IP and IT Law Bytes: Data Protection: Misuse of Private Information




The High Court has ruled that three individuals resident in England may bring claims in England against a company operating a search engine for misuse of their private information and breach of the Data Protection Act 1998 (DPA) arising from its exploitation of certain web browser privacy settings.


Everyone has the right to respect for his private and family life (Article 8, European Convention on Human Rights) (the Convention) (Article 8).

Campbell v Mirror Group Newspapers Ltd established the tort of misuse of private information (see News brief “Breach of confidence: Naomi Campbell appeal”, www.practicallaw.com/3-102-8134). Information can be protected if it is obviously private or, where that is in doubt, if disclosure would give substantial offence to a person of ordinary sensibilities placed in similar circumstances to that individual.

Privacy claims can also be based on breach of a duty of confidence or a duty to respect privacy if there is a contractual or propriety right, or a relationship of confidence.

The DPA imposes broad obligations on data controllers and gives broad rights to individuals about whom data is collected. Individuals are entitled to compensation from data controllers for damage or, in some cases, distress caused by a breach of the DPA (section 13, DPA).

Service out of the jurisdiction is allowed when a claim is made in tort and damage was sustained within the jurisdiction or resulted from an act committed in the jurisdiction (Civil Procedure Rule 3.1(9)) (CPR 3.1(9)).


V intended to bring proceedings against G in the UK for circumventing security settings on V’s mobile and desktop devices to install cookies and track V’s online behaviour, without their knowledge or consent.

V claimed that they had not only suffered damage from G accessing their information, but also because the information collected from their devices was used to generate advertisements which were displayed on their screens. V claimed that G had misused their private information and acted in breach of confidence and of its statutory duties under the DPA.

The Master granted V permission to serve the claim form out of the jurisdiction on G in California. G applied to the court for an order declaring that the English court has no jurisdiction and to set aside service of the claim form.


The court upheld the Master’s decision. The court found that V had a good arguable case, based on misuse of private information and breaches of the DPA, that fell within the ground relied on (damage sustained in or resulting from an act committed in the jurisdiction). It also ruled that the misuse of private information is a tort under CPR 3.1(9).

The court did not accept G’s argument that the information was anonymous and that the aggregation of those pieces did not make the information private, so no serious issue of law or fact arose.. Although G did not identify the individuals from whom it collected information, some individuals might be identifiable. The court also acknowledged V’s complaint of being identified by others viewing their screens as persons having the characteristics that can be inferred from the targeted advertisement.

The court held that V’s assertion that the data that G collected was personal data under the DPA was sufficiently arguable. The definition of personal data under the Data Protection Directive (95/46/EC) could arguably include any information about an identifiable natural person.

The court dismissed G's assertion  that damages for distress under section 13 of the DPA could only be recovered if pecuniary loss had also been suffered.

The court found that there was a serious issue to be tried in respect of each claim allowed. As there was a good arguable case that V's Article 8 rights were engaged, they had a right to an effective remedy and this was not overridden by G's rights under Article 10 of the Convention to disseminate information to others.

The court also held that England was the most appropriate forum, as V was resident in England, and bringing proceedings related to a developing area of English law in the US was likely to be very burdensome.


This decision only concerns an application to serve a claim form out of the jurisdiction and may be appealed. However, it has attracted attention because it suggests that behavioural data collected by third-party cookies may be considered personal data, even if it is not connected to other information that directly identifies the individual in question. In addition, if the need for financial loss to exist before damage for distress can be claimed is dispensed with, then this could open the doors for a much wider variety of claims under the DPA. Online services and advertising networks should follow future developments on this case closely.

Case: Vidal-Hall and others v Google Inc [2014] EWHC 13 (QB).

First published in the March 2014 issue of PLC Magazine and reproduced with the kind permission of the publishers.  Subscription enquiries 020 7202 1200.