Over the past few years, Google has been involved in a slate of high-stakes privacy litigation, in issues ranging from the removal of offensive video footage to the rollout of its Street View service to the emerging right to be forgotten. Last week, Google privacy aficionados received another landmark case to add to an increasingly rich library with the England and Wales Court of Appeal decision in Google v. Vidal-Hall. The case involved Google’s alleged circumvention of privacy settings in Apple’s Safari browser, allegations that Google settled with the Federal Trade Commission and state attorneys general in the U.S. for more than $22 million and $17 million respectively.

The UK court’s sweeping 50-page opinion is one of the most significant judicial decisions in the privacy space since the dawn of the Data Protection Directive 20 years ago. Ironically, it comes at a time when the directive is on the verge of sunset, being replaced by the General Data Protection Regulation.

Still, the Vidal-Hall decision is a prize for lawyers who for years have been clamoring for an authoritative interpretation of European data protection law. In Europe, data protection enforcement is sporadic, and very few cases reach the courts. Even the handful of cases that reach their zenith, such as the CJEU decisions in the Lindqvist and Costeja (right to be forgotten) cases, are short on analytical reasoning. Indeed, scholars have been frustrated poring over the CJEU Costeja case for clues about the justifications for the court’s decision, which was delivered in terse, parsimonious terms. The Vidal-Hall decision is different, vindicating the capacity of English common law to breathe life into existing legal concepts and legislation.

One reason the data protection docket is scant is the very issue tackled by the Vidal-Hall court: the narrow definition of privacy harm. This problem also resonates across the ocean in U.S. jurisprudence: Courts define privacy harms narrowly, excluding equivocal notions of emotional distress and focusing on pecuniary losses. Time and again, privacy lawsuits collapse against a wall of uncertainty as plaintiffs struggle to show harm. A plaintiff proves a retailer lost his personal information, including credit card and Social Security numbers, but absent liability for unauthorized transactions, where’s the harm? Another plaintiff proves an online provider surreptitiously collected her personal information for ad-targeting purposes, but how much does this “creepy” feeling cost?  

As Ryan Calo observed, “A privacy harm must be ‘cognizable,’ ‘actual,’ ‘specific,’ ‘material,’ ‘fundamental’ or ‘special’ before a court will consider awarding compensation. Leading commentators to question whether privacy harm is much of a harm at all.”

For all detractors of privacy harms, the UK court now draws a line in the sand. Going so far as to invalidate a clearly phrased statutory provision, Section 13 of the UK Data Protection Act, insofar as it is inconsistent with the European Directive and the EU Charter of Fundamental Rights, the UK court holds emotional distress, or “moral damage,” is recoverable under privacy law. In the words of the Master of the Rolls and Lady Justice Sharp, “Since what the Directive purports to protect is privacy rather than economic rights, it would be strange if the Directive could not compensate those individuals whose data privacy had been invaded by a data controller so as to cause them emotional distress (but not pecuniary damage).”

In a field that assesses illegitimate behavior according to fickle notions such as “unfairness” and “creepiness,” the expansion of recoverable damages to purely emotional damage is groundbreaking. And given the rhetorical force of the UK court, companies on both sides of the Atlantic should prepare for a potential opening of the floodgates of individual and class actions. In recognizing non-economic damages, the UK court reversed a legal fiction it had traditionally used to award damages in the absence of pecuniary loss—finding nominal pecuniary damage, for example, one pound British, as a basis to award more significant compensation for emotional distress.

In its decision, the Vidal-Hall court reversed another venerable legal fiction, more idiosyncratic to UK law, under which courts have traditionally remedied privacy violations without recognizing a standalone right to privacy. Amazingly for any non-UK jurist, more than 120 years after Warren and Brandeis, 50 years after the Prosser privacy torts and 17 years after the Human Rights Act and Data Protection Act, UK law has up till now declined to recognize privacy rights.

Instead, UK courts “shoehorned” privacy into common law “breach of confidence” claims. They did so even in cases where there was little if any proximity between plaintiff and defendant and no obligation of confidentiality to boot. In a notable case, the House of Lords decided that the Mirror, a British tabloid, breached a duty of confidentiality to supermodel Naomi Campbell, since it should have known that publishing a photo of Campbell near the entrance to a meeting of Narcotics Anonymous “might jeopardize the continued success of her treatment.” Hollywood power couple Michael Douglas and Catherine Zeta-Jones benefited from a similar ruling, which attributed an obligation of confidentiality to an intruder to their wedding, whose illicit photos of the event were published by another British tabloid.

Overcoming what it called “the common law’s perennial need (for the best of reasons, that of legal certainty) to appear not to be doing anything for the first time,” the Vidal-Hall court held that such legal acrobatics would no longer be necessary. It recognized the misuse of private information as a tort, stating that, “this does not create a new cause of action. In our view, it simply gives the correct legal label to one that already exists.” Interestingly, in an article published almost a decade ago, I suggested working in the other direction, applying an obligation of confidentiality to Google with respect to its control over users’ search logs. I wrote there, “Whether based on an implied term of contract between Google and its users or on the private nature of the information itself, Google should account to users in case of disclosure of information to third parties.” Clearly, regardless of the “confidentiality” or “privacy” caption, Google owes its users a set of legal obligations grounded in the trust that those users place in the company.

In its decision, the court tackled another fundamental issue that regularly keeps privacy professionals on their toes: the definition of personal data. Specifically, the court assessed whether browser-generated information (BGI), that is, information about users’ online browsing habits collected via their browser, constituted “personal data” under EU and UK law. The court conducted thorough analysis of the notions of identifiability, anonymization and pseudonymization, holding that “identification for the purposes of data protection is about data that ‘individuates’ the individual, in the sense that they are singled out and distinguished from all others. It is immaterial that the BGI does not name the user.”

Importantly, the court held that information that allows a company to identify an individual based on matching or aggregating with other information in its possession is personal, regardless of whether the company in fact matches or aggregates. In doing so, it discarded an argument often made by online providers that persistent identifiers single out a device as opposed to an individual user. Presaging the discussion of cross-device tracking, which has emerged at the center of privacy policy-making, the court holds that “the concept of ‘multiple users’ is, in effect, an outdated one. The general position is that devices are used exclusively by a single individual (smartphones and tablets, to take two examples). In practice this means it is typically possible to equate an individual device user with the device itself.”

Gone are the days of a single PC placed on a living room table and serving an entire family. Today, every parent and child has his or her own device, if not several devices. In deciding this matter, the court accepts the plaintiff counsel’s argument that “the best proof of this is (Google’s) own business model which is predicated on the potential for the ‘individuation’ of users.”

One thing is clear: The Vidal-Hall case is a resounding declaration that privacy matters. On privacy skeptics, the UK court decision lands a knockout in three rounds; first in its (overdue) embrace of a privacy cause of action; second in its clarification of the definition of personal data in an age of big data and multiple connected devices and third in its expansion of the concept of compensable harm. If not overturned on appeal, Vidal-Hall, with its broad notions of privacy, harm and personal data, may portend a sea change in privacy jurisprudence, emboldening individuals and regulators in their quest to rebalance the data terrain.

Photo credit: Anthony M., from Rome, Italy, CC 2.0