Skip to content

Misuse of Private Information is a Tort Distinct from Breach of Confidence

12 March 2014

In the case of Judith Vidal-Hall & ors v Google Inc [2014] EWHC 13, 16 January 2014, Google challenged the jurisdiction of the English court to hear claims made concerning Google's use of cookies to track users' online activities on the Safari browser.

Tugendhat J's judgment contains a novel analysis of, inter alia, the nature of a "misuse of private information" claim, for the first time considering, and answering in the affirmative, the question whether such a claim is a tort in its own right.

Distinguishing such a claim from a "breach of confidence" has implications both in terms of gateways for service out of the jurisdiction and damages issues. The case also considered issues such as the extent to which additional grounds for service out of the jurisdiction can be added after the initial application before a Master and the type of damage covered by the Data Protection Act 1998.

The claimants are three individuals who claim to have suffered distress following their discovery that Google was, between Summer 2011 and February 2012, using third party cookies in circumvention of Safari's default browser settings. The cookies were applied to track users' online activities and profile individual users into categories (such as "football lovers" or "current affairs enthusiasts").

These categories were then marketed to advertisers subscribed to Google's AdSense service as groups to whom advertisements could be specifically targeted. The claimants each claim to have suffered acute distress and anxiety on realising that the specifically targeted advertisements revealed, potentially to third parties using or viewing their Apple devices, personal characteristics about them, which they each allege to be private and confidential.

The claims against Google were for (i) breach of confidence; (ii) misuse of private information; and (iii) breach of statutory duty under the Data Protection Act 1998 (DPA). This decision of Tugendhat J concerns Google's challenge to the jurisdiction of the English court. In dismissing Google's application in respect of (ii) and (iii), Tugendhat J's decision covers some interesting points of law.

"Misuse of private information" and "breach of confidence"
In deciding whether the claimants had a good arguable case that their breach of confidence and misuse of private information claims fall within the grounds for service out under paragraph 3.1(9) of CPR Practice Direction 6B (concerning claims in tort) Tugendhat J concluded that "misuse of private information" is a tort in its own right within the meaning of paragraph 3.1(9). However, the judge felt bound by previous case law (Kitechnology v Unicor [1995] FSR 765) to hold that "breach of confidence" is not a tort.

This is an interesting decision because it represents a significant judicial step in defining the cause of action for misuse of private information. There is no over-arching cause of action for "invasion of privacy" under English law. As such, traditionally complaints concerning violations of privacy have been brought under the cause of action for breach of confidence, and this had led to something of a division within that cause of action – one strand relating to cases concerning privacy, and the other relating to cases concerning secret ("confidential") information.

The judiciary have, however, seemed uncomfortable with this for a number of years. In the famous case of Campbell v MGN [2004] UKHL 22 (in which Naomi Campbell sued Mirror Group Newspapers for breach of confidence over published photographs of her leaving a Narcotics Anonymous meeting) it was stated that the cause of action for breach of confidence "has now firmly shaken off the limiting constraint of the need for an initial confidential relationship" and that "in doing so it has now changed its nature". It was noted that "now the law imposes a "duty of confidence" whenever a person receives information he knows or ought to know is fairly and reasonably to be regarded as confidential" but that "even this formulation is awkward" and the more natural description is that such information is private. The statement was then made that “the essence of the tort is better encapsulated now as misuse of private information" (emphasis added).

Tugendhat J referred to this case and others (such as Imerman v Tchenguiz [2011] Fam 116) and, distinguishing what Google argued to be a contrary finding in the later case of Douglas v Hello! (No 3) [2006] QB 125, found that misuse of private information is indeed a tort in its own right. Whereas in the past judges have considered such a cause of action, and referred to it as a tort, this is the first time the question has been specifically addressed and answered.

Implications of misuse of private information as a separate tort
Following this finding it will be interesting to see whether a significant dichotomy arises between the types of actions brought under breach of confidence, and those brought under misuse of private information. In the first instance it seems likely that parties in privacy related actions will continue to bring their claims under both heads but, looking forward, this may be the beginning of a true fork in the road – for these types of claims.

A key further implication for claimants in misuse of private information actions is that they should now be able to claim tortious damages, as opposed to damages being an equitable remedy in the discretion of the judge (which is the case in actions for breach of confidence). Note the well-known case of Mosely v News Group Newspapers [2008] EWHC 1777 (QB) in which Eady J held that exemplary damages could not be awarded, a large part of the reasoning for which centred on the fact that breach of confidence is not a tort.

Claimants not debarred from relying on additional gateway for service out
The claimants were not debarred from relying on the ground for service out in paragraph 3.1(9) of Practice Direction 6B in relation to their DPA claim simply because they had not relied on it in relation to that claim in their initial application before the Master. Whereas Google may successfully have argued this in the past, Tugendhat J relied on comments made in NML Capital Ltd v Republic of Argentina [2011] UKSC 31 in agreeing with the claimants that this is no longer the law. However, this will not apply in circumstances where the parties should, and have not, had a proper opportunity to put the relevant evidence and submissions of law before the court.

Damages for breach of the Data Protection Act
In relation to the claim for breach of statutory duty under the DPA, the judge called into question previous case law in which it had been found that damages for distress can be recovered under s13 DPA only if pecuniary damage has also been suffered. The judge did not ultimately decide the question as this was something that might arise for decision at trial but gave a preliminary view that "damage" in s13 DPA does include non-pecuniary damage.

Further information
This case summary is part of the Allen & Overy Litigation Review, a monthly update on interesting new cases and legislation in commercial dispute resolution. For more information please contact Sarah Garvey, or tel +44 20 3088 3710.


Client alerts

Already signed up for Client alerts? Click here to access your portal