The recent decision by the Court of Appeal in Google Inc v Vidal-Hall EWCA Civ 311 may have significantly changed the face of Data Protection.
The wording of Section 13(2) provides that a claim can be brought where a breach causes "damage and distress", and the Courts have to date interpreted damage as requiring some pecuniary loss. The Court of Appeal, however, determined that there is no longer any need to demonstrate that a breach has caused financial loss.
The decision of the Court of Appeal in Vidal-Hall, however, states that there is no requirement under Section 13 for financial loss to be suffered before a claim can be made. Accordingly, it now appears that it will be possible for a Claimant to bring a claim for compensation where a breach of the DPA has caused them distress.
The Court of Appeal considered that the way in which the DPA had previously been interpreted was incorrect and was in conflict with the EU Charter of Fundamental Rights. The Court considered that the wording of Section 13 should be given a wide meaning so as to include both material and non-material damage. As a result, if an individual can demonstrate that a breach of the DPA has caused them distress, they will be entitled to bring a claim under Section 13. The removal of the requirement for pecuniary loss therefore dramatically widens the scope of those individuals who would be entitled to bring a claim.
This decision has widespread implications for all data controllers and changes the way in which the Data Protection Act will be enforced. Those data controllers processing sensitive personal data will be particularly at risk given the nature of the data they hold and the likelihood of distress in the event of a breach. In particular, this decision could have severe implications for those working in the health sector, particularly given the ICO's concerns about DPA compliance in the sector generally and the likely distress caused if any health data were to be lost.
Furthermore, where a data breach involving thousands of individuals occurs, this may now result in thousands of small claims for breaches of the DPA being lodged in the Courts.
The Court in Vidal-Hall also determined that a breach of the DPA was a tort. This decision may well therefore lead to a number of further challenges in relation to Section 13, including issues relating to vicarious liability.
The Information Commissioner has been trying to drive forward improved compliance with the DPA over recent years, and this decision has significantly shifted the power in favour of data subjects in being able to enforce their DPA rights. Google were refused permission to appeal to the Supreme Court, but it remains to be seen whether they will seek permission to appeal in order to clarify the issues within the Judgment, given the particular importance to them of cyber security. Unless and until the matter reaches the Supreme Court, all data controllers need to be aware of this change in the law and must do all they can to ensure that DPA compliance is prioritised, given the significant extra risk that a breach of the DPA now holds.