A recent case on what, at first sight, might appear to be a somewhat technical area of the law relating to the ability to serve a defendant outside the jurisdiction of England and Wales could have important ramifications for individual internet users and businesses who send targeted advertisements to those users.

In Vidal-Hall and others v Google Inc [2014] EWHC 13 (QB) the judge made the following rulings and comments which, if followed at trial, will amount to major developments in the law of privacy and data protection:

  1. Whilst there is no law of privacy as such in the UK, there is a distinct tort of misuse of private information which is quite separate from a claim for breach of confidence. The importance of this relates to the ability to serve proceedings on a defendant, such as Google Inc, which is situated outside the jurisdiction of England and Wales. A claim for breach of confidence is not classified as a tort, which makes it harder, albeit not impossible, to bring such a claim against someone outside the jurisdiction.  Since a claim for misuse of private information is now classified as a tort, it is far easier to bring a claim for that misuse against someone situated outside the jurisdiction.
  2. The judge suggested that, contrary to previous decisions of the courts and the wording of section 13 of the Data Protection Act 1998 (DPA), it is possible for a claimant to bring a claim for damages for distress arising out of breaches of the DPA even where no other pecuniary loss has been suffered by the claimant. If this view is followed by the trial judge, it opens up the possibility of claims being made for breaches of obligations under the DPA where the only damage suffered by the claimant is distress, which would mark an important shift in data protection regulation in the UK.
  3. The judge also discussed whether the information obtained by Google amounted to personal data within the meaning of the DPA. The judge suggested that the fact that Google employees did not themselves identify any person from whom Google collects browser-generated information (ie information which is automatically submitted to websites by a browser on connecting to the internet, such as the IP address from which the device is connected to the internet and the specific URL of the webpage that the browser is displaying) was irrelevant. The point was whether any of the claimants was in fact identifiable.
  4. However, the essence of the claimants’ complaint related to the fact that the sending of targeted advertising (which had been generated by reference to browser-generated information) to their computer screens could cause damage and distress if those advertisements were to be seen by a third party who happened to view the claimant’s screen whilst he or she was surfing the internet or, indeed, by someone who was using the claimant’s computer device with their permission.  In that case the claimants argued that the sending of the targeted advertisements which might be seen by those third parties amounted to disclosure to those third parties of information relating to the interests, personalities, ambitions or immediate plans of the claimants.  And of course the claimant to whom that information related would be obvious to the third party who was looking over the claimant’s shoulder or using his or her computer device. The judge was of the view that this gave rise to an arguable claim for breach of the DPA.

It will be interesting to see if the case is appealed by Google Inc, who would no doubt be far happier if any claim by the claimants had to be brought in the USA. Assuming the case goes to full trial, if the claimants’ arguments are successful many businesses (including those operating from overseas) will have to reconsider the manner in which they use the internet to send targeted advertisements to internet users in the UK.

By Adrian Heath-Saunders