When the levee breaks
By Tim Smith
A Court of Appeal decision may have blown open the floodgates in data protection claims, with potentially dramatic consequences, says Tim Smith
In 1998, when the Data Protection Act (DPA) came into force, many thought that it would primarily be a concern for credit reference agencies and companies engaged in mass marketing. It has now become clear that the Act extends much further than initially thought.
The Act is a complex piece of legislation which is hard to navigate. This, together with its onerous requirements, can make compliance a challenge. Comfort was offered to organisations by section 13, which stipulates that it is necessary for the claimant to have suffered damage before a claim for compensation can be made for a breach of the Act.
On the face of it, the meaning of this provision is extremely clear, and for the first 15 years the Act was in force the courts regularly dismissed claims for compensation for distress caused by a breach of the Act, on the basis that no damage had been suffered.
That position appeared to shift last year when, in a number of cases, the Court of Appeal circumvented the effect of section 13(2) by awarding nominal damages of £1 for breaches of the Act, following which it then made substantive awards for distress. This potentially set a precedent for other awards. However, there was some hope that this would not be the case as each of the three cases which had come before the Court of Appeal had relatively unique facts.
Emotional distress
Any doubt about how the courts will approach these matters has now been dismissed by Vidal-Hall, Hann and Bradshaw v Google Inc.
In essence, the court has now completely removed the need for any damage to have been suffered before a claim for distress can be pursued. In this case, the Court of Appeal was asked to determine whether, under section 13 of the Act, there could be a claim for compensation where no financial loss had been suffered.
The claim concerned the operation of what was referred to as the ‘Safari workaround’. The essence of the complaint was that Google collected private information about the claimants’ internet usage through the Safari browser without the claimants’ knowledge and consent. Cookies collated ‘browser generated information’ (BGI), which was used by Google as part of its commercial offering to advertisers.
The BGI allowed advertisers to place advertisements targeted or tailored to the claimants’ interests on the screens of the claimants’ devices. This, in turn, revealed private information about the claimants which was (or might have been) seen by third parties. The collection of the data was contrary to Google’s publicly stated position that this would not happen to Safari users unless they had expressly allowed it.
An interesting technical question arose as to whether misuse of private information was a tort (a prerequisite for an order for Google to be served out of the jurisdiction). However, the potentially more important issue was the meaning of ‘damage’ in section 13 of the Act.
The court accepted that on a literal interpretation of section 13 the claimants were not entitled to recover damages because their claims did not fall within either section 13(2)(a) or 13(2)(b).
The claimants in Google argued that the approach taken in the legislation and the cases that had followed was incorrect. The legislation was based on an underlying European directive (Directive 95/46/EC). The claimants argued that the directive was not as limited as the Act, and that accordingly the Act failed to properly implement the directive.
The initial challenge for the court was that it had already considered this issue in Johnson v Medical Defence Union, where Lord Justice Buxton had said that there was ‘no compelling reason to think that “damage” in the directive has to go beyond its root meaning of pecuniary loss’ and where a claim for distress was dismissed on the basis that no financial loss had been suffered.
The Court of Appeal neatly overcame this by saying that Lord Justice Buxton’s comments were ‘not necessary for his determination of the [previous] appeal’ and were obiter. The court in Google accordingly decided that it was not bound by the Johnson decision.
European law
The Court of Appeal then looked at how the European Court of Justice (ECJ) had dealt with defining the term ‘damage’ in other cases. It noted that in relation to package travel the court had provided a right to compensation for non-material damage. The court said that taking the same approach to the construction of the directive in relation to data protection meant that ‘damage’ should include both material and non-material damage.
The court said that since the directive was seeking to provide protection for privacy rather than economic rights, it would be strange if it could not compensate individuals whose privacy had been invaded in circumstances where they were caused emotional distress but not financial loss.
In cases involving invasion of privacy, it was distress which was the primary form of damage, and the court felt that an individual should have an effective remedy in respect of that damage.
The court noted that the enforcement of privacy rights under article 8 of the European Convention on Human Rights had always permitted recovery of non-financial loss.
The Court of Appeal found that a restrictive interpretation of ‘damage’ would substantially undermine the objective of the directive.
The only comfort it provided to data-processing organisations was that ‘if a case is not serious in terms of its privacy implications, then that by itself is likely to rule out any question of recovery of compensation for mere distress’.
The court took the view that, in the circumstances, ‘if interpreted literally, section 13(2) has not effectively transposed article 23 of the directive into our domestic law’. The question that arose as a result was whether the court had to try to interpret section 13(2) in a way which was compatible with the directive. The court could not interpret legislation in a way that would distort or undermine an important feature of the legislation.
The first issue was therefore whether parliament had deliberately limited the right of compensation. The court felt that it must have done so. As section 13 was a central feature of the Act, and the limit set by parliament to the right to compensation was a fundamental feature of the legislation, the court was not in a position to interpret section 13(2) in a manner that was compatible with the directive.
As a result, the court had to go back to first principles. The EU Charter provides for a right to an effective remedy and a fair trial under article 47. The ECJ has stated that where there is a breach of a right under EU law, article 47 is engaged, and that insofar as a provision of national law conflicts with the requirement for an effective remedy the domestic courts can (and must) disapply the conflicting provision (the only exception being where to do so would require the court to redesign the fabric of the legislative scheme).
The court said that ‘what is required in order to make section 13(2) compatible with EU law is the disapplication of section 13(2) no more and no less. The consequence of this would be that compensation would be recoverable under section 13(1) for any damage suffered as a result of a contravention by a data controller of any of the requirements of the DPA. No legislative choices have to be made by the court.’
Dramatic consequences
That is exactly what the court has done.
The consequences are potentially dramatic.
From now on, every time there is a breach of the DPA (for example, where data is lost or stolen, where it is used for purposes that may not have been initially envisaged, or where it is retained for longer than it should have been) there will be a potential claim for damages.
Many of the data breaches we see involve the data of large numbers of individuals. In theory, each of these individuals will now be entitled to pursue a claim. The only defences will be (i) the statutory defence that reasonable care was taken in relation to the data concerned (which is often extremely difficult to establish where there has been a breach), or (ii) that the breach is not serious in terms of its privacy implications (which will be hard to demonstrate where the information is financial, relates to health, or involves serious allegations).
This case dramatically increases the exposure of any organisation that holds or processes information to claims for damages, and the possibility of group actions now seems even higher than it was before. The importance of ensuring that proper data protection policies and procedures are in place, of training staff, and of obtaining appropriate insurance cover could not now be greater. The floodgates seem to have been opened and it may now simply be a matter of waiting until the claims arrive.
Tim Smith is a partner at BLM