Skip to main content

The Data Protection Act - a 'distressing' development?

A recent case has opened the door for claims in cases where the individual has not suffered economic damage as a result of misuse of personal…

A recent case in the Court of Appeal has opened the door for individuals to claim compensation in cases where the individual has not suffered economic damage as a result of a misuse of personal information.

Under the Data Protection Act 1998, section 13(2) provides that individuals can claim compensation for data breaches that cause both distress and damage.  It had previously been held in the 2007 case of Johnson v Medical Defence Union that this meant that compensation would only be awarded where an individual could show economic damage as well as distress.  In that case, Lord Justice Buxton held that “There is no compelling reason to think that “damage” in the Directive has to go beyond its root meaning of pecuniary loss” and declined to entertain the Claimant’s suggestion of a wider interpretation of section 13(2) of the Act.  Accordingly, it has since then been understood that “damage” for the purposes of the Act was a wholly pecuniary concept.

However, in the 2015 case of Google Inc v Vidal-Hall and others, the Court of Appeal took an altogether different approach to the meaning of section 13(2) of the Act.  The case centred around the lawfulness of browser usage information being collected by cookies without the user’s knowledge or consent.  In its judgment, the Court of Appeal gave careful consideration to the interplay between the Act and Directive 95/46/EC (which the Act was intended to implement).  Article 23 of the Directive allowed for compensation for “damage”.  Although section 13(1) of the Act allows for compensation in the case of “damage” alone, where there has been distress it is necessary to establish both damage and distress in order for an individual to be able to claim compensation under section 13(2).  The Court of Appeal therefore held that section 13(2) of the Act could not be interpreted compatibly with Article 23 of the Directive.  Accordingly, section 13(2) of the Act was disapplied

As a result of the ruling in the Google Inc case, it now seems to be the case that an individual will be able to bring a claim for compensation solely on the basis of distress caused by a breach of the Act.  This is in turn likely to widen considerably the scope of those able to bring a claim and could potentially lead to a significant rise in the number of claims being made in the courts as opposed to being handled as complaints to the Information Commissioner.  Although permission to appeal to the Supreme Court has been refused, we will have to wait and see if the position as now set out in Google Inc remains as stated.  Data controllers therefore need to be aware of the potential impact of the Google Inc judgement and to take steps to ensure that the security levels applied to personal data are sufficiently robust to minimise the risk of any breach occurring.