Vidal-Hall: Some Links and Thoughts

March 29, 2015

When providing a very {brief summary:} of {i}Google Inc v Vidal-Hall & Ors{/i} [2015] EWCA Civ 311, I promised that a fuller account with analysis of the impact would follow. That promise still holds good. But I think that analysing the impact might take a while and this landmark case genuinely deserves a period of reflection.

There are already excellent accounts of the case and immediate analysis from Jon Baines on his {Information Rights and Wrongs blog:}, Christopher Knight on the {Panopticon blog:} and Alexander Hanff on the {ITsecurity web site:}. I will be looking out for more analysis of the case, especially any negative views of it, and am happy to add more links. In fact, I have just seen Andrew Tibber’s take on the {Bright Stuff blog:}. And this very well rounded piece from Chris Bridges on {Keep Calm and Talk Law:} is well worth reading (with a mug of coffee – it’s long). I see too that Lorna Skinner’s detailed account on the {Inforrm blog site:} has been very favourably received (I confess that I have yet to read it). There is an interesting analysis from an EU law perspective from Steve Peers {here:}

I remain uncertain about both the radical interpretative method used by the Court of Appeal (the DPA, s 13(2) has been declared dead) and the wide impact of the judgment.

To take the second point first, I have often moaned about the ICO’s ‘light touch’ on enforcement being close to lackadaisical and it has been pointed out that there’s no enforcement like the prospect of a million minor actions for breach. But I am not sure I want to see large-scale insolvencies to flow from wide-ranging data breaches. The facts of {i}Vidal-Hall{/i}, where Google undermined the users’ attempts to protect their privacy, seem to justify material recompense and those extreme facts may lead us down a road that takes us somewhere we do not want to go. Whenever I buy a defective product, I am guaranteed to slip into grumpy mode and complain about the fact that the seller should come to my house, collect it and supply a replacement (and a cheque for the time I wasted assembling/reading the manual etc). And so they darn well should, but since I don’t want all the retailers to go bust or increase their prices, I drive into town and take the goods back. I think there is a parallel – one might also refer to the minor assaults in travel on the Tube; there is a point where the minor nature of the damage suffered does not justify the damage to society that the provision of a full remedy would allow.

It is that balance that Parliament was seeking to address in s 13(2) and it was bold of the Court of Appeal to consign it to dust. I cheered when I saw the {i}Vidal-Hall{/i} result but I am not so sure now. Was it really not possible to read s 13(2) down? I think we are many appeals away from knowing for sure.

As Jon Baines suggests, we might see the Vidal-Hall judgment as the moment when data protection breach ambulance chasers came into being. Come to think of it, the ambulance chasers can go back in time – claims do not have to start now but could cover any recent breach. There might, just possibly, be a few people who didn’t fully comply with the ‘cookie law’ – are they fair game?