The Supreme Court will decide, probably next year, on whether damages can be awarded for distress, but not necessarily financial loss, arising as a result of a data protection breach. Permission has been given to Google to appeal against a judgment of the Court Appeal [1] that claims brought by individuals following a data protection breach could proceed even though the individuals concerned had suffered no financial loss.

The Supreme Court ruling is also likely to analyse whether behavioural data collected by cookies is protected personal data for the purposes of UK data protection legislation. This should be of interest to businesses in the food and drink sector, for whom the use of data analytical tools is becoming increasingly central to marketing activities.

The use of advanced technology in the food and drink sector

The use of advanced technology and data analysis is becoming a fact of life throughout the food supply chain, though nowhere more so than with the big food retailers. For example:

  • The use of in-store cameras to monitor customer activities can provide information that can be analysed to enhance future sales. For example, whether a product is not attracting sufficient attention and needs to be repositioned, whether a product is being picked up and put down – maybe suggesting a problem with the packaging – and whether certain parts of the store are attracting more footfall at certain times of day.
  • Restaurants and cafés habitually offer free wifi. This involves the customer providing their name, email address and often phone number, all of which is personal data.   
  • Loyalty cards, of course, provide a mass of data that can be analysed. The data can be used at a generic level, for example, to track seasonal fluctuations, but also at a very personal level – what food is customer X buying and when is he or she buying it (or not buying it)?  Consequently, highly personalised marketing can be undertaken. This can be combined with the use of location data so that stores can send text messages to their shoppers as they wander around the store.
  • The use of cookies and similar tracking devices on websites serves a similar function, enabling buying habits to be scrutinised.  Other advanced technologies are heading our way such as facial scanning. Although not yet commonplace it could be used to determine the gender and age of a viewer and, when used in conjunction with location data, could be a powerful weapon for food and drink retailers looking to market in a highly targeted way. 

The data protection implications

Understandably businesses are more concerned about how to get the best from cutting edge technology rather than more prosaic issues such as compliance with data privacy laws. The point was made forcibly by the Information Commissioner's Office (ICO) in guidance published in December 2013 highlighting the data protection issues that should be addressed by developers of apps.

"Personal data" is defined in the Data Protection Act 1998 (the DPA) as data that relates to an identifiable living individual.  "Identifiable" means that the individual can be identified from that data, either alone or in combination with other information. Not all marketing methods using advanced technology will be capable of being classified as "personal data" in isolation. However, if any data, in combination with other information, can lead to an individual being identified, this will make the information "personal data".

The DPA sets out how organisations may use personal data, including, for example, that it must be processed fairly and lawfully in accordance with conditions specified in the DPA and that the organisation must maintain appropriate technical and organisational measures to safeguard against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage, to personal data. Other requirements include that personal data must be accurate and kept no longer than is necessary.

Direct electronic marketing is governed by the very specific rules contained in the Privacy and Electronic (EC Directive) Regulations 2003. As with the DPA, the ICO has published detailed guidance on the interpretation of this legislation in addition to numerous best practice requirements that should be considered.

The consequences of non-compliance can be serious. A fine of up to £500,000 can be imposed for a data protection breach but the greater damage may be the reputational damage that can be suffered by the company in breach. And, as noted above, damages may be awarded in favour of claimants even if – pending the outcome of the Google appeal – not financial loss has been suffered.

What should businesses be doing?

Members of the public want to know how their data is being used, how secure it is and who it is being shared with, and why. To that end, food and drink companies must keep customers informed about how their behaviour is being tracked, both in the online and physical environments, and how their data will be used. Businesses should be upfront about what monitoring they will be doing and explain at appropriate junctures in the sales (and on-sales) journey the benefits to customers and how their anonymity will be protected.

Food and drink companies should ensure that they obtain compliant consents from customers to process or share their data and certainly before it is used to issue direct marketing. For example, where personal data is passed to third parties for marketing purposes companies must ensure that they have express opt-in consent and must provide customers with a clear way to opt-out.