In dismissing the appeal, the court considered four issues.

Misuse of private information. The court held that, although it had originated in the equitable action for breach of confidence, a claim for misuse of private information was now to be classified as a tort. This allowed service out under the tort gateway in paragraph 3.1(9) of Practice Direction 6B.

Outside of the service out context, it is unlikely that this confirmation will have significant practical implications, although it may be of some potential relevance when considering the available remedies.

Damages under section 13. Section 13 is structured in such a way that a breach of the DPA entitles the claimant to damages if pecuniary loss is suffered (section 13(1)), but the claimant can only claim for damages for distress if pecuniary loss has also been shown (section 13(2)). That construction was approved by the Court of Appeal in Johnson v Medical Defence Union, which has long cast a baleful glare over the argument that one can recover section 13 damages for distress alone, despite Article 23 of the Data Protection Directive (95/46/EC) (Article 23) (which the DPA implements) not appearing to impose such a bar ([2007] EWCA Civ 262; www.practicallaw.com/3-313-0974).

The court in Google held that the word "damage" in Article 23 had to be given an autonomous EU law meaning. It had to be construed widely having regard to the underlying aims of the legislation. The DPA was primarily designed to protect privacy rather than economic rights and it would be strange if data subjects could not recover compensation for an invasion of their privacy rights merely because they had not suffered pecuniary loss, especially given that the right to a private life in Article 8 of the European Convention on Human Rights (Article 8) does not impose such a bar.

The court found that Johnson was not binding, and was wrong. However, it is not necessary to establish whether there has also been a breach of Article 8 in order to claim under the DPA although, in practice, an act that does not breach Article 8 is unlikely to be serious enough to have caused recoverable distress under the DPA.

As a consequence, the court held that section 13(2) did not properly implement Article 23. It could not be read down; Parliament had intended section 13(2) to impose this higher test, although there was nothing to suggest why it had done so. However, Article 8 of the EU Charter of Fundamental Rights makes specific provision for the protection of personal data, and Article 47 of the Charter (Article 47) requires that there be an effective remedy for the breach of a Charter right.

Privacy and data protection rights are enshrined as fundamental in the Charter, and a breach of the DPA engages those rights under EU law. Article 47 has horizontal direct effect and the domestic court is compelled to disapply any domestic legal provision that offends against the relevant EU law requirement (Benkharbouche v Embassy of Sudan [2015] EWCA Civ 33). The court held that there could be no objections to a disapplication here, because there was only one legislative solution: section 13(2) must be disapplied.

BGI as personal data. Google cannot identify a specific user by name; it only identifies particular browsers. Nonetheless, the court considered that there was a serious issue to be determined at trial as to whether the BGI was personal data under the DPA. It was arguable that the BGI was personal data under section 1(1)(a), as the BGI clearly singles out a user on an individual basis and therefore directly identifies him.

The court noted that it was part of Google's business model to identify individuals in order to effectively target advertising at them. It was also arguable that the BGI was personal data under section 1(1)(b) of the DPA when taken with gmail account data held by Google.

It did not matter whether Google had any intention of amalgamating the data, both on linguistic grounds (the definition of personal data does not require identification actually to occur) and on purposive grounds (having regard to the underlying purpose of the legislation of protecting privacy).

Substantial cause of action. The court held that although claims for breach of the DPA would involve relatively modest sums in damages, that did not mean the claim was "not worth the candle". On the contrary, it found that while the damages may be small, the issues of principle are large. There was no basis for striking out the claim.

The most significant part of the judgment is the decision to strike down section 13(2). This means a likely flood of DPA litigation. Every breach of the DPA now risks an affected data subject seeking damages. Up to this point, the major disincentive has been that there was only very rarely pecuniary loss as well as distress, and so it was not worth bringing a claim. That will now change, and relatively easily given that the vast majority of such claims are issued in the County Court. The loss of the data controllers' main shield in section 13(2) leaves them vulnerable and exposed if they do not ensure that breaches are avoided.

The sums in issue will, on the current law, be small (and there was no suggestion in Google that it need be otherwise), and not every case will involve sufficient distress to warrant compensation, but it will now invariably be worth issuing a claim, or threatening to do so. The legal costs of defending DPA breaches will rise, and there will be an increased advantage to settling disputes promptly.

Should the matter proceed to trial, it also seems likely that there will be some useful developments on the approach to identification in the definition of personal data. For that, and any appeal by Google, we will have to wait and see.