News and Events

Court of Appeal upholds High Court decision on Google's Safari workaround

View profile for Torion Bowles
  • Posted
  • Author

Three individuals set out to bring a claim in England against US based company, Google Inc., for misuse of their private information. Torion Bowles, Litigation Solicitor, reviews the case (Google Inc. v. Judith Vidal-Hall and others [2015] EWCA Civ 311), which has not reached trial yet, but has resulted in a number of ground-breaking changes to the law already being decided upon.

The Claimants, who reside in England, all used Apple computers between the summer of 2011 and February 2012. Each Claimant accessed the internet through their Apple Safari browser, creating browser-generated information (BGI). Safari as an internet browser is automatically set up to block third-party cookies and the Claimants therefore assumed these would be blocked. Google, however, managed to “work around” this, allowing third parties to access the BGI, using its DoubleClick ID cookies.

At first instance, the Claimants sought and obtained permission to serve their claim out of the jurisdiction. Google unsuccessfully applied to have that permission set aside, and therefore appealed to the Court of Appeal. There were four main issues raised on appeal:

  • Whether misuse of private information is a tort for the purposes of 3.1(9) of Practice Direction 6B of the Civil Procedure Rules (CPR PD 6B para 3.1(9));
  • The meaning of “damage” under s.13 of the Data Protection Act 1998 (DPA);
  • Whether there was a serious issue to be tried in that the BGI was personal data under the DPA; and
  • Whether there was a real and substantive cause of action in relation to the claims for misuse of private information and under the DPA.

Misuse of Private Information as a Tort

There are various “gateways” which allow a claim to be served outside of the jurisdiction. Under CPR PD 6B para 3.1(9), it is specified that a Claimant may serve a claim form outside of the jurisdiction with the permission of the court where: “A claim is made in tort where – (a) damage was sustained within the jurisdiction; or (b) the damage sustained resulted from an act committed within the jurisdiction.”

Despite the fact that  a claim in misuse of private information originates from the equitable claim for breach of confidence, the Court held that it was in fact a tort for the purposes of 3.1(9) PD 6B. This could potentially open the floodgates for claims of a similar nature to this, depending of course on the result of any appeal of this decision.

Meaning of “Damage” under s.13 of the DPA 

It was argued by Google that, under s.13 (1) and (2) of the DPA, there must be a claim for pecuniary loss before a claim for non-pecuniary loss can be brought. The Claimants here were solely claiming damages for distress. The Court of Appeal looked at a number of recent cases, many of which have awarded damages of £1 simply in order to get over the s.13 (1) DPA “hurdle”.

The Court of Appeal also looked to the Data Protection Directive (95/46/EC) (the Directive) for guidance. As the Directive had not specified that there must be pecuniary loss (and many other sources also suggested the same), “damage” should be given its autonomous meaning and would therefore include non-pecuniary loss.

In any event, s.13 (2) should be dis-applied (as permitted under Article 47 of the Charter of the Fundamental Rights of the European Union (the Charter)) on the grounds that it conflicts with Articles 7 and 8 of the Charter. Article 7 of the Charter provides that “everyone has a right to respect of his or her private and family life, home and communications” and Article 8(1) states “everyone has the right to the protection of personal data concerning him or her”. The consequences of this are that compensation can now be recovered under s.13 (1) of the DPA for any damage suffered by an individual as a result of a breach of the DPA.

BGI as personal data under the DPA 

In order to establish a breach of the DPA, the information must have been “personal”. The BGI had enabled Google to single out users, as they had obtained the following information:

  • The unique ISP address of the device the user is using;
  • What websites the user is visiting, when they are using them and, if the geo location is possible, where the user is when they are accessing the website;
  • The browser’s complete browsing history; and
  • When the user is online and undertaking browser activities.

The Court held that there is a strong case to argue that it is possible to identify an individual, and the BGI is therefore “personal data” as defined under the DPA. This will have to be concluded finally during the trial process itself.

Substantive Cause of Action 

Google tried to argue that permission to serve the claim outside of the jurisdiction was an abuse of process following Jameel v. Dow Jones and Co [2005] QB 946. They contended that the Article 8 threshold of seriousness had not been met, and additionally the damages recoverable were likely to be so modest compared to the costs of litigation that it would be disproportionate to allow service out of the jurisdiction. The Court disagreed, stating that the Jameel decision had been aimed at litigation which was obviously wasteful or pointless, and this was not the case here. There was therefore a substantive cause of action and the trial is allowed.

If you are looking for advice on any of the issues raised in this article, you can contact Torion or the Litigation team on 02380 717717 or visit their section of the website here.


This is for information purposes only and is no substitute for, and should not be interpreted as, legal advice.  All content was correct at the time of publishing and we cannot be held responsible for any changes that may invalidate this article.