The ‘Safari Workaround’

Google Inc. v Judith Vidal-Hall and others [2015] EWCA Civ 311, 27 March 2015

The Facts

The three claimants alleged that Google Inc had circumvented Apple’s security settings to install Google DoubleClick ID cookies in order to assess users’ online behaviour and to store this private information online without the users consent.

The Google DoubleClick service allowed online advertisers to access user information in order to send targeted advertisements to the claimants. Third parties were able to see the adverts that were sent, which contained sensitive personal data. Importantly, the claimants thought that the cookies would be blocked by the default setting on Safari and because of Google’s publicly stated position that users would have to give their consent for cookies to access their browser. This process became known as the ‘Safari Workaround’.

The claimants sought damages against Google for anxiety and distress in respect of their claims for misuse of private information and/or breach of confidence on the basis that their personal dignity, autonomy and integrity had been damaged. They also claimed for aggravated damages on the basis that Google should have been aware of the ‘Safari Workaround’ operation or that it was aware of it and chose to do nothing about it.

The defendant applied for an order to set aside service of the claim form and that the court did not have jurisdiction to try the claims. The High Court dismissed this application on the basis that the misuse of private information was a tort for the purposes of the rules governing service out of the jurisdiction, and therefore fell within the Civil Procedure Rules (CPR).

The defendant subsequently appealed against the High Court’s decision.

The Decision

The Court of Appeal upheld the High Court’s decision that the three individuals resident in England can bring a claim against the US based Google In.

The decision was groundbreaking for a number of reasons. The court held that misuse of private information is a tort despite its origins in the equitable claim for breach of confidence. The court disapplied section  13(2) of the Data Protection Act 1998 (DPA) so that damage includes mere distress, and is no longer limited to pecuniary damage. Further, it was held that there was a strong case to answer, and that there was a serious issue to be tried which therefore merit a trial.

The proceedings arose because of the need to serve out of the jurisdiction on Google, and there is yet to be a full trial.