• At Kemp Little, we are known for our ability to serve the very particular needs of a large but diverse technology client base. Our hands-on industry know-how makes us a good fit with many of the world's biggest technology and digital media businesses, yet means we are equally relevant to companies with a technology bias, in sectors such as professional services, financial services, retail, travel and healthcare.
  • Kemp Little specialises in the technology and digital media sectors and provides a range of legal services that are crucial to fast-moving, innovative businesses.Our blend of sector awareness, technical excellence and responsiveness, means we are regularly ranked as a leading firm by directories such as Legal 500, Chambers and PLC Which Lawyer. Our practice areas cover a wide range of legal issues and advice.
  • Our Commercial Technology team has established itself as one of the strongest in the UK. We are ranked in Legal 500, Chambers & Partners and PLC Which Lawyer, with four of our partners recommended.
  • Our team provides practical and commercial advice founded on years of experience and technical know-how to technology and digital media companies that need to be alert to the rules and regulations of competition law.
  • Our Corporate Practice has a reputation for delivering sound legal advice, backed up with extensive industry experience and credentials, to get the best results from technology and digital media transactions.
  • In the fast-changing world of employment law our clients need practical, commercial and cost-effective advice. They get this from our team of employment law professionals.
  • Our team of leading IP advisors deliver cost-effective, strategic and commercial advice to ensure that your IP assets are protected and leveraged to add real value to your business.
  • Our litigation practice advises on all aspects of dispute resolution, with a particular focus on ownership, exploitation and infringement of intellectual property rights and commercial disputes in the technology sector.
  • We have an industry-leading reputation for our outsourcing expertise. Our professionals deliver credible legal advice to providers and acquirers of IT and business process outsourcing (BPO) services.
  • We work alongside companies, many with disruptive technologies, that seek funding, as well as with the venture capital firms, institutional investors and corporate ventures that want to invest in exciting business opportunities.
  • Our regulatory specialists work alongside Kemp Little’s corporate and commercial professionals to help meet their compliance obligations.
  • With a service that is commercial and responsive to our clients’ needs, you will find our tax advice easy to understand, cost-effective and geared towards maximising your tax benefits.
  • At Kemp Little, we advise clients in diverse sectors where technology is fundamental to the ongoing success of their businesses.They include companies that provide technology as a service and businesses where the use of technology is key to their business model, enabling them to bring their product or service to market.
  • We bring our commercial understanding of digital business models, our legal expertise and our reputation for delivering high quality, cost-effective services to this dynamic sector.
  • Acting for market leaders and market changers within the media industry, we combine in-depth knowledge of the structural technology that underpins content delivery and the impact of digitisation on the rights of producers and consumers.
  • We understand the risks facing this sector and work with our clients to conquer those challenges. Testimony to our success is the continued growth in our team of professionals and the clients we serve.
  • We advise at the forefront of the technological intersection between life sciences and healthcare. We advise leading technology and data analytics providers, healthcare institutions as well as manufacturers of medical devices, pharmaceuticals and biotechnological products.
  • For clients operating in the online sector, our teams are structured to meet their commercial, financing, M&A, competition and regulatory, employment and intellectual property legal needs.
  • Our focus on technology makes us especially well positioned to give advice on the legal aspects of digital marketing. We advise on high-profile, multi-channel, cross-border cases and on highly complex campaigns.
  • The mobile and telecoms sector is fast changing and hugely dependent on technology advances. We help mobile and wireless and fixed telecoms clients to tackle the legal challenges that this evolving sector presents.
  • Whether ERP, Linux or Windows; software or infrastructure as a service in the cloud, in a virtualised environment, or as a mobile or service-oriented architecture, we have the experience to resolve legal issues across the spectrum of commercial computer platforms.
  • Our clients trust us to apply our solutions and know-how to help them make the best use of technology in structuring deals, mitigating key risks to their businesses and in achieving their commercial objectives.
  • We have extensive experience of advising customers and suppliers in the retail sector on technology development, licensing and supply projects, and in advising on all aspects of procurement and online operations.
  • Our legal professionals work alongside social media providers and users in relation to the commercial, privacy, data, advertising, intellectual property, employment and corporate issues that arise in this dynamic sector.
  • Our years of working alongside diverse software clients have given us an in-depth understanding of the dynamics of the software marketplace, market practice and alternative negotiating strategies.
  • Working with direct providers of travel services, including aggregators, facilitators and suppliers of transport and technology, our team has developed a unique specialist knowledge of the sector
  • Your life as an entrepreneur is full of daily challenges as you seek to grow your business. One of the key strengths of our firm is that we understand these challenges.
  • Kemp Little is trusted by some of the world’s leading luxury brands and some of the most innovative e-commerce retailers changing the face of the industry.
  • HR Bytes is an exclusive, comprehensive, online service that will provide you with a wide range of practical, insightful and current employment law information. HR Bytes members get priority booking for events, key insight and a range of employment materials for free.
  • FlightDeck is our portal designed especially with start-up and emerging technology businesses in mind to help you get your business up and running in the right way. We provide a free pack of all the things no-one tells you and things they don’t give away to get you started.

