English Court of Appeal Expands Privacy Rights

The Court of Appeal in England has upheld a 2014 decision against Google about its scraping of information from users of the Safari browser. It classified a privacy action as a tort that will support a class action (called a ‘group action’ there) and also service out of the jurisdiction. The Court allowed the action to proceed without proof of pecuniary damages. It also held that ‘browser generated information’ (BGI) was personally identifiable information to which the Data Protection Act applied, though it did not contain the name of the person using the browser.

Google v Vidal-Hall : [2015] EWCA Civ 311

The point on damages was the effect of the EU Privacy Directive that required a remedy for a breach of fundamental rights. The English Data Protection Act was too narrow in what it gave remedies for in such cases, and its limits were therefore inoperative in this case.

(i) where there is a breach of a right afforded under EU law, article 47 of the Charter is engaged; (ii) the right to an effective remedy for breach of EU law rights provided for by article 47 embodies a general principle of EU law; (iii) (subject to exceptions which have no application in the present case) that general principle has horizontal effect; (iv) in so far as a provision of national law conflicts with the requirement for an effective remedy in article 47, the domestic courts can and must disapply the conflicting provision; and (v) the only exception to (iv) is that the court may be required to apply a conflicting domestic provision where the court would otherwise have to redesign the fabric of the legislative scheme. (emphasis added)

On the BGI issue, the Court said this:

* BGI information comprises two relevant elements: (a) detailed browsing histories comprising a number of elements such as the website visited, and dates and times when websites are visited; and (b) information derived from use of the ‘doubleclick’ cookie, which amounts to a unique identifier, enabling the browsing histories to be linked to an individual device/user; and the defendant to recognise when and where the user is online, so advertisements can be targeted at them, based on an analysis of their browsing history.

* Taking those two elements together, the BGI enables the defendant to single out users because it tells the defendant (i) the unique ISP address of the device the user is using i.e. a virtual postal address; (ii) what websites the user is visiting; (iii) when the user is visiting them; (iv) and, if geo location is possible, the location of the user when they are visiting the website; (v) the browser’s complete browsing history; (vi) when the user is online undertaking browser activities. The defendant therefore not only knows the user’s (virtual) address; it knows when the user is at his or her (virtual) home.

Here is the summary by the successful law firm (Olswangs LLP).
Here is a detailed analysis by a privacy advocate (whose extracts have been used…).

Any implications for Canada, or would our law have made similar findings? It seems to me that the ‘sue despite no financial harm’ ruling is a difference, but of course we do not have the EU Directive forcing our hand on that point.

What about browser-generated information being PII under Canadian law?

Comments are closed.