A recent Court of Appeal decision has changed the rules on compensation for data protection breaches, so that compensation may be awarded for a breach even if no financial losses have occurred. This will have implications for many businesses, including the travel industry and those who control and hold customer data.
The case of Google Inc v Vidal-Hall, Hann and Bradshaw was decided at the end of March 2015. It was a case concerning Google’s alleged collection of private information (Browser-Generated Information (BGI)) from the Claimants’ internet usage and Apple Safari browser. ‘Cookies’ collected data from their browser, which was used to provide targeted advertisements on their screens, based on their interests and usage. These advertisements revealed confidential information about the Claimants, and could possibly be seen by third parties. This was contrary to Google’s public policy that express consent would be required before BGI could be collected and used.
The Claimants took legal action and alleged misuse of private information, breach of confidence and breach of the Data Protection Act 1988 (DPA) by Google. They claimed that their ‘personal dignity, autonomy and integrity’ were damaged, and so claimed damages for anxiety and distress, as well as damages under section 13 of the DPA for damage and distress. They had not suffered financial losses and so were unable to claim for pecuniary loss.
Issues arose as to which court had jurisdiction, as Google is a corporation registered in Delaware, USA, and its principal place of business is in California. It was decided that the English Courts had jurisdiction, although there were issues regarding service of the Court papers.
On appeal four issues were raised and considered by the Court of Appeal:
- Whether misuse of private information is a tort (which would have implications as to whether service could be made on Google outside the jurisdiction);
- The meaning of damage under section 13 of the DPA, and whether there can be a claim for compensation without pecuniary loss;
- Whether there is a serious issue to be tried that the BGI is ‘personal data’ under the DPA and so justifying service out of the jurisdiction; and
- Whether in relation to the claims for misuse of private information and under the DPA there is a real and substantial cause of action, so that the Court should exercise its discretion for service out of the jurisdiction.
Looking in detail at the first two issues:
1. Misuse of private information
The Court decided that misuse of private information is a tort, for the purpose of the rules providing for service of proceedings out of the jurisdiction. This means that the Claimants were able to remedy their civil wrong in the English Courts. The status of tort also means that damages can be awarded as a right rather than as a discretion.
2. The meaning of damage, and compensation without pecuniary loss
The wording of section 13(2) of the DPA requires a Claimant to have suffered pecuniary (financial) loss before they can recover any compensation for distress. The Court considered whether this was compatible with EU legislation, specifically Directive 95/46/EC (‘the EU Directive’), which refers to the processing of personal data and the free movement of such data. Article 23 of the EU Directive addresses compensation when a ‘data controller’ contravenes the Directive and, unlike section 13 of the DPA, does not distinguish between pecuniary and non-pecuniary damage. There was an incompatibility between the DPA and the EU Directive regarding the types of compensation which could be awarded for a breach. This meant that the DPA was not fully implementing and endorsing the objectives of the EU Directive, which were to protect the rights and freedoms of individuals regarding the processing of their personal data. As a result, the Court decided that the Claimants would not have an effective remedy if it endorsed the meaning of section 13 of the DPA.
However, because there was a breach of the Claimants’ rights, Article 47 of the EU Charter of Fundamental Rights (‘the Charter’) would have an effect in this case. Article 47 provides that everyone whose rights have been violated has a right to an effective remedy for that violation. These rights include the right to privacy under Article 7 and data protection rights under Article 8 of the Charter. The Court concluded that, if the requirement for pecuniary damage in section 13(2) was enforced, the Claimants would not have an effective remedy for the breach. Section 13(2) was therefore incompatible with Article 47 of the Charter, and so the Court was compelled to disapply it on that basis.
Implications of the Court’s decision
Section 13 of the Data Protection Act 1988 will now be interpreted to mean that, when a claim is made for a breach of the data protection laws, claimants can claim under this section for both pecuniary and non-pecuniary losses. This means that, even if a claimant has not suffered financial losses, they can still claim for damages relating to their anxiety and distress, which was caused as a result of the breach.
For companies and businesses that hold private customer data, including credit card information and other private data, this decision has important implications. Whilst most businesses implement good data protection policies and processes, they should be even more careful now and ensure that those policies are regularly reviewed and improved. It is likely that more claims will be made as a result of any data protection breaches, particularly now that claimants can claim for both financial losses and emotional distress. Claims may be far more costly to businesses.
All businesses that hold and deal with customer personal data should now review and improve their data protection policies. Travel agents in particular, as they hold a large amount of personal data, will need to look at how they handle this data and what else they can do to prevent breaches or errors which could be even more costly.
If you would like to discuss this further, please contact Mayo Wynne Baxter.