When providing a very {brief summary: http://www.scl.org/site.aspx?i=ne41807} of {i}Google Inc v Vidal-Hall & Ors{/i} [2015] EWCA Civ 311, I promised that a fuller account with analysis of the impact would follow. That promise still holds good. But I think that analysing the impact might take a while and this landmark case genuinely deserves a period of reflection.
There are already excellent accounts of the case and immediate analysis from Jon Baines on his {Information Rights and Wrongs blog: http://informationrightsandwrongs.com/2015/03/27/vidal-hall-v-google-and-the-rise-of-data-protection-ambulance-chasing/}, Christopher Knight on the {Panopticon blog: http://www.panopticonblog.com/2015/03/27/google-and-the-dpa-rip-section-132/} and Alexander Hanff on the {ITsecurity web site: http://itsecurity.co.uk/2015/03/uk-court-of-appeal-issues-game-changing-judgment-in-google-safari-case/}. I will be looking out for more analysis of the case, especially any negative views of it, and am happy to add more links. In fact, I have just seen Andrew Tibber’s take on the {Bright Stuff blog: http://blog.templebright.com/2015/03/google-on-rack-for-do-not-track.html}. And this very well rounded piece from Chris Bridges on {Keep Calm and Talk Law: http://www.keepcalmtalklaw.co.uk/vidal-hall-v-google-can-big-brother-be-defeated/} is well worth reading (with a mug of coffee – it’s long). I see too that Lorna Skinner’s detailed account on the {Inforrm blog site: https://inforrm.wordpress.com/2015/03/31/case-law-vidal-hall-v-google-distress-damages-can-be-awarded-under-s-13-dpa-without-pecuniary-loss-and-misuse-of-private-information-is-a-tort-lorna-skinner/} has been very favourably received (I confess that I have yet to read it). There is an interesting analysis from an EU law perspective from Steve Peers {here: http://eulawanalysis.blogspot.co.uk/2015/04/vidal-hall-v-google-strengthening-eu.html}
I remain uncertain about both the radical interpretative method used by the Court of Appeal (the DPA, s 13(2) has been declared dead) and the wide impact of the judgment.
To take the second point first, I have often moaned about the ICO’s ‘light touch’ on enforcement being close to lackadaisical and it has been pointed out that there’s no enforcement like the prospect of a million minor actions for breach. But I am not sure I want to see large-scale insolvencies to flow from wide-ranging data breaches. The facts of {i}Vidal-Hall{/i}, where Google undermined the users’ attempts to protect their privacy, seem to justify material recompense and those extreme facts may lead us down a road that takes us somewhere we do not want to go. Whenever I buy a defective product, I am guaranteed to slip into grumpy mode and complain about the fact that the seller should come to my house, collect it and supply a replacement (and a cheque for the time I wasted assembling/reading the manual etc). And so they darn well should, but since I don’t want all the retailers to go bust or increase their prices, I drive into town and take the goods back. I think there is a parallel – one might also refer to the minor assaults in travel on the Tube; there is a point where the minor nature of the damage suffered does not justify the damage to society that the provision of a full remedy would allow.
It is that balance that Parliament was seeking to address in s 13(2) and it was bold of the Court of Appeal to consign it to dust. I cheered when I saw the {i}Vidal-Hall{/i} result but I am not so sure now. Was it really not possible to read s 13(2) down? I think we are many appeals away from knowing for sure.
As Jon Baines suggests, we might see the Vidal-Hall judgment as the moment when data protection breach ambulance chasers came into being. Come to think of it, the ambulance chasers can go back in time – claims do not have to start now but could cover any recent breach. There might, just possibly, be a few people who didn’t fully comply with the ‘cookie law’ – are they fair game?