By Daniel J. Solove
This post is co-authored by Professor Neil Richards
The case illustrates several fascinating aspects of the developing global law of privacy, with big implications for online marketing, Big Data, and the Internet of Things.
At first blush, it is easy to see the case as one more divergence between how privacy is protected in the EU and US, with a European Court once again showing how much eager it is to protect privacy than an American one. But the biggest takeaway from the case is not one of divergence; it is one of convergence!
Privacy law is becoming a global stew. So bring your appetite and read on. . .
The court ruled that companies can be liable for violations of the English Data Protection Act of 1998 even when the violations don’t cause financial harm. The Data Protection Act will now be a significant source of litigation (and liability) for companies that use data in ways other than they have disclosed to users.
US privacy law has struggled over when to recognize harm for privacy violations. In many cases, courts require a showing of financial harm. In a US case involving the Google Safari incident, the court held that the plaintiffs couldn’t prove harm because they couldn’t prove an interference with their ability to “monetize” their data. See In Re Google Inc. Cookie Placement Consumer Privacy Litigation, 988 F.Supp.2d 434 (D. Del. 2013).
But in other cases and contexts, courts recognize emotional distress as a harm. The FTC, although it must establish harm when claiming a practice is “unfair” under Section 5 of the FTC Act, has a broader conception of harm than is often found in tort law.
If we step away from US tort law and look at US law as a whole, we see that it is quite common for the law to protect privacy and security without a requirement of harm. Many data breach notification laws apply regardless of harm; HIPAA and other privacy statutes are enforced without regard to harm. Many other federal and state statutes provide for damages even without a showing of harm.
Privacy Law Is Becoming a Global Stew
The court in Google v. Vidal-Hall recognized clearly for the first time under English law that there is a tort action for the “misuse of private information.” This tort, a relatively recent development in English law, is an offshoot of the longstanding common law tort of breach of confidence. Vidal-Hall opens up new recipes of liability for companies that improperly use the data of their users or customers.
At first, one might think: There go those privacy-crazed Europeans again, cooking up even more privacy protections! But ironically, the Vidal-Hall case shows how US tort ideas are influencing EU law.
To understand what’s going on, we need to relate the story of how tort privacy law developed in the US and England. We’ll be brief here, but if you’re interested in a more detailed account, you can read our article from 2007 — Privacy’s Other Path: Recovering the Law of Confidentiality, 96 Georgetown Law Journal 123 (2007).
In 1890, Samuel Warren and Louis Brandeis wrote one of the most influential law review articles ever — The Right to Privacy, 4 Harvard Law Review 193 (1890) (see here for more about the article). They argued that new tort actions were needed to protect privacy. At the time they wrote, there was tort of breach of confidence in the shared common of Britain and the US. That tort protected against betrayals of confidential information shared between people. Warren and Brandeis were concerned with the media, and they realized that many privacy violations might not be done by people in a relationship but by complete strangers. The breach of confidence tort wasn’t enough because it involved a relationship between the parties. So Warren and Brandeis suggested that tort law was nimble enough to start recognizing protections from privacy violations by strangers.\
The article created a big divide between the US and England. In the US, many new torts sprung up in response to their article over the next century. But curiously, the breach of confidence tort was largely forgotten. In England, privacy law developed slowly out of notions of breach of confidence, focusing on expectations in relationships. There were repeated attempts to recognize new privacy torts, especially the torts inspired by the Warren and Brandeis article. Courts repeatedly refused to recognize them; doing so seemed too newfangled and brash.
Ironically, US and English law began from the same body of law before they diverged. The very same case that Warren and Brandeis used as the primary authority in their article – a case called Prince Albert v. Strange involving Queen Victoria’s private pictures – is the same case that forms the backbone of English breach of confidence law.
Now the law in these countries is converging. In the US, the breach of confidence tort (commonly known as breach of confidentiality) began a resurgence during the past few decades. It has been akin to finding a priceless work of art in the attic! The tort in the US has started to develop some similar dimensions as the English tort. English tort is broadening to encompass the harms that the US privacy torts redress. Even when rejecting the US privacy torts, English courts keep creeping closer. They have expanded the breach of confidence tort so that in practice, the tort protects against privacy invasions by strangers. The tort has expanded into a giant umbrella that covers many other situations.
Now, in Vidal-Hall we ironically see an English court embracing the US-style approach of recognizing new tort actions. Once again, the breach of confidence tort is stretched to encompass a new protection of privacy – misuse of private information. This is akin to the profound genesis of torts that occurred after Warren and Brandeis’s article that the English courts rejected as a bit too brash for their refined sensibilities. Interestingly, the Warren and Brandeis torts have ossified in the US, with little new development. But over in the UK, the evolving problem-solving spirit of the common law seems to be stronger than ever. Britons are now the boldly innovative ones, and with each case seem closer to embracing the spirit behind the Warren and Brandeis article.
An International Feast
Vidal-Hall is not unique. We see the law of various countries influencing each other all the time.
New countries keep recognizing the Warren and Brandeis torts. And countries are also adopting EU-style privacy laws. US-style data breach notification laws are increasingly popular – the EU has been hungrily eying US breach notification laws, eager to cook up some of their own.
Also, the Fair Information Practice Principles (FIPPs) were articulated in a 1973 report by a US agency. These form the backbone of many EU privacy laws, as well as the OECD Privacy Guidelines, which form the backbone of many privacy laws around the globe.
What we are seeing globally is the mix of privacy ideas. With Vidal-Hall, a court in the EU is incorporating some tort law ideas from the US – and with a zest that the US hasn’t seen with the privacy torts in a while. When these tort ideas are combined with some EU ingredients, the result is quite a spicy dish.
Broader EU notions of personally-identifiable information are being used in the US, as we see in the new rules for the Children’s Online Privacy Protection Act which now includes IP addresses. The EU also is starting to be influenced by the boldness of US-style enforcement.
The conventional wisdom is that US privacy law is bland and the EU privacy law is piquant, but that’s not true. Each body of law has strengths and weaknesses; each has some very potent ingredients. The chefs may occupy different kitchens, but they are definitely influencing each other. If privacy law is food, fusion is on the menu.
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is a “LinkedIn Influencer.” His blog has more than 890,000 followers.
Professor Solove is the organizer, along with Paul Schwartz of the Privacy + Security Forum (Oct. 21-23 in Washington, DC), an event that aims to bridge the silos between privacy and security.
Neil M. Richards is a Professor of Law at Washington University in St. Louis. He is an Affiliate Scholar of the Stanford Center for Internet and Society, and an Affiliate Fellow of the Yale Center for Internet and Society. His book Intellectual Privacy was just published by Oxford University Press.