It is understood that Google and the claimants in the Google -v- Vidal-Hall case have now reached a settlement agreement and consequently the case will no longer be heard by the UK’s Supreme Court. The case is an important one – it has been called the UK’s first successful data protection class action.
What is the case about?
This case was brought against Google in 2013 by three individuals who used the Apple Safari internet browser. They discovered that between 2011 and February 2012 Google had circumvented the browser’s default security settings and collected private information about their internet usage without their knowledge or consent. A novel feature of the case was that none of the claimants had suffered any financial loss or other material damage and instead their claim was for compensation for distress.
The Court of Appeal ruling
The Court of Appeal March 2015 ruling in the matter is significant as it ruled that:
- Misuse of private information constitutes a tort, enabling proceedings to be issued against a party outside the jurisdiction of the UK courts;
- Financial compensation for distress caused by breaches of the UK’s Data Protection Act 1998 (“DPA 1998”) may be claimed, despite there being no monetary loss, the UK legal provision which had up to then prevented this having been disapplied by the Court of Appeal; and,
- It was arguable that browser-generated information can be used to identify an individual (i.e even without the ability to identify an individual by name) and therefore constitutes personal data under the DPA 1998, thereby also enabling proceedings to be issued against a party outside the jurisdiction of the UK courts.
Supreme Court appeal permission
In July 2015 Google was granted permission to appeal by the Supreme Court on the Court of Appeal’s ruling concerning the incompatibility of and conflicts with the DPA 1998 and EU law – permission to appeal the finding that misuse of private information constituted a tort was refused.
The Court of Appeal ruling therefore still stands and is particularly important in that the legal footing upon which to obtain compensation in court claims for data protection infringements has moved forward significantly – data subjects may now bring claims for compensation against a data controller for distress caused where their data is compromised as a result of a data breach (with no need to claim pecuniary loss). This may pave the way in general for class actions in this field.
The issue of compensation is also important under the EU General Data Protection Regulation (“GDPR”). Under the GDPR, as a general principle, any person who has suffered “material or non-material damage” due to an infringement of the GDPR has a right to compensation from the data controller or processor concerned for the damage suffered (to which there are certain defences, as set out in the GDPR). Our FAQs and video on the GDPR can be found here.
The prospect of more compensation claims for distress is therefore now more likely – good compliance to prevent breaches of the DPA can help minimise the potential for claims.
Finally, a new twist may now have arisen following the outcome of the Brexit referendum in cases like Vidal-Hall where UK law is found to be incompatible and in conflict with EU law, the issue being whether the UK’s withdrawal from the EU (if and when this officially comes about) will itself provide fertile grounds for appeal.
For more information please contact André Bywater or Jonathan Armstrong who are lawyers with Cordery in London where their focus is on compliance issues.
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1785
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1784