Brand Matters

Brand Matters

Brand Matters

Adam Rose
23 June 2015

Are cookies personal data? Is 'misuse of personal data' a tort? And does a claimant under the Data Protection Act 1998 (DPA) need to show damage, or just distress, to claim damages under section 13?

That's the way the cookies crumble

Are cookies personal data? Is 'misuse of personal data' a tort? And does a claimant under the Data Protection Act 1998 (DPA) need to show damage, or just distress, to claim damages under section 13? These three questions were recently addressed by the UK's Court of Appeal in the long-awaited case of Google v Vidal-Hall.

So what did the court decide?

First, it stated that "we cannot find any satisfactory or principled answer to the question why misuse of private information should not be categorised as a tort for the purposes of service out of the jurisdiction".  Or, to rephrase, positively, misuse of personal data can be a tort, and if so, there was a real and substantial cause of action, and service in the UK could proceed.

Second, and of key importance as an alternative to defamation actions, section 13(2) of the DPA has been found to be contrary to Article 23 of the EU's Data Protection Directive, which the Court said was designed to protect privacy, and not economic rights as such.  As a result, "there is no linguistic reason to interpret the word 'damage' in article 23 as being restricted to pecuniary damage" and so distress alone is sufficient cause for a claim under the Act.  In fact, the court went further, finding that section 13(2) (which requires damage to be proved, and does not allow a case to proceed on distress alone) was incompatible with Article 23, and so "what is required in order to make section 13(2) compatible with EU law is the disapplication of section 13(2), no more and no less."  RIP, section 13(2)!

Finally, the court held that cookie and browser generated data is almost certainly personal data. This is entirely uncontroversial, and yet the subject of enormous debate. The court decided that it is clearly arguable that browser generated data is personal data under section 1(1)(a) of the DPA (a view supported by the Article 29 Working Party and the European Court of Justice's decision in Lindqvist).  Google argued otherwise, despite serving its browsers adverts directed at whatever they most recently looked at through its collection of browser generated information. It argued this did not amount to processing personal data and unsurprisingly failed.

The case may well be appealed; Google has a lot to lose, basing much of its advertising revenue on the clever use of cookies, and it risks the additional loss of the ability to rely on its 'we're based elsewhere' argument (and avoid any of the Practice Direction 6B gateways) to avoid service of proceedings in the UK.

So, does this case give those 'distressed' a good ground for bringing an alternative or additional claim to a defamation claim? Section 32 of the DPA (the defence of processing for the special purposes of journalism) has never excluded a section 13 claim, as such, and so it is arguably more open to claimants – whether or not they can show a pecuniary loss – to bring a damages claim under section 13. 

Whether (having overcome the hurdle of section 32 where the media is involved) a claimant would be awarded more than nominal damages where no financial loss is suffered will surely be tested, but 'distress' under section 13 feels somewhat less of a hurdle to jump than the new Defamation Act 2013's 'serious harm'.  Certainly, in a non-journalistic environment, where a claimant is distressed by the processing of data, the DPA seems to offer a real addition to a claimant's armoury.

Please contact Adam Rose for more information.