Data Protection - Expect an increase in claims
A recent case against internet giant, Google, has paved the way for a substantial increase in the number of claims brought by individuals whose personal data is collected or processed unlawfully.
In the past, a claim could only succeed if the claimant had suffered pecuniary loss. Distress by itself was insufficient. The Court of Appeal has now ruled that the Data Protection Act (DPA) was primarily designed to protect privacy and not economic rights and, therefore, data subjects should not be precluded from claiming compensation for an invasion of their privacy rights merely because they had not suffered a pecuniary loss. Businesses should be aware of the changes. The value of compensation claims is likely to be small but the data controller’s main defence has now been taken away.
The circumstances of the Google claim are reasonably confined to their own facts – the judgment has arisen as a result of Google unsuccessfully appealing against the claimants being granted permission to serve outside of the jurisdiction. However, the wider implications of the judgment could be far reaching.
Facts
Through litigation in the United Stated it has become known that Google has been collecting information about the internet use of Safari (Apple’s internet browser) users though cookies. This is known as browser-generated information (BGI) and is used by Google to assist in targeting advertising.
Safari users had not given their consent to the collection of BGI and the claimants claimed for misuse of private information, breach of the DPA and damages under section 13 of the DPA.
Section 13
Under section 13 (1) an individual who suffers damage due to a breach of the DPA by a data controller is entitled to compensation. However, under section 13 (2) (a) an individual who suffers distress due to a breach of the DPA must also suffer damage to be entitled to compensation. In Johnson –v- Medical Defence Union [2007] EWCA Civ 262 it was held that damage under section 13 amounted to pecuniary loss. In other words, an individual could not recover compensation for distress unless they also suffered pecuniary loss.
The DPA was introduced in order to give effect to Article 23 of the Data Protection Directive (95/46/EC). Article 23 does not contain any such requirement in relation to pecuniary loss.
In Google the court held that the word “damage” in Article 23 had to be construed widely having regard to the underlying aims of the legislation. It held that the DPA was primarily designed to protect privacy and not economic rights. Individuals should not be precluded from claiming compensation for an invasion of their privacy rights merely because they had not suffered a pecuniary loss.
The court held that Johnson was wrong and not binding. Additionally, it held that section 13 (2) must be disapplied.
What does this mean?
The requirement to have suffered pecuniary loss as well as distress meant that relatively few DPA claims were pursued. This could all change. The compensation levels are likely to be fairly small and not all breaches will give rise to a right to compensation but the number of claims is expected to increase. The costs of defending such claims is likely to be prohibitive and settlements based on commercial convenience are likely. Of course, data controllers should seek to avoid claims in the first instance by ensuring that their use of personal information does not breach the DPA.
Posted on 05/06/2015 by Ortolan