Emily Carter considers the increasingly serious consequences of breaching the Data Protection Act 1998 (‘DPA’), including the new provision for compensation claims for distress following the Court of Appeal’s recent decision in Google Inc v Vidal-Hall and others EWCA Civ 311.
The stakes have always been high …
All regulatory bodies deal with quantities of personal, and often sensitive personal data, belonging to regulated individuals, witnesses and other individuals whose personal data may be relevant evidence in regulatory proceedings. Small errors can lead to serious data protection breaches. In an environment of increasing focus upon data protection, it goes without saying that all regulators need to take great care handling personal data from gathering initial evidence to the conclusion of regulatory proceedings.
The consequences which may follow breach of data protection obligations are varied, and potentially serious. The Information Commissioner has shown he is ready and willing to take enforcement action, and in extreme circumstances, to bring criminal proceedings with respect to mishandling of personal data. In the last six months, the ICO has taken enforcement action against the Serious Fraud Office and Treasury Solicitors, both with respect to the processing of evidence.
Alongside enforcement action, section 13 of the DPA entitles any individual who has suffered damage by reason of any contravention of the DPA to compensation from the relevant organisation. Until now, section 13 has prevented an individual who has suffered distress from being awarded compensation unless they have also suffered damage (other than in particular cases involving journalistic, artistic or literary material). This has meant that compensation has only been available where there has been direct financial loss from the breach.
Whilst there is no central record of claims brought, or awards made, under section 13 DPA, common sense suggests that these are infrequent given that the most usual consequence of the improper processing of personal data will be distress. Therefore, civil claims have provided little effective remedy to individuals, or deterrence for organisations. This is likely to change.
And they have just got higher
Despite the clear wording of section 13, the courts have recently adopted a pragmatic work-around to the prohibition. In 2013, the Court of Appeal accepted in Halliday v Creation Consumer Finance Ltd [2013] EWCA Civ 333 that “nominal” damages were sufficient to enable the courts to make an award for distress under section 13. It awarded nominal damages of £1 and compensation for distress of £750. Following this precedent, the Court of Appeal most recently made a nominal award to enable it to award compensation for distress in the sum of £2,250 in AB v Ministry of Justice EWHC 1847 (QB). The Court of Appeal went a (big) step further in March this year in Vidal-Hall by re-writing section 13 entirely.
In summary, three individuals sued Google for breach of the DPA with respect to the retention and use of Safari browser information without their knowledge or consent. This data was used by Google to enable advertisers to provide tailored advertisements to Google’s customers. In line with the purpose of the 1995 Data Protection Directive which underlies the DPA, the court interpreted article 23 of the Directive to allow compensation for invasion of privacy as well as economic loss. It concluded that this requirement had not been effectively transposed into section 13 DPA. Given that data protection rights are enshrined within the EU Charter of Fundamental Rights, the court had access to the remedy available under the Charter, namely disapplying section 13 insofar as it was incompatible with the Charter.
The Court gave short shrift to Google’s contention that the allegations were not sufficiently serious or the damages sufficiently significant for it to intervene. Rather, it held that the data being collected by Google was extremely confidential and confirmed that the claimants could be awarded compensation for distress alone.
Google has applied for permission to appeal to the Supreme Court. However, the Court of Appeal’s approach to section 13 is in line with the draft EU Data Protection Regulation (expected to be adopted in 2016), which enables damages to be awarded for non-financial loss. Irrespective of the Supreme Court’s decision, it seems inevitable that the door will be opened to claimants making compensation claims for distress.
And what this means for regulators
Whilst the small number of section 13 awards for distress made to date have been relatively modest (especially when compared with the far greater monetary penalties imposed by the ICO), a single breach may give rise to a number of claims.
The good news is that section 13 does not impose strict liability for breach of the DPA. Rather, there is a defence where an organisation has taken “such care as in all the circumstances was reasonably required to comply” with the relevant requirement of the DPA. Whether the care taken was reasonable in the circumstances will depend upon the nature, likelihood of occurrence and consequences of the risks identified. Demonstrating reasonable care was taken will depend on thorough risk assessments having been undertaken, policies put in place and staff regularly trained.
Therefore, whilst the stakes only increase, there are clear steps that an organisation can take to reduce the risk of breach – and to ensure it is ready to respond to either the ICO or an individual in the event of breach of the DPA.