The recent UK Court of Appeal Judgment in the case of Vidal-Hall v Google Inc. raises the spectre of the payment of monetary compensation for breach of data protection law – a spectre many thought had been laid to rest in Ireland by the Collins v FBD Insurances case.
The Vidal-Hall appeal involved three British individuals who claimed that Google collected private information about their internet usage via their Apple Safari browser without their knowledge or consent, and then made such information available as part of its commercial offering to advertisers. The claimants sought damages for anxiety and distress, but did not make any claim for pecuniary loss.
The Court of Appeal had a number of issues to consider, including the issue of whether the meaning of “damage” in section 13 of the UK Data Protection Act 1998 (the “UK DPA”) permits a claim for compensation without proof of pecuniary loss.
UK case law appeared to indicate that proof of pecuniary loss was required for compensation to be payable under section 13. In Ireland, the High Court case of Collins v FBD Insurances (which Google relied on as part of its defence) established that section 7 of the Irish Data Protection Acts 1988 and 2003 (the “Irish DPA”) did not give rise to an automatic right to compensation in the absence of evidence of actual loss or damage.
The Court of Appeal, however, upheld the decision of Tugendhat J in the UK High Court that there was a serious issue to be tried that the claimants’ claims for compensation under section 13 of the UK DPA did not require proof of pecuniary loss, and that therefore there was a good arguable claim for compensation under that section.
The reasoning of the UK Court in reaching its decision is interesting, and may have implications for Irish law in this regard. Any analysis of the decision in an Irish context must be caveated, however, by the following considerations: Vidal-Hall, being a UK Court decision, would not be binding on an Irish Court (although it may have persuasive authority); the ruling relates to an appeal on preliminary issues only, and as such, a full trial or further appeal could lead to a different outcome; and, finally, the wording of section 13 of the UK DPA is very different to that of section 7 of the Irish DPA.
Section 13 of the UK DPA provides, broadly, that a person who suffers damage as a result of a contravention of that act is entitled to compensation for the damage. It also provides for compensation for distress in certain circumstances. Section 7 of the Irish DPA states that data controllers and data processors owe a duty of care to data subjects, and provides for a remedy under the law of torts for breach of this duty of care. The general principles of the Irish law of torts require a person seeking compensation to prove loss or damage arising from the relevant breach.
In interpreting section 13, the UK Court of Appeal examined Article 23 of the EU directive which forms the basis of both the Irish DPA and the UK DPA (Directive 95/46/EC - the “Directive”). Article 23 requires Member States to ensure that any person who has suffered damage as a result of a breach of national data protection provisions is entitled to receive compensation from the relevant data controller for the damage suffered. The Court interpreted Article 23 in the context of the Recitals to the Directive, and in light of articles 7, 8 and 47 of the EU Charter of Fundamental Rights, and concluded that “damage” in Article 23 should be given its natural and wide meaning so as to include both material and non-material damage. The Court also noted that since the aim of the Directive is to protect privacy rather than economic rights, it would be “strange” if the Directive could not compensate individuals whose data privacy had been breached so as to cause them emotional distress (but not pecuniary damage), when distress was in fact likely to be the primary form of damage arising from such a breach.
In Collins v FBD, the Irish High Court examined Article 23 together with the Preamble to the Directive and Article 24 (which requires Member States to ensure suitable sanctions are laid down for breach of the Directive), and concluded that the Directive confines the obligation to provide for an entitlement to compensation to cases where a person can prove that they have, in fact, suffered actual loss or damage arising from a breach of their rights. It is possible, however (depending, of course, on the outcome of any full trial on the substantive issues), that in any future case relating to section 7 the Irish Courts will be urged to reconsider that section in light of Vidal-Hall.
Whatever the final outcome of Vidal-Hall, practitioners do not expect the issue of damages for breach of data protection to recede any time soon. In this regard, the Irish Data Protection Commissioner was reported as commenting, at a recent Data Protection conference, on the increasing number of civil law actions taken under section 7 of the Irish DPA, noting that such cases had generally settled pre-trial. It appears likely (and anecdotal accounts amongst practitioners suggest) that such settlements involved the payment of damages.
As such, whilst the current law according to Collins v FBD does not require the payment of damages without proof of economic loss, it appears that organisations in Ireland may, in fact, be paying out damages for such breaches. These developments, together with the Vidal-Hall case, underline the increasing importance for organisations of focusing on data protection compliance.