Previously, for an individual to bring a claim for distress under the Data Protection Act 1998 (DPA), the individual must have also suffered financial loss. This has meant many individuals have struggled to meet this criterion because as noted by the Court of Appeal in the recent case of Google Inc v Judith Vidal-Hall and others, distress is “often the only real damage that is caused by a contravention.”
In this case, the claimant’s claimed ‘anxiety and distress’ as a result of the capture of their web browsing habits, without their knowledge or consent, through the placing of cookies on Apple Safari browsers. This allowed Google to offer the information collected to advertisers in order for them to select advertisements targeted or tailored to the claimants’ interests. The tracking and collation of the claimants’ browsing information was contrary to Google’s publicly stated position that such activity could not be conducted for Safari users unless they had expressly allowed it to happen.
Although the Court did not rule on whether the claimants had suffered ‘damage’, it held that ‘damage’ did not have to involve monetary damage. It remains to be seen what amounts to non-monetary damage. However, this ruling means that it is no longer a requirement to have suffered pecuniary loss in order to gain an award for compensation under the DPA and may potentially open the floodgates by lowering the threshold for compensate claims under the DPA.
Compensation provisions in the DPA apply to breaches of any requirement of the DPA. Businesses are now encouraged to examine their processes and procedures to ensure compliance with the current law. For example:
- Are you required to notify the Information Commissioner’s Office if you are using personal information?
- Are you telling individuals if their personal data is being used for marketing purposes?
- Are you keeping personal data up-to-date?
- Are you dealing with subject access requests correctly?
The Court in Vidal-Hall confirmed that claims for breach of the DPA under section 13 would involve “relatively modest” sums in damages. However, it is important to note that major data breaches or privacy intrusions could potentially lead to group litigation claims where each individual claimant is awarded a relatively small amount in compensation, could amount to a substantial sums for any organisation. Reputational damage suffered by having to defend a claim is also a concern for organisations.
It should be noted that this appeal was on preliminary issues. A full trial and any subsequent appeal (or appeals) may lead to a different outcome. However, this case and the looming Data Protection Regulation which is expected to be finalised by the end of the year are two good reasons for organisations to review the current processes and procedures they have in place for handling personal data.