Vidal-Hall v Google

Summary

On 27 March 2015, the Court of Appeal upheld the High Court’s decision in Vidal-Hall v Google which classified misuse of private information as a tort and held that claimants may recover damages under s. 13 of the Data Protection Act 1998 (DPA) for non-pecuniary loss.

It is highly probable that there will be a rise in the number of privacy claims in the wake of this landmark decision as claimants no longer need to show that they have suffered financial loss under s.13 DPA. Previously it had been thought that cases where there was no financial loss were barred from making privacy claims under the DPA. However this decision by the Court of Appeal accords with the recommendation contained in the Leveson report which stated that the right to compensation for distress under s.13 of the DPA should not be restricted to cases of financial loss, but should cover compensation for distress.

Background and facts

The claims related to Google’s use of browser-generated information (BGI) collected from the claimants over a period of around 6 months from 2011 to 2012. During this period the claimants all owned Apple computers and accessed the internet via Apple’s Safari browser.

Google’s DoubleClick advertising platform uses cookies (small strings of text saved on users’ devices) to recognise specific browsers sending BGI. The BGI can then be aggregated and used to deliver targeted advertising to the user.

Apple Safari automatically blocks third-party tracking cookies by default meaning that Google has not obtained the consent of data subjects using Apple Safari before collecting the BGI. The claimants’ claims were based on the allegation that Google had used a workaround to collect Safari BGI, despite Google’s representation that Safari prevented users’ internet usage from being tracked by DoubleClick.[i]

The claimants brought actions for misuse of private information and breach of confidence, and sought to recover damages for anxiety and distress caused by breach of the DPA.

(As a point of note, there has not yet been a full trial of the issues in Vidal-Hall – the High Court and Court of Appeal proceedings considered below arose due to Google being a Delaware company with its principal place of business in California, meaning that the claimants had to obtain the court’s permission to serve out of the jurisdiction.)

The High Court

In the High Court, Justice Tugendhat found that:

  1. the claims for breach of confidence were not claims in tort but that there was a tort of misuse of private information;
  2. there was also a cause of action under the DPA and there were serious issues to be tried in relation to the claimants’ claims that:
    1. the BGI constituted personal data for the purpose of the DPA claim; and
    2. claims for compensation under section 13 DPA do not require proof of financial loss; and
  3. one or both of these causes of action had a reasonable chance of success.

Google appealed against the decision of the High Court. The Court of Appeal identified the issues that were to be considered as:

  1. whether misuse of private information is a tort;
  2. whether damages are recoverable under s.13 DPA when there has not been pecuniary loss; and
  3. whether there was a serious issue to be tried that BGI was personal data.

In brief, the Court answered all four questions in the affirmative and thus upheld the decision of the High Court.

Issue 1 – whether misuse of private information is a tort

The Court summarised the case law to date and noted that the classification of misuse of private information was something that the courts have struggled with. (The significance here was that breach of confidence is an equitable action, so if the claimant’s case fell within this category rather than under the umbrella of tort, the authority in Kitechnology[ii] would prevent the claimants from being able to serve out of the jurisdiction and the non-DPA elements of the claims would fall down.)

After considering the precedents the Court held that there nothing to prevent misuse of private information from being a tort. The Court also drew a distinction between actions for breach of confidence and misuse of private information, as the former protects secret or confidential information and the latter protects privacy.

The Court was keen to point out, though, that this “more natural description” was not revolutionary:

“This does not create any new cause of action. In our view, it simply gives the correct legal label to one that already exists. We are conscious of the fact that there may be broader implications from our conclusions, for example as to remedies, limitation and vicarious liability, but these were not the subject of submissions, and such points will need to be considered as and when they arise.”

Issue 2 – the meaning of damage under the DPA

S.13(1) of the DPA provides that individuals are entitled to be compensated for the “damage” they suffer due to another party’s breach of the DPA. By contrast, s. 13(2) provides that individuals are entitled to compensation for “distress” occasioned by breach of the DPA, but only if they also suffer “damage”, or if the breach relates to data processing for “special purposes”.

The 2007 case of Johnson v MDU[iii] cast doubt on the argument that distress alone was sufficient for a claimant to recover compensation, but the Court held that the relevant comments in Johnson were obiter so it was not bound by this decision. Instead, the Court decided that it should take a broad interpretation of the word “damage” in order to give Directive 95/46/EC (the “Directive”) (which the DPA was intended to implement) its full intended effect, meaning there was no need for the claimant to demonstrate financial loss.

This then raised the issue that the Court’s position on the meaning of “damage” was incompatible with section 13(2) DPA. Under the Marleasing[iv] principle, domestic law should be read to give effect to its underlying EU law roots so far as possible. In this instance the Court felt that it could not read section 13(2) in line with the meaning it ascribed to the Directive, so the Court decided to disapply section 13(2) in line with Benkharbouche[v].

Issues 3 – BGI as personal data

First of all, to be clear, the Court was not in a position to rule on whether BGI is or is not personal data – it only had to decide whether there was a serious case to be tried that BGI might be personal data. Two main arguments were put forward here: whether stand-alone BGI could be personal data, and whether BGI could be personal data when combined with Gmail account data held by Google (despite Google’s protestations that DoubleClick did not do this).

BGI is interesting. Depending on how much and for what purposes one uses the internet, one might generate enough BGI to create an embarrassingly accurate personal profile, but that profile is associated with the browser used, not with the individual, so it will be interesting to see which way this goes at trial. (That said, the increasing use of mobile devices arguably means that BGI is more likely to relate to an individual than ever before.)

The Court considered the text of the Directive, Opinion 4/2007 of the Article 29 Working Party and the ECJ’s decision in the criminal case Linqvist[vi], and held that it was clearly arguable that BGI was personal data under both limbs because:

“…identification for the purposes of data protection is about data that ‘individuates’ the individual, in the sense that they are singled out and distinguished from all others. It is immaterial that the BGI does not name the user. The BGI singles them out and therefore directly identifies them..”

The Court therefore agreed with Justice Tugendhat on this point, and also with the ICO, which had intervened on behalf of the claimants suggesting that BGI could be classed as personal data under the DPA.

And what now?

First and foremost, the disapplication of section 13(2) DPA has opened the floodgates for a potential tidal wave of data protection litigation. Given that there is no need for claimants to show financial loss the new litigation is likely to be for relatively small sums, but data controllers would be advised to pay attention to their compliance and not to wait for the GDPR before getting their data houses in order, as the costs of defending an action are not necessarily proportionate to the amounts claimd.

The classification of misuse of private data as a tort may not have wide-ranging implications immediately, but as the Court noted, there will be issues of remedies, limitation and vicarious liability which will need to be addressed as and when they arise, and we should certainly expect to hear more about it.

Finally, although the question of whether BGI is personal data remains to be decided, the Court’s comments about individuation are a strong indication that data controllers might be prudent to treat BGI as personal data if they do not do so already.

Google has indicated that it will seek permission to appeal to the Supreme Court, though, so to a certain extent it’s a question of watching this space.

Find the full text of the judgment here.

For more information please contact Nicola Fulford.


[i] There is another question here about how much weight should be ascribed to a setting which is a default rather than specifically chosen by a user – but that’s a debate for another day.

[ii] Kitechnology BV v Unicor GmbH Plastmachinen [1995] FSR 765.

[iii] Johnson v Medical Defence Union [2007] 96 BMLR 99.

[iv] Marleasing SA v La Comercial Internacional de Alimentacion SA C-106/89 [1990] ECR I-4135 CJEU.

[v] Benkharbouche and Janah v Embassy of Sudan and others [2015] EWCA Civ 33.

[vi] Criminal proceedings against Lindqvist C-101/0 [2004] QB 1014.