UK High Court allows proceedings against Google for privacy breaches

Vidal-Hall & Ors v Google Inc [2014] EWHC 13 (QB) (16 January 2014)

Summary

The High Court of Justice has allowed a group of claimants to issue legal proceedings in the UK against US-based Google Inc in regards to the tracking and collation of information about their internet usage. Justice Tugendhat held that the UK courts had jurisdiction to hear the claims and that there is a tort of “misuse of private information”.

Facts

Google collects information from users of its services and analyses it to determine what their interests are likely to be. This information is then used to create targeted advertisements. However, unlike many other internet browsers, all versions of Safari made available by Apple since the summer of 2011 had default privacy settings that blocked Third Party Cookies. The main reason for these settings was to prevent advertising-related tracking. As the default block on Third Party Cookies would prevent some popular web functions, Apple implemented certain exceptions to the default block. Google’s DoubleClick ID Cookie exploited these exceptions to obtain Safari users’ personal information.

The claimants alleged that Google misused their private information, and acted in breach of confidence, and/or in breach of the statutory duties under the Data Protection Act 1998 by tracking and collating information relating to the claimants’ internet usage on the Apple Safari internet browser between summer 2011 and February 2012, without the claimants’ knowledge or consent. The claimants were all resident in England and Wales (“the jurisdiction”) during that period.

The claimants alleged that they suffered acute distress and anxiety when they learnt that their internet usage information was being used to create targeted advertisements and that third parties who had used their devices or viewed their screens may have (or had) become aware of the claimants’ personal characteristics, interests, wishes or ambitions due to such advertisements.

As Google Inc is a corporation registered in Delaware and its principal place of business is in California, Google could not be served within the jurisdiction in accordance with the Civil Procedure Rules. The claimants were granted permission by the Master to serve Google out of jurisdiction, in California. Google applied to the High Court for an order setting aside the permission and declaring that the Court had no jurisdiction to try these claims.

Decision

To obtain permission to serve out of jurisdiction, the Civil Procedure Rules require a claimant to state which ground in para 3.1 of Practice Direction 6B is relied on. The claimants relied on the grounds in paragraphs 3.1(2) (where a claim is made for an injunction) and (9) (where a claim is made in tort). The claimants needed to show that they had an arguable case that the claim comes within the ground relied on, that there is a serious issue to be tried on the merits of the claim, and that England and Wales is the appropriate forum for the trial of the dispute.

Ground 3.1(2) (claim for an injunction)

Justice Tugendhat held that the claim for an injunction failed on the basis that there was no appreciable risk that Google would in the future interfere with the claimants’ rights. Google provided evidence that it had ceased the conduct complained of and had destroyed the information of the claimants.

Ground 3.1(9) (claim in tort)

Under the paragraph 3.1(9) ground, “A claim is made in tort where (a) damage was sustained within the jurisdiction; or (b) the damage sustained resulted from an act committed within jurisdiction.”

Justice Tugendhat held that, following the decision in Kitetechnology, it is established that “a claim for breach of confidence is not a claim in tort”. However, the position is not the same in regards to misuse of private information.

A tort of misuse of private information

Justice Tugendhat noted that while Wainwright v Home Office [2003] 3 WLR 1137 made it clear that there is no general tort of invasion of privacy in England, “it would not be correct to say that the specific tort of misuse of private information is unknown in English law”. His Honour relied upon the judgments of Lord Nicholls in Campbell v MNG Ltd [2004] 2 AC 457 and in OBG Ltd v Allan and Douglas v Hello [2008] 1 AC 1. In Campbell, Lord Nicholls noted that:

The common law or, more precisely, courts of equity have long afforded protection to the wrongful use of private information by means of the cause of action which became known as breach of confidence. … This cause of action has now firmly shaken off the limiting constraint of the need for an initial confidential relationship. … Now the law imposes a ‘duty of confidence’ whenever a person receives information he knows or ought to know is fairly and reasonably to be regarded as confidential. … The essence of the tort is better encapsulated now as misuse of private information.

In OBG, Lord Nicholls further clarified the existence of a separate cause of action for misuse of private information. Justice Tugendhat observed that “there have since been a number of cases in which misuse of private information has been referred to as a tort consistently with OBG and these cannot be dismissed as all errors in the use of the words ‘tort’”. He held that the tort of misuse of private information is a tort within the meaning of ground 3.1(9).

“Damage” includes distress and anxiety

His honour accepted the claimants’ submissions that “damage” within ground 3.1(9)(a) should be given its “natural and ordinary meaning” and that it is not confined to physical or economic harm; the distress and anxiety alleged by the claimants was sufficient. Justice Tugendhat held that the claimants’ claim for misuse of private information fell within ground (9)(a) and also 9(b).

However, while Justice Tugendhat also found that the claimants should be permitted to rely on ground (9) in relation to the Data Protection Act 1998 claims, he determined that the meaning of “damage” under section 13 of the DPA was a controversial question of law in a developing area and should be determined at trial, not on this application to set aside. His Honour’s preliminary view was that damage in section 13 does include non-pecuniary damage. Justice Tugendhat noted that the European Court of Human Rights case Copland v UK [2007] ECHR 253 supported the complainants’ submission that the alleged damage (stress and anxiety) can amount to damage sufficiently serious to engage the claimants’ article 8 rights (respect for private life and correspondence). His Honour suggested that if damages for distress are not recoverable under the DPA without financial loss, then there would be a difference between claims against public authorities (where a claim under the Human Rights Act 1998 (UK) is available) and claims against others, such as Google.

The claimants’ permission to serve out of jurisdiction was upheld. Justice Tugendhat was satisfied that there is a serious issue to be tried in each of the claimants’ claims for misuse of private information and in relation to the DPA claim. He also found that the claimants clearly established that the jurisdiction was appropriate to try each of the claims.  

Commentary

This decision signifies an important step for privacy protection in the UK. The existence of a distinct tort of misuse of private information would expand opportunities for claimants to sue overseas-based companies for invasions of privacy. It may also be easier for claimants to get damages using a privacy tort claim rather than breach of confidence, although the UK courts have recently begun awarding damages for distress in breach of confidence cases (such as in Campbell).

The Vidal-Hall decision is unlikely to have much impact in Australia as the UK jurisprudence is driven by the Human Rights Act and the obligations under the European Convention on Human Rights. Also, the development of the common law protection of privacy appears to have stalled in Australia. In 2001, the High Court held in Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd that Victoria Park Racing and Recreation Grounds Co Ltd v Taylor does not stand in the way of the development of a tort of invasion of privacy. Two lower court decisions (Grosse v Purvis [2003] QDC 151 in Queensland and Doe v Australian Broadcasting Corporation [2007] VCC 281 in Victoria) have recognised such a tort, but the development of the tort has not been confirmed by an appellate court.

In June 2013, the Commonwealth Attorney-General asked the Australian Law Reform Commission to conduct an inquiry into ways in which the law might prevent and redress serious invasions of privacy in the digital era. The ALRC was asked to provide recommendations for the legal design of a statutory cause of action for serious invasions of privacy as well as recommendations for other legal responses to privacy breaches. The ALRC will provide its final report by June 2014. This may lead to the legislature filling those gaps in privacy protection that the Australian common law fails to cover.

This decision is available online at: http://www.bailii.org/ew/cases/EWHC/QB/2014/13.html

Miranda Webster is a volunteer at the Human Rights Law Centre.