A recent judgement of the English Court of Appeal may have opened the floodgates for claims of compensation following breaches of the Data Protection Act 1998 (DPA) which resulted in emotional distress to an individual, but didn't cause financial loss.
It can be difficult for individuals to sue companies which have infringed their data protection rights. Prior to the decision in Vidal-Hall v Google at the end of March, if they hadn't suffered direct economic loss then trying to bring an action was almost a non-starter.
The case has been widely reported, with much of the focus on the ruling at an earlier stage of the case that UK nationals can sue Google for DPA breaches in the UK courts, instead of having to do it in the US.
However, the case may have far more significant repercussions for companies – it is now far easier to be sued for breaches of the DPA and even more important that you are DPA compliant.
Section 13 of the Data Protection Act 1998 ("DPA") provides that an individual who suffers damage resulting from an organisation's breach of the DPA is entitled to compensation for that damage. Compensation may also be claimed in the event that the breach gives rise to distress as well as damage.
The courts have interpreted section 13 to only award compensation where an individual is able to demonstrate that he or she suffered financial loss in addition to distress. In other words, it has not been enough for the individual to prove that they suffered distress; financial loss is additionally required to trigger a successful claim for compensation.
The case of Vidal-Hall v. Google, in which the judgment was issued at the end of March 2015, represents a significant development in this area, potentially opening the floodgates to a litany of compensation claims for emotional distress following on from DPA breaches.
In that case, the English Court of Appeal considered whether individuals, whose private internet usage data was collected by Google via their Apple Safari Internet browsers using cookie technology without the individuals' knowledge and consent (and therefore in contravention of Google's stated practices), could claim compensation for breach of the DPA under section 13 of the DPA. The individuals had not suffered financial loss. The key issue was if "damage" within section 13 of the DPA was broad enough to cover non-financial loss, such as distress and emotional upset, and, if so, whether it was possible to successfully claim compensation for such "damage".
In interpreting "damage", the court referred to the EU Data Protection Directive (the "Directive") from which the DPA derives. The court examined the term "damage" and considered that it must be given its "natural and wide meaning so as to include material and non-material damage" within its scope. The court remarked that it would be odd if the Directive did "not compensate those individuals whose data privacy had been invaded ... so as to cause them emotional distress" but not financial damage. This was also at odds with the EU Charter of Fundamental Rights (the "Charter"). The court was of the view that the Directive did not make a distinction between emotional and financial damage. Following on from this, the court determined that the Directive had not been correctly transposed into UK law in the form of section 13 of the DPA.
The court therefore had to consider if it would be possible to interpret section 13 of the DPA in a manner consistent with the Directive so as to permit compensation claims for distress alone. The court determined that it was unable to do so, as it was clear that Parliament had intentionally delineated and limited the circumstances in which compensation could be claimed for distress. Given the central importance of the compensation provisions to the DPA as a whole, the court did not regard it as being within its powers to interpret section 13 of the DPA in a manner compatible with the Directive.
The alternative approach – and what the court favoured in the result – was to dis-apply section 13(2) of the DPA on the ground that it conflicted with the rights to privacy and data protection guaranteed by the Charter. By doing so, the court emphasised that compensation would be recoverable under section 13(1) of the DPA for any form of damage – not just financial damage – suffered as a consequence of breach of the DPA.
This represents a significant departure from the position to date where courts have awarded nominal damages of £1 for financial loss for the purposes of allowing compensation claims for distress to succeed. The decision in the Vidal-Hall case could potentially open the floodgates to claims of compensation for breach of the DPA in situations where individuals have suffered distress alone. While it is an English court decision and therefore not strictly binding on the Scottish courts, the fact that it is a decision of the Court of Appeal accords it significant weight in Scotland, and a Scottish court presented with a DPA breach case involving distress alone would be hard pressed to justify not paying due regard to and following the Court of Appeal's approach.
While the decision represents an important development for the DPA (unless Google is successful in its application to appeal the Court of Appeal's decision to the Supreme Court and the Supreme Court overturns the Court of Appeal's decision), the DPA is now in its elder years and is close to being retired in favour of a new DPA, which will be introduced once the EU has finalised its proposals for a new Data Protection law, expected later this year or early next year. If the drafts in circulation in 2014 are anything to go by, the new DPA will likely include an express provision permitting individuals to make compensation claims where the breach gives rise to emotional distress only without the need to provide additional financial loss.
In any case, Vidal-Hall claims for compensation under the DPA will not give rise to high pay-outs any time soon. Experience to date highlights that compensation payments have been low and are not perhaps reflective of the types of payouts that would be expected, particularly since, as the court noted in Vidal-Hall, distress is "often the only real damage that is caused by a contravention" of the DPA, rather than financial loss.
What to do next
If they have not already, organisations should ensure that they audit their DPA compliance to reduce the risk of compensation claims arising. Key to this is ensuring that the fair processing, data security and subject access provisions of the DPA are complied with.