Category: Insurance case law · Reviewed by Chrissie Anderson, Client Executive · Last reviewed June 2026
The Court of Appeal recognised misuse of private information as a distinct tort and held that distress damages were recoverable under section 13 of the Data Protection Act 1998 without proof of pecuniary loss, disapplying the contrary requirement in section 13(2) as incompatible with EU law.
The claimants, Judith Vidal-Hall, Robert Hann and Marc Bradshaw, were users of Apple iPhones who browsed the internet using the Safari browser between summer 2011 and early 2012. They alleged that Google Inc had, without their knowledge or consent, collected information about their internet usage by means of the so-called “Safari Workaround”, which circumvented the browser’s default privacy settings to enable Google’s DoubleClick advertising cookies to track browsing activity. The data collected was said to constitute “Browser Generated Information” capable of revealing the claimants’ interests, location, social and economic background and other personal characteristics, and to have been used to deliver targeted advertising. The claimants further alleged that the targeted advertisements had been visible to other people who shared their devices, causing embarrassment and distress.
The claimants brought claims for misuse of private information and for breach of the Data Protection Act 1998. They sought damages for distress caused by the alleged contraventions; they did not allege pecuniary loss. Because Google Inc was domiciled in the United States, the claimants required the court’s permission to serve the proceedings out of the jurisdiction. Tugendhat J granted permission at first instance, holding that the claims raised serious issues to be tried and that there was a good arguable case that they fell within the jurisdictional gateways. Google appealed.
Two questions of legal classification arose at the appeal. First, whether misuse of private information was properly characterised as a tort, which mattered for the purposes of the jurisdictional gateway in CPR Practice Direction 6B for service out of the jurisdiction. Second, whether section 13(2) of the Data Protection Act 1998, which prevented compensation for distress unless the claimant had also suffered pecuniary damage (save in limited journalistic contexts), was compatible with Article 23 of the Data Protection Directive 95/46/EC and Articles 7 and 8 of the EU Charter of Fundamental Rights.
The court had to decide whether misuse of private information was a tort for the purposes of the service-out jurisdictional gateway, or whether it remained, as some earlier authority suggested, an equitable claim derived from breach of confidence. If it was a tort, the claimants could establish jurisdiction under the relevant gateway in CPR PD 6B; if it was not, they could not.
A second and equally important issue was the proper interpretation of section 13 of the Data Protection Act 1998. Section 13(1) provided for compensation for damage caused by a contravention of the Act, and section 13(2) provided that compensation for distress was available only where the individual had also suffered “damage” (interpreted as pecuniary damage) or where the contravention related to the processing of personal data for journalistic, artistic or literary purposes. The claimants contended that section 13(2) was incompatible with EU law because Article 23 of the Directive required Member States to provide a remedy for “any damage” suffered as a result of unlawful processing, without limitation by reference to pecuniary loss. They asked the court either to interpret section 13(2) compatibly with the Directive or, failing that, to disapply it.
The Court of Appeal (Lord Dyson MR, Sharp LJ and McFarlane LJ) dismissed Google’s appeal.
On the first issue, the court held that misuse of private information was now properly to be regarded as a tort. Although it had grown out of the equitable action for breach of confidence, the law had developed since the Human Rights Act 1998 such that protection of private information was recognised as a free-standing cause of action with its own constituent elements, distinct from the protection of confidential commercial information. Treating it as a tort accorded with its substantive characteristics and with subsequent procedural and limitation jurisprudence. As a tort, it fell within the jurisdictional gateway for service out of the jurisdiction.
On the second issue, the court held that section 13(2) of the Data Protection Act 1998 was incompatible with Article 23 of the Directive, which required compensation for “any damage” including non-material damage such as distress. Because section 13(2) could not be interpreted compatibly without distorting its plain language, the court disapplied section 13(2) on the basis that it conflicted with directly effective rights under the EU Charter. The result was that distress damages under the Data Protection Act 1998 were available without proof of pecuniary loss.
Permission to serve out of the jurisdiction was therefore upheld and the action allowed to proceed.
The decision establishes two rules of general application. First, misuse of private information is a tort in English law, with the consequences that follow for jurisdiction, limitation, vicarious liability and the procedural treatment of such claims. Second, section 13(2) of the Data Protection Act 1998 was incompatible with EU law in restricting the availability of compensation for distress to cases also involving pecuniary loss; accordingly, distress damages were recoverable for a contravention of the Act without proof of any other form of loss. The reasoning rested on the direct effect of the Charter of Fundamental Rights in disapplying inconsistent national legislation in fields covered by EU law. The decision did not address the quantum of distress damages or whether a uniform per-capita measure would be available — those questions were later addressed in Lloyd v Google LLC.
Vidal-Hall is the foundation case for modern UK data breach litigation and remains highly material to the underwriting and broker analysis of cyber liability cover, notwithstanding subsequent developments. By confirming that distress damages are recoverable without pecuniary loss, the decision opened the door to the wave of low-value data breach claims that brokers and cyber insurers have had to underwrite, defend and settle over the subsequent decade. By confirming that misuse of private information is a tort, it also expanded the categories of cover required, because intentional torts and equitable wrongs are treated differently for the purposes of standard liability policy wordings, vicarious liability analysis and insurability under the public policy rule.
For cyber and data liability insurance the decision has three practical implications. First, brokers should ensure that the definition of “Damages” or “Loss” in policy wordings expressly extends to non-material harm such as distress, anxiety and loss of enjoyment, not only to financial loss; older general liability wordings that contemplate only “bodily injury or property damage” will not respond. Second, the recognition of misuse of private information as a tort means that vicarious liability principles may apply to an organisation for the unauthorised acts of its employees (see Various Claimants v Wm Morrisons Supermarkets plc, where the same principle was applied to a deliberate rogue employee data breach). Third, the decision sits beneath Lloyd v Google LLC: although the Supreme Court there narrowed the scope of representative actions and per-capita recovery, individual data subject claims for distress remain available, meaning that the volumetric risk on a large breach is still real even if the per-claim quantum is constrained.
By Matt Bartlett, Director, on 2026-06-06. Next review: 2026-12-06.
This entry is part of the Apex Insurance Wiki. Last reviewed by Matt Bartlett on 2026-06-06. Apex Insurance Brokers Limited, FCA FRN 724952, Companies House 07014570. Not regulated advice — consult your broker on your specific position.
SEO meta: - Title: Vidal-Hall v Google Inc [2015] EWCA Civ 311 | UK Insurance Wiki | Apex Insurance Brokers - Slug: /wiki/cases/vidal-hall-v-google/ - Schema: Article + LegalCase + BreadcrumbList
Apex Insurance Brokers serves UK professional services firms and commercial businesses. Call 0117 325 0027, email hello@apexinsurancebrokers.co.uk, or request a quotation.
Get a quote