Google Inc is being sued in the High Court by three UK residents for breach of confidence, misuse of private information and for breaches of the Data Protection Act 1998 (DPA) (Vidal-Hall and others v Google Inc  EWHC 13 (QB)). The three allege that without their knowledge Google tracked and collated information relating to their internet use, particularly their use of various Google services, while they were using Apple Safari browsers between 2011 and 2012, and that Google used that data to serve them with targeted ads.
Those acts were alleged to have been committed by US-based Google Inc, rather than any of its EU-based subsidiaries, and so the claims were issued against Google Inc itself.
Although the action is not a class action as such, and is not proceeding under a group litigation order, the claimants’ solicitors have stated that the claims are ‘test claims’ and that some 170 other potential claimants are waiting in the wings, ready to bring similar actions against Google if this one succeeds.
The claims were issued last summer and by December they faced their first real test: the hearing of an interim application brought by Google for a declaration that the High Court in England had no jurisdiction to try the claim and that the claimant should not have been given permission to serve Google Inc outside the jurisdiction. If Google’s application succeeded, the claims would be unable to proceed in England and the claimants would have to bring their claims in the US instead.
The hearing of Google’s application took place in the High Court in December and its judgment was handed down on 16 January.
Google lost its application.
The decision has been heralded in some quarters as of groundbreaking significance on the basis that UK residents will now be able to sue Google Inc directly in the English courts without having to bring their claims in the US. But as Google itself pointed out at the hearing, that is not new. Its argument was not that it could never be sued in the UK. Plainly it could be, and has been, in other cases. Rather, its argument was that these particular claims ought to have been brought, if anywhere, in the US rather than the UK. Instead, the real significance of this judgment is to be found in the reasons given by the court for rejecting some of Google’s more substantial arguments.
In its attempt to persuade the court that the action ought not to proceed in the UK, Google argued that the claims for misuse of private information were not claims in ‘tort’ (and therefore no ‘tort’ as such had taken place within the jurisdiction in the UK) and that no ‘damage’ had been suffered within the jurisdiction (because the alleged damage did not include actual financial loss, but only distress, which Google argued did not qualify for these purposes).
The court rejected the first argument after carefully considering recent case law relating to the misuse of private information. The court accepted that in English law there was no general tort of ‘invasion of privacy’ but held that there is now a distinct tort of ‘misuse of private information’ and that this does constitute a ‘tort’ as such under the Civil Procedure Rules for the purposes of obtaining permission to serve proceedings abroad.
The court also held that damages for distress were recoverable for this tort and that such damage was indeed sufficient for these purposes.
In relation to the DPA claims, however, the question of damage was much more difficult. Although the Court of Appeal held in Johnson v MDU  EWCA Civ 262 that section 13 of the DPA permits recovery of damages for distress only where actual financial damage is suffered, the court refused to accept that this point was settled, particularly where the human right to respect for private life and correspondence is engaged under article 8 of the Convention for the Protection of Human Rights.
The court held that the claimants had a good arguable case on the point, and that since it was a ‘controversial question of law in a developing area’ it would be better for the question to be determined at trial in light of all of the evidence, rather than on the present interim application. The court therefore permitted the DPA claims to proceed to trial.
An authoritative decision on this DPA point will certainly be welcomed by practitioners, given the concerns raised in recent years as to whether these provisions of the DPA inappropriately restrict the corresponding provisions of the Data Protection Directive that the DPA is meant to implement.
With those arguments dealt with, the court appears to have had little difficulty going on to hold that there was a serious issue to be tried and that England was clearly the most appropriate forum. In the process, it rejected Google’s arguments that the browser-generated information was not ‘private’ at all (being anonymous), and that its activities had not actually taken place in the UK.
The court held that although not all of the information was private, at the point when the targeted ads were displayed on the claimants’ screens, private information could be deduced or inferred about them by anyone seeing the ads on screen at that time. Since the ads were displayed on-screen in the UK, the court held that publication was plainly effected here.
And so the claims will now proceed to trial in England, assuming they are not settled first. Until then, lawyers will be left to consider the legal significance of this decision.
Quite apart from its legal significance, however, as a very well publicised demonstration of the fact that US-based corporations can be sued in the UK courts for misusing private information, at least where it is published in the UK, the present judgment clearly has enormous practical significance for US-based online businesses dealing with UK-residents’ personal data and information, giving them all the more reason to follow Google’s own informal corporate motto: ‘don’t be evil’.
Apple and Facebook take note.
Ian Silcock is a barrister at Hardwicke chambers