A NEW THREAT FOR DATA CONTROLLERS: DATA PRIVACY COURT CLAIMS
Claiming compensation for distress caused by breaches of data privacy law has never been easier.
When we all prepared for and reacted to the GDPR coming into force, our main fear was ICO penalties. But an additional, and very real, threat is on the horizon: a series of English court claims has rendered it easier than ever for people to recover monetary compensation in court for distress caused by a breach of data privacy law.
Surely not many private individuals can afford legal fees to bring a court claim against us?
The recent landmark case of Lloyd v Google (1) makes it a lot easier for an individual to bring a claim on behalf of a represented group. The court gave permission for Lloyd to bring a US-style “class action” against Google in the English courts on behalf of 4 million iPhone users. He alleged that Google dropped cookies on their phones without obtaining consent, seeking a uniform amount of damages without having to prove damage to each individual, significantly reducing the complexity and cost of the claim.
If a breach of data privacy law affects a group of people, individual claimants may feel emboldened to lead a coordinated group claim or bring a wider representative action. In turn, lawyers are more likely to take on that claim for prospective fees contingent on compensation being awarded.
Is there any legal basis to bring a claim for something as general as “distress”?
Yes, and it’s not a high threshold. Article 82 GDPR allows individuals to bring a claim for non-material damage suffered due to a defendant’s contravention of the GDPR. The ICO’s guidance clarifies that this includes distress (2).
In addition, in Vidal-Hall v Google (3), the Court of Appeal held that damages could be awarded for distress and anxiety, even if no financial loss had been suffered.
In TLT v Secretary of State for the Home Dept. (4), a court awarded damages even for fears which were not rational or developed: damages were awarded for the immediate shock of finding out about the breach of data privacy law, and the loss of trust in the offending organisation (and organisations of its type).
But how can a court quantify distress?
In TLT, awards between £2,500-£12,500 were made for 6 asylum seekers whose information was inadvertently published on the Home Office website for 24 hours. The court used the English legal guidelines for quantifying damages for psychological or psychiatric damage suffered in personal injury claims (5) , and held that these should be used as helpful, if not necessarily conclusive, guidance in data privacy distress claims.
Some of these guidelines cause concern:
– If the breach involves special category, or otherwise sensitive, personal information, the more likely (and higher in value) an award.
– Otherwise mundane circumstances can be rendered distressing by applicable circumstances, for example, an individual feeling persecuted or targeted.
-You take your victims as you find them: if a claimant has a pre-existing condition which exacerbates their distress, then the measure of damages will increase exponentially.
How can an individual prove that they have suffered distress?
In Lloyd, the court held that damages are, in principle, capable of being awarded without having to even prove that distress was suffered. Damages can be awarded to compensate an individual for an organisation causing them to lose control of their personal data, in and of itself. The court reasoned that it is well established that personal data has value, so its loss must be capable of valuation.
What does this mean for us?
Think of common contraventions of data privacy law which might cause people distress, such as:
– data security incidents, like unintended loss or disclosure of financial details or criminal hacks;
– badly handled or excessively delayed subject access requests;
– personal information retained for excessive time with no justification; or
– personal data being used in ways which individuals don’t expect or understand.
Your data privacy law compliance structure should be as robust as possible to prevent contraventions and to make it more difficult for claimants to argue that you breached data privacy law.
1:  EWCA Civ 1599
3:  EWCA Civ 311
4:  EWHC 2217 (QB)
5: Found in Gulati v MGN Ltd  EWHC (CH)
If you enjoyed this edition of Essentials, please subscribe to our new update: Big Data
Big Data will keep you up to date with all relevant developments in data privacy law, including the UK’s future relationship with the GDPR, ICO decisions and guidance and its impact on technological developments.
This update is for general purposes and guidance only and does not constitute legal or professional advice. You should seek legal advice before relying on its content. This update relates to the prevailing circumstances at the date of its original publication and may not have been updated to reflect subsequent developments. If you have general queries about our updates, please email: firstname.lastname@example.org