Speed Read:

  • The Data Protection Act 1998 allows data subjects to claim compensation for breaches of the Act that cause distress, but only where the breach ‘also’ causes damage (s.13(2)).
  • In Johnson v Medical Defence Union, the Court of Appeal stated that this meant that compensation for distress would only be available where a claimant could also show pecuniary loss.  
  • Recent cases have started to erode this principle by awarding "nominal damage" of £1 so as to allow for a more substantial claim for damages for distress.
  • The Court of Appeal in Google Inc. v Vidal-Hall & Ors has ruled that s.13(2) should be disapplied. 
  • Directive 95/46/EC is concerned with protection of privacy, not economic rights: rights to compensation for ‘damages’ should be interpreted accordingly as covering moral damage, not just pecuniary loss.  The EU Charter requires effective remedies for breaches of EU law rights; UK courts must disapply conflicting provisions of national law to give effect to this. This means that s.13(2), which requires pecuniary loss, must be disapplied.
  • The Court also ruled that misuse of private information should be considered a tort, rather than an equitable claim for breach of confidence, and that there was an arguable case that the browser data Google collected was personal data.
  • It seems likely that claims under the Act will increase, but compensation is expected to remain modest.

The Safari claim

Apple’s Safari browser has default settings which block most third party cookies. This effectively prevents ad tech companies from obtaining information about browsing habits of Safari users, unless those users change the browser’s default settings.

In June 2013, a group of claimants issued proceedings against Google Inc in relation to the "Safari workaround". This allowed Google to collect information about the browsing habits of Safari users through cookies without the knowledge and consent of users and contrary to Google’s stated policy that such collection would only occur where a user had expressly allowed this tracking. (The same "workaround" has led Google to spend nearly $40 million in concluding settlements with the US Federal Trade Commission and actions brought by attorneys general of a number of US states).The claimants had been granted permission to serve proceedings out of jurisdiction. Google’s application to set this decision aside was rejected by Tugendhat J in Vidal-Hall & Ors v Google Inc [2014] EWHC 13 (QB).

Google appealed to the Court of Appeal. The Court of Appeal considered that there were four key issues. One of these issues was the meaning of ‘damage’ in section 13 of the Data Protection Act 1998 (the "Act") and – in particular - whether there can be a claim for compensation for distress where the individual does not suffer pecuniary loss. The Court's judgment can be found here.

The limited rights of the distressed

Section 13 does not refer to pecuniary loss, but states that claimants must have suffered ‘damage’ in order to claim compensation for distress.  The judgment of Buxton LJ inJohnson v Medical Defence Union[2007] EWCA Civ 262 establishes that:

"There is no compelling reason to think that "damage" in the Directive has to go beyond its root meaning of pecuniary loss"

As the Court of Appeal noted in Vidal-Hall, distress is "often the only real damage that is caused by a contravention". The need to show pecuniary loss has meant that successful reported claims under the Act have been few and far between. Since 2013, there has been a line of cases that have sought to limit the effect of this restriction by awarding nominal pecuniary damages, so as to open the door to an award for distress alone.  Halliday v Creation Consumer Finance Limited [2013] EWCA Civ 333, relating to disclosure of information to credit reference agencies, is a good example of this. In that case the defendant conceded that a nominal damage award was sufficient to allow for an award for distress.  The Court of Appeal has not previously had to consider whether the requirement for pecuniary damage as a precondition for an award for distress correctly implements the Data Protection Directive and is compatible with EU law rights.

The findings of the Court in Vidal-Hall – section 13(2) disapplied as an ineffective remedy.

The Court of Appeal held:

  • It was not bound by Buxton LJ's statements in Johnson v MDU. Buxton LJ concluded that the MDU had not breached the data protection principles; the remainder of his comments about damage were obiter dicta.  Some points in that judgment do cast doubt on this - these are ‘perhaps unfortunate.. but.. no more than that’.
  • "Damage" under Article 23 of the Data Protection Directive should be given a broad interpretation to include non-pecuniary damage, and should not be restricted by any pre-existing national understanding of the term damage - it would be " strange if the Directive could not compensate those individuals whose data privacy had been invaded... so as to cause them emotional distress (but not pecuniary damage)".
  • Although the Marleasing  principle requires national courts to interpret implementing legislation so as give effect to EU law, this does not extend to interpretations which would disregard the clear Parliamentary intent to limit the right to compensation for distress - that was "fundamental" to the legislation.
  • As the right to protection of personal data is protected in the EU Charter of Fundamental Rights, Article 47 of the Charter is also relevant. This requires member states to provide an effective remedy where EU rights are breached and requires courts to disapply any provision that conflicts with the right to an effective remedy, provided that the court does not have to redesign the fabric of the legislative scheme.
  • The Master of the Rolls concluded that "What is required in order to make section 13(2)compatible with EU law is the disapplication of section 13(2), no more and no lessThe consequence of this would be that compensation would be recoverable under section 13(1) for any damage suffered as a result of a contravention by a data controller of any of the requirements of the [Act]"

What does this mean for the future of data protection claims?

The requirement for claimants to prove ‘pecuniary loss’ has meant that most UK cases where  personal information has been misused have been brought as ‘informational privacy cases’ relying on claims for breach of privacy; breaches of the Data Protection Act have been included for the sake of completeness, but have not been centre stage. Now that the Court of Appeal has effectively removed the barrier to claims for distress alone, we would expect this to change.

In some cases, this may make little difference – as the Court of Appeal noted "if a case is not serious in terms of its privacy implications, then that by itself is likely to rule out any question of recovery... for mere distress."  However, in some cases, the ability to point to specific breaches of the more detailed statute may be simpler than preparing arguments as to why an individual had a "reasonable expectation of privacy" and why disclosure is not justified.  Claims for ‘misuse’ of private information also tend to focus on improper publication or disclosure of data and there are some breaches of the Act that would not easily lend themselves to this type of claim: for example, a failure to ensure data is accurate.

In terms of quantifying potential compensation, it is important to note that previous awards for distress have been relatively low.  In Halliday, Arden LJ held that it was "not the intention of the legislation to produce some kind of substantial award" and the Court of Appeal inVidal-Hall had no expectation that the claims for misuse of information or under the Act could achieve any more than "relatively modest" awards. Whilst controllers may be nervous at the prospect of increased data-subject litigation, they may take some comfort from this comment.

What else did the Court of Appeal consider?

The Court concluded that misuse of private information is a tortious claim. This was important, as the claimants required leave to serve their claim on Google Inc in California, and the relevant court procedural rules only allowed for leave to be granted where the claim is made in tort. (Google had argued that claims for misuse of private information were equitable claims, not tortious).

The Court was also asked to consider whether the browsing data collected by Google amounted to ‘personal data’ – either in all cases, or in those cases where Google held additional data about the browser (such as Gmail account data).  

The arguments submitted by the parties (and by the Information Commissioner, who intervened in the case) included debate as to whether data would be identifiable if it did not contain a name, but contained other unique reference numbers or characteristics; whether data could be personal if the data could possibly relate to multiple users and whether data would be personal if persons other than the immediate controller held the identifying information. There was extensive reference to Article 29 Working Party Opinions and the position of the draft General Data Protection Regulation on these topics.

The Court of Appeal also looked briefly at the Common Services Agency case on disclosure of statistical health data under freedom of information legislation.   The Court of Appeal noted that ‘each [of the parties] say that the case supports their argument. However, none of the parties is able to say with any confidence precisely what the case decides on points that are material here… ‘The case is notoriously difficult and those who have struggled with it will probably sympathise with all of the parties (and seemingly the Court of Appeal) on this.

The Court of Appeal concluded that it did not have to determine these points. It did, however, conclude that there were serious issues as to the law and the facts which should be determined at a full trial.

Finally, Google invited the Court to strike out the claims as an abuse of process – on the grounds that the claimants did not stand to achieve anything of value in the claims and that, given this and the high costs of dealing with the case (Google put its costs to date at £1.2 Million) should it go to trial, it should be struck out. However, the Court had no difficulty in rejecting this noting that ‘the damages may be small, but the issues of principle are large’