and to ensure that data-processing systems protect individuals' fundamental rights and freedoms, it would be "strange" if the Directive could not compensate those whose data privacy had been invaded by a data controller so as to cause them emotional distress (but not pecuniary damage). Furthermore, the court held that it would be "irrational" to treat EU data protection law as permitting a more restrictive approach to the recovery of damages than is available under Article 8 [77].

As noted above, the wording of section 13(2) of the DPA is quite clear. Under the Marleasing principle (Marleasing SA v La Comercial Internacional de Alimentacion SA [1990] ECJ), courts of Member States are required to interpret national laws in the light of the wording of any relevant EU directive and in a way that will, as far as possible, achieve the result which is sought by the directive. The Court of Appeal held that in this case it was not possible to interpret Section 13(2) in a way that was compatible with the Directive. Section 13(2) was therefore disapplied [105].

Having removed the hurdle that was pecuniary damage, the Data Protection Act is looking like an increasingly useful tool to be employed by lawyers seeking to protect the privacy of their clients. It should be borne in mind, however, that this judgment came early on in this litigation and there is certain to be a whole host of legal and factual issues to be resolved in this particular case.