ICO submits that compensation for data protection breaches must be available as Court of Appeal hears part two of Vidal-Hall v Google
Published 11 March 2016
In 2014, Google appealed the High Court ruling that prompted a new tort of the misuse of private information and the right to pursue compensation for distress caused by breaches of the Data Protection Act 1998 ("DPA").
We reported in December 2014 on the first day of submissions heard by the Court of Appeal which focused on the first ground of appeal, namely whether the misuse of private information is a tort. The second part of the appeal, heard on 2 and 3 March 2015, centred on whether the data in question (Browser Generated Data, or "BGI") was personal information under the terms of the DPA, and if so, whether the claimants are entitled to compensation for distress under s13(2) DPA without having to first establish financial loss.
The case has been deemed so important that the ICO was granted permission to make submissions to the Court. The ICO's position was clear: compensation must be available for moral damage arising out of a breach of the DPA.
Google placed cookies on Apple Safari browsers which enabled Google to access a user's browsing history so that it could target advertisements to that user. The information is known as "Browser Generated Data" (BGI). BGI data tells Google the unique IP address of the device being used, the websites visited, when they were visited, how long for, and, if geolocation tools are used, the location of the user when visiting them. The Double Click Cookie ascribes a unique ID code to the browser, so it also tells Google when the user is online. The arguments heard by the Court focused on whether the information relates to an identified or identifiable person.
Google acknowledged that it has the tools to identify individuals through, for example, data held as a result of individuals' Gmail accounts. However it maintained that the BGI is kept entirely separate from other data, and as such it cannot identify an individual. Google argued that devices are often used by multiple individuals, so while they may be able to identify a device, it is impossible for Google to identify an individual.
Google added that this is a difficult area of public policy which is currently under review as part of the debate over the proposed European Data Protection Regulation.
The Claimants argued that it is not necessary to name an individual for the data to be "personal information". It is sufficient to merely identify the machine used such that from the BGI alone, Google is able to identify a human individual, with certain habits and tastes. The Double Click ID Cookies placed on the Safari browser by Google prescribe a unique ID code on that browser which recognises when that particular browser is used to surf the web. Given that one browser tends to be used by one individual, BGI provides sufficient identification to be personal data.
The ICO argued that users are directly identifiable from the BGI. Identification merely requires something that individuates the individual by recognising users in a unique way. BGI provides Google with a "virtual postal address" for the user, their unique browsing history and online habits. Google uses this data to send personalised advertisements to the user. In fact, Google's business plan is predicated on the idea that Google can identify a user in a virtual sense, single them out and target them directly.
The ICO's position was that Data Protection legislation is concerned with protecting privacy: it would be illogical if private internet searches were not protected.
Whilst Google argued that it is impossible for them to individuate a user as devices can be used by multiple people, the ICO argued that, in most cases, a single user uses a device. In any event, the fact that Google cannot distinguish between data collected from one user and data collected from multiple users is simply a problem with Google's business model, and does not mean that none of the data is personal data.
The ICO illustrated this point by giving the example of sending a letter from a fictitious person to a bank. The bank has to assume that this data is personal data, even though the data is not personal data (as it does not relate to a living individual). Rather than assuming none of the data is personal information, in this instance, the bank has to assume that all of the data in letters of this type is personal information.
Compensation for mental distress
The basis of the Claimants' case is that this matter is about privacy and the protection of dignity, not about protecting pecuniary rights. They argued it would be absurd if the Data Protection Directive 1995 ("'95 Directive") (from which the DPA 1998 derives) only allows wronged individuals to obtain compensation where a pecuniary loss has occurred. They also argued that it would be anomalous if a claimant cannot obtain compensation for breach of privacy rights by a private entity, which the '95 Directive is designed to protect, whereas compensation could be granted if the claim was framed under Article 8 of the ECHR/HRA if it was against a public authority. The current situation is arbitrary and conflicts with fundamental rights.
Conversely, Google argued that the wording of s.13(2) DPA clearly restricts the Claimants' right to compensation for distress as a result of breach of the DPA. It argued that there is no general right to compensation in English law for distress, and that Parliament intended to restrict the categories of claimants that can bring compensation claims through the choice of wording in s.13(2).
Google argued that it is not appropriate for the Court to interpret the legislation in such a way as to extend damages to categories of individuals that Parliament has expressly chosen not to provide for. Such an interpretation would essentially "re-write" the law, therefore the Court's only option would be to make a declaration of incompatibility and leave the issue for consideration by the legislature as part of the European Data Protection reforms.
The ICO's primary submission was that compensation must be available for moral damage. In support of its submission the ICO argued that:
- "Damage" is not a term used in EU law to refer to purely pecuniary loss. It is a flexible term, depending on the context and aims of the legislation;
- The fundamental aim of the legislation is to protect privacy rights;
- Privacy rights are concerned with the protection of dignity, not financial status;
- A breach of DP legislation is an affront to personality, rather than an affront to the purse. It stands to reason that there should be a remedy for that affront;
- "Damage" should be read widely to include non-pecuniary damage. Otherwise, the remedies in the legislation are drastically limited;
- It is not disproportionate or irrational to require Member States to provide access to compensation for breaches of DP law. It is however irrational to have a difference between the damages that are available where there is financial loss, and where there is not;
- The difference between the available damages results in a disconnect between the fundamental rights in Article 8 of the ECHR (which allows for non-pecuniary damage to be sought against public authorities under the HRA) and those in the DPA;
- Google argued that the UK's implementation of the '95 Directive can be justified by reference to the implementation of the law by other Member States. However, the ICO argued that this is not the correct way to interpret EU law. Establishing whether Member States have correctly implemented EU law requires the domestic law to be considered in isolation;
- Domestic legislation cannot be relied upon to achieve a proper and intended result of the law. The ICO submitted that if there is no right to compensation for distress where, for example, a health insurance company accidentally publishes an individual's HIV diagnosis, the legislation is hollow, which cannot be the intended result.
The ICO invited the Court to take the approach endorsed by the Court of Appeal in the recent case of Benkharbouche v Embassy of Sudan, which would allow the Court to use the EU Charter of Fundamental Rights to achieve an appropriate remedy for breach of Article 8 of that Charter. The ICO noted that a series of recent cases have found the Courts straining to find some form of nominal damage in order to provide compensation for distress (e.g. AB v MoJ, CR19 v Police Service of Northern Ireland, Johnson v MDU). This strain can be avoided by simply extending the concept of damage to include moral damage.
This case, which has yet to progress beyond the primary issue stage, has already raised many vitally important issues: the scope of what should be treated as personal data by internet giants (or any organisation holding "big data"), whether financial damages should be awarded for mere distress, and whether the European Charter can trump Parliament's enactment of the '95 European Directive.
We will continue to monitor and report on the outcome of this ground-breaking appeal.