With mass personal data breaches now frequent news and a key impending Supreme Court case set to consider the parameters of class action-style claims for compensation for such breaches, Andrew Jones considers how much compensation affected individuals can realistically look to recover for personal data breaches and what the future may bring.
In May 2021, the General Data Protection Regulation (“GDPR”), implemented in England & Wales by the Data Protection Act 2018 (“DPA 2018”), will have been in force for three years (now via the post-Brexit “UK-GDPR” version). The GDPR and DPA 2018 have brought to the public’s attention, more than ever, the issue of the proper protection of personal data. A week now does not seem to pass without press reports of another mass personal data breach: Foxtons Estate Agents and Npower in February, airline IT provider SITA and West Ham FC last month, LinkedIn so far this month.
Article 82 of the GDPR provides a statutory right for compensation for “material or non-material damage” for infringements of the GDPR, including for failings in respect of the protection of personal data. Section 168 of the DPA 2018 expressly makes it clear that compensation for “non-material damage” includes for “distress”. Judging by the increasing amount of advertising being seen, enthusiastic claims farmers and keen third-party litigation funders see mass personal data breaches as a burgeoning area in England and Wales for class action-style claims.
But, if a company breaches its customer’s personal data rights and infringes the GDPR, how much is that claim actually worth to the customer?
The GDPR does not prescribe the levels of compensation that should be provided and there is, at this stage, an absence of any published cases under the GDPR to give guidance. However, the right to claim compensation under Art. 82 of the GDPR is materially the same as the right to recover compensation under section 13 of the Data Protection Act 1998 (“DPA 1998”) which the GDPR/DPA 2018 replaced. Accordingly, caselaw decided under the DPA 1998 may provide useful guidance as to the approach to compensation under the GDPR.
There are a couple points to remember, here, though.
Firstly, compensation claims under DPA 1998 took a rather tortuous path. Section 13 of DPA 1998 was originally drafted to provide compensation for both “damage” and “distress”, but only for distress if there had also been “damage”. In the early case of Johnson v MDU (2007), the Court of Appeal held that “damage” was limited to pecuniary losses. Therefore, claimants could only recover compensation under DPA 1998 for “distress” if they also suffered pecuniary losses. This restriction severely limited the number of potential compensation claims, given easily identifiable pecuniary losses caused by personal data breaches are relatively rare.
Many courts found creative ways around this restriction, often awarding nominal damages of £1 for supposed pecuniary losses in order to be able to award compensation for distress. This practice arguably warped some of the generally accepted methods for compensating pecuniary and non-pecuniary losses in the cases. The restriction for recovering compensation for distress was not removed until the 2015 case of Vidal-Hall v Google , where the Court of Appeal struck down the legislative restriction on the grounds that it was inconsistent with the underlying EU Data Protection Directive. This therefore allowed claimants to claim compensation for distress for breaches of the DPA 1998 without the need to prove pecuniary loss in addition.
Lessons having been learned in this regard: the GDPR is clearly drafted that compensation for distress alone can be claimed.
Secondly, claimants in a number of the cases claimed multiple overlapping causes of action in addition to breaches of the DPA 1998, such as misuse of private information and breach of confidence, and claimed the same loss for each. These alternative clauses of actions often include consideration of different principles for compensation and awards for overlapping causes of action did not always specify the amount for breach of the DPA 1998. An example of this is in the early case of Campbell v Mirror Group Newspapers (2002), in which the trial judge awarded Naomi Campbell the sum of £2,500 for both breach of confidence and breach of section 13 DPA 1998 collectively for publishing a photograph of her attending a Narcotics Anonymous meeting. One therefore needs to be careful when looking at the headline figures awarded.
Compensation for “material damage” under Art. 82 GDPR includes pecuniary losses so, as under the DPA 1998, claimants can claim and recover any pecuniary losses they prove have been incurred as a result of breaches of their personal data.
This might include losses arising from fraudulent transactions and identity theft caused by the data breach. By way of a further example, in the DPA 1998 case of Grinyer v Plymouth Hospitals NHS Trust (2012), the Court awarded the claimant compensation for pecuniary loss of earnings of £4,800, treatment costs of £1,434 and some nominal travel costs, consequent on the exacerbation of the claimant’s serious mental health condition caused by breaches of the DPA 1998.
Pecuniary losses should be simple to quantify using traditional principles of quantification. However, as mentioned above, it is relatively rare for easily identifiable pecuniary losses to be suffered as a result of personal data breaches. This has therefore meant attention has often turned to purely non-pecuniary losses, such as claims for “distress”.
Non-pecuniary losses – compensation for “distress”
As mentioned, section 168 DPA 2018 expressly makes it clear that the right to compensation for “non-material damage” under Art.82 GDPR for breaches of the GDPR includes compensation for “distress”.
So, what kind of awards for distress have been awarded for breaches of the DPA 1998, which might give us an indication of what could be recoverable for personal data breaches under the GDPR?
To some extent, there are still limited published cases giving guidance on quantum. The sums claimed have often been relatively small and so many cases are settled, not progressed to litigation or are decided in the County Courts where judgments are not generally reported. There have been some reported decisions, however:
- In Johnson v MDU (2007), the claimant surgeon claimed the Medical Defence Union had wrongly terminated his membership and professional indemnity cover as a result of unlawful processing under the DPA 1998. The court at first instance quantified the distress claim at £5,000. On appeal, the Court of Appeal criticised this sum as plainly too high for the modest level of distress found, particularly when compared to measures for personal injury, but did not go on to decide a correct sum given the claim failed on other grounds.
- In Halliday v Creation Consumer Finance Ltd (2013), the court awarded compensation of £750 for “distress”. The “distress” caused to the claimant was described as “frustration” related to the defendant finance company’s failures to delete the Claimant’s personal data as previously ordered. This sum of £750 has been oft-cited as appropriate compensation for “low level” distress claims for breaches of the DPA 1998.
- In AB v Ministry of Justice (2014), there had been breaches by the MoJ under the DPA 1998 for failing to properly comply with Subject Access Requests for personal data in relation to the death of the Claimant’s wife and subsequent inquest, for periods of between 17 months and 6 years. The High Court said it did not find the assessment of quantum an easy task and ultimately awarded the Claimant £2,250 for the distress caused.
- In TLT v Secretary of State for the Home Department and Home Office (2016), the Home Office wrongly published the personal details of around 1,600 applicants for asylum or leave to remain. The claimants claimed for misuse of private information and breach of DPA 1998 causing distress. The Court found it appropriate to cross refer to compensation for psychiatric and psychological injury, in circumstances where the claimants were put in shock and fear as a result of the disclosures of their personal data. The Court awarded the claimants awards of between £2,500 to £12,500
- In the recent case of Aven & Othrs v Orbis Business Intelligence Ltd (2020), the defendant intelligent services company were commissioned to provide a report on any links that might exist between Russia and Donald Trump. The claimants complained this report contained inaccurate personal data about them, in breach of the DPA 1998, relating to alleged illicit payments they made to Russian President, Vladimir Putin. The High Court awarded £18,000 to each of the claimants for distress, interestingly taking into account reputational loss (generally only seen in defamation cases). The Court described these awards as “modest” (!), reflecting that each of the claimants was of “robust character, not given to undue self-pity”.
So, what to make of these awards when considering the potential quantum of compensation for distress for personal data breaches under the GDPR?
It can be seen that the higher awards generally followed breaches of data protection directed solely at the complainant (Johnson, AB and Aven) as opposed to more inadvertent breaches affecting multiple individuals like in mass personal data breaches. The higher awards have followed particularly high levels of distress tantamount to psychiatric and psychological injury were caused (see the TLT case), which may not be common for most personal data breaches such as those relating to less sensitive customer information.
One could say that the low level “frustration” justifying an award of £750 in Halliday might be more analogous to the distress that, at most, affected individuals might suffer in the more common mass personal data breaches affecting personal data that is not particularly sensitive nor likely to provide risk of further damage, unless there are other case-specific factors to consider.
Other non-pecuniary losses – compensation for “loss of control”?
This brings us to what could be a watershed moment for mass personal data breach claims: the availability of compensation for “loss of control” of personal data, particularly in the context of opt-out class action-style claims.
Recital 85 of the GDPR says: “A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data…”.
This has led to the question of whether an individual’s “loss of control” over their personal data following a personal data breach amounts to non-material damage for which compensation can be claimed.
This is the question that the Supreme Court is due to consider later this month in Lloyd v Google. In this case, Mr Lloyd, former ‘Which’ magazine editor and FCA board member, alleges Google breached the DPA 1998 in respect of its collection, collation and sale “Browser Generated Information” of 4.4million iPhone users without their consent.
Mr Lloyd brings his claim as a “Representative Action” under CPR 19.6 on behalf of the 4.4million affected iPhone users. In short, Representative Actions are “opt-out” group litigation claims, where all the claimants must have the “same interest” and where all persons falling in the represented class form part of the litigation unless they take proactive steps to opt-out.
In an effort to keep within the “same interest” requirement of the CPR 19.6 rules, Mr Lloyd does not seek compensation for any pecuniary losses or distress suffered by any of the 4.4million individuals. Rather, Mr Lloyd only claims compensation for the mere infringement of the individuals’ data protection rights and consequent “loss of control” of the individuals’ personal data.
Mr Lloyd alternatively claims the individuals are entitled to “user damages”. “User damages” or “negotiating damages” is a method for quantifying loss where the loss suffered is measured by reference to the hypothetical sum that would have to have been paid to the data owner for them to have agreed to release that data for use.
In 2018, the High Court refused permission for Mr Lloyd to serve Google out of the jurisdiction in order to get his claim started, on the grounds that; (i) the individuals had not suffered recoverable “damage” under s.13 DPA 1998 – mere “loss of control” did not suffice, and (ii) not all the 4.4million affected individuals shared the necessary “same interest” requirement for a Representative Action.
However, in 2019, the Court of Appeal overturned this decision. The Court held:
- Personal data, and its consent for use, has an economic value. Therefore, