Mr Justice Tugendhat recently handed down this decision in the UK High Court (Queen’s Bench Division) recognizing the
existence in the UK of a tort of misuse of private information. Recognition of
such a tort is the culmination of many years of the UK courts considering how
best to deal with issues of what are essentially invasions of privacy,
particularly cases dealing with celebrities, and distorting the concept of
breach of confidence in order to accommodate such cases.
A number of matters were considered in the
case but this note will focus on the key issue of the recognition of a tort of
misuse of private information.
This case concerned claims brought by three
users of Google in the UK who alleged that Google had misused their private
information and acted in breach of confidence and their statutory duties under
the Data Protection Act 1998 by tracking and collating information relating to
the Claimants' internet usage using the Safari browser in 2011/ 2012, such as which web
sites they visited, how frequently they visited the sites, how long they spent
on the site and in what order sites were visited.
The essence of their claim is
that Google collected information from their computers, and other internet
enabled devices, regarding their browsing habits. Each Claimant specified in a
Confidential Schedule their individual personal characteristics, interests,
wishes and ambitions, which they used as the basis of the claim that ‘they
suffered distress, when they learnt that such matters were forming the basis
for advertisements targeted at them, or when they learnt that, as a result of
such targeted advertisements, such matters had in fact, or might well have,
come to the knowledge of third parties who they had permitted to use their
devices, or to view their screens.’ [at 22] The Claimants' damage is based upon the
harm caused to them by the fact that their apparent interests (deduced from
their browsing habits) were used to target advertising to them which disclosed
certain information about them based on those interests as evidenced in their
online habits. Those advertisements, and the personal information that they
disclosed, may have or had been viewed by third parties viewing the claimants’
devices. [at 23] Tugendhat J noted [at 24] whilst targeted advertisements which
merely reveal the employment of the user may not cause any damage ‘if the
targeted advertisements apparently reveal other information about the users,
whether about their personalities, or their immediate plans or ambitions, then
if these matters are sensitive, or related to protected characteristics (eg
beliefs), or to secret wishes or ambitions, then the fear that others who see
the screen may find out those matters, and act upon what they have seen, may
well be worrying and distressing.’ Whilst all of the Claimants claimed acute
distress and anxiety, none of them claimed to have suffered any discrimination
or other direct harm.
(It should be noted that the conduct
engaged in by Google during the relevant time had since been discontinued, due
to regulatory sanctions brought by the United States Federal Trade Commission,
which were settled in August 2012 and US state based consumer actions brought
by US State Attorneys-General on behalf of 37 US states and the District of
Columbia).
In order to satisfy the
requirements of the service out rules, the Claimants framed their argument on a
number of grounds, including tort. With respect to this claim, Google argued
that the cause of action based on misuse of private information/ breach of
confidence was not a tort, that no significant physical or economic harm was
suffered by the Claimants and the act complained of was not committed in the
jurisdiction.
The issue of whether the claim was based in
tort is of most relevance to the consideration of the evolution of the privacy
tort. Tugendhat J asserted [at 58] that it was clear that a claim for breach of
confidence is not a claim in tort, Kitetechnology
BV v Unicor GmbH Plastmaschinen [1995] FSR at 777-778. [52] However, the
position may be different with respect to misuse of private information, as
aluded to in Vestergaard Frandsen A/S v Bestnet Europe Ltd [2009] EWHC 1456
(Ch) where Arnold J stated [at 19] that whilst breach of confidence in not a
tort (citing Kitetechnology) ‘Misuse
of private information may stand in a different position’ (citing Campbell v MGN [2004] 2 AC 457 at [14]).
Tugendhat J then cited directly from Lord
Nicholls in Campbell:
‘This cause of
action has now firmly shaken off the limiting constraint of the need for an
initial confidential relationship. In doing so it has changed its nature. In
this country this development was recognized clearly in the judgment of Lord Goff
of Chiveley in Attorney-General v
Guardian Newspapers Ltd (No 2) [1990] 1 AC 109, 281. Now the law imposes a
'duty of confidence' whenever a person receives information he knows or ought
to know is fairly and reasonably to be regarded as confidential. Even this
formulation is awkward. The continuing use of the phrase 'duty of confidence'
and the description of the information as 'confidential' is not altogether
comfortable. Information about an individual's private life would not, in
ordinary usage, be called 'confidential'. The more natural description today is
that such information is private. The essence of the tort is better
encapsulated now as misuse of private information." (emphasis added)’
Tugendhat J then considered the complexity
of issues surrounding the recognition of such a tort in the context of other
decisions and the question of service out of jurisdiction. He observed that the
privacy tort and the equitable action of breach of confidence, although
related, should be treated separately, citing Lord Nicholls in OBG Ltd v Allan and Douglas v Hello! [2008] 1 AC 1 at para [255]: "As the law has developed breach of confidence, or misuse of confidential information, now covers two distinct causes of action, protecting two different interests: privacy, and secret ("confidential") information. It is important to keep these two distinct." [at 67] Tugendhat J further bolsters his recognition of the tort of misuse of private information [at 68] noting:
‘there have since been a number of cases in which misuse of private information has been referred to as a tort consistently with OBG and these cannot be dismissed as all errors in the use of the words 'tort''
After this consideration Tugendhat J concludes
[at 70] ‘that the tort of misuse of private information is a tort within the
meaning of ground 3.1(9).’
With respect to the breach of confidence
claim however, Tugendhat J concludes that he is ‘bound by the decision in Kitetechnology to hold that the claim
for breach of confidence is not a tort.’ [71].
Further consideration was then given to the
question as to whether the Claimants had suffered any recognizable and relevant
damage. Tugendhat J concluded that
damages for ‘distress are recoverable in a claim for misuse of private
information, eg Mosley v New Group
Newspapers Ltd [2008] EMLR 679.’ Therefore the Claimants’ claim for damage
fell within the requirements of the rules relating to service out.
On the question of whether the information
was private, it was submitted on behalf of Google that the information
collected about the Claimants browsing habits was anonymous and not private:
‘The aggregation of such information sent to separate websites and advertising
services cannot make it private information. One hundred times zero is zero, so
one hundred pieces of non-private information cannot become private information
when collected together.’ [115] Tugendhat J rejected this approach, noting that
Google would not have gone to effort to collect and collate this information
unless it resulted in something of value. Further, the fact that Google
personnel do not themselves identify or recognize the identity of people from
whom the data is collected. At some point the Claimant becomes identifiable as
a result of the collation and use of the information, in this case, at the
point where the targeted advertisements become visible on their screen by a
third party. Tugendhat J conceded that not all of the generated information
would give rise to claims of privacy, in the individual cases the particular
types of information identified by the Claimants was private information. (‘These
are not generic complaints. They are complaints about particular information
about particular individuals, displayed on particular occasions (even though
the precise dates and times of the occasions are not identified)’ [at 119].
The novel aspect of this case is the final
recognition of a separate tort of misuse of private information. This has evolved
in the UK as a consequence of the distortion of the breach of confidence action
and the UK Human Rights Act, which required a change of approach to the
balancing of various interests in the disclosure and protection of personal
information. This certainly would not reflect the situation under Australian
law, where the privacy tort has evolved no further than the glimmer in the eye
of the High Court in Australian Broadcasting Corporation v Lenah Game Meats in 2001. Of course, in Australia the ALRC is still considering the introduction of a tort for serious invasion of privacy.