This note discusses the implications of the recent case in the Court of Appeal, Google Inc v Vidal-Hall & Ors, highlighting an interesting development in the discussion around how businesses should value personal data.

BACKGROUND

Much has been written in the last two years about the proposal for a new EU Data Protection Regulation. As that proposal continues its tortured legislative progress with no great certainty as to when, and in what form, it will emerge, certain key concepts from the proposal have gained traction in the ongoing debate. These include:

  • mandatory breach reporting;
  • the possible levels of fines;
  • the need for express consent for data use; and
  • restrictions on profiling.

Businesses are necessarily concerned about the impact of yet more regulation and risk to manage and whilst each of these concepts has the opportunity to provide enterprise benefit, they can also stifle opportunity and development. For now, at least, we are left in limbo to read only of numerous predictions as to what the law will in fact look like.

RECOGNISING THE POSSIBILITY OF DISTRESS

The Google Inc v Vidal-Hall & Ors case concerned in part the opportunity for an individual to claim damages for distress arising from the loss of personal data. The English law implementation of the existing Data Protection Directive had imposed a hurdle to those claiming to have suffered distress from data loss, in that they first had to prove some actual damage arising from the breach. In 2013, in the case of Halliday v Creation Consumer Finance Limited, the Court of Appeal found a way to circumvent this by awarding nominal damages  of £1 to a claimant, in order to enable the Court to also award £750 compensation for distress.

To coincide with the wait for the new Data Protection Regulation, the exponential interest in cyber-security has arisen, which necessarily (but not wholly) overlaps with the data privacy debate.

The scope of discussion about cyber-crime is broad-ranging as it concerns the transfer of criminal activity into the digital arena: until recently, many would have thought that the need to spend a long weekend in Hatton Garden had been more permanently exchanged for the comfort of an armchair and a lap-top in

an extradition-lite jurisdiction. But the value of data, and more specifically personal data, makes it a high risk asset in respect of which proportionate security measures must be taken. The loss of personal data does not always cause direct damage, but the consequences for individuals trying to recover from the loss by a business of their personal data can be far-reaching.

Commentators (including the author) had for many years  criticised the rationale of data privacy laws which had no effective enforcement regime. Helpfully, that position has evolved to the point where the Court of Appeal in this latest case has decided that the legal requirement for actual damage to have occurred before compensation damages can be awarded is an incorrect implementation of the existing EU Data Protection Directive and should be ignored. The result in this case is consistent with the tone of the proposed Data Protection Regulation: personal data is a valuable asset. It is loaned by individuals to businesses to enable those businesses to process it for a specific purpose, but the

time for a relatively casual attitude to the right to profit from that data use is nearing an end. The need to treat that data with much greater care than has hitherto generally been the case will be demonstrated by regulators and authorities on an ever-increasing basis.

IMPLICATIONS

The position in Google Inc v Vidal-Hall & Ors is subject to any appeal to the Supreme Court, but for now, why and how does it matter?

  1. Lawyers rightly and consistently point out data privacy risks in both an operational as well as transactional context, but one of the reasons that they have traditionally downplayed the potential liability exposure of breach is on the basis that damages for distress have only ever been available under very limited circumstances. The recent  rise in the ICO’s fining powers to £500,000 has elevated the seriousness with which data privacy matters are now treated. However, if the somewhat modest sum of £750 handed out in Halliday is a benchmark award to a claimant, then some simple mathematics based on the number of affected individuals in an “average” data breach could see the consequences of a widespread data loss create a clearly significant liability; some of the more catastrophic data losses by both government and private sector have related to multiple millions of individuals. It may be alarmist to talk of such extreme numbers, but the current direction of travel means that the issue of data loss liability will need to be viewed through an adjusted lens.
  2. The natural consequence here for deal-doers is that requests for indemnities in the context of arrangements affected by data protection rules will rise, and the opportunity to argue that such indemnities should sit within a liability cap will significantly lessen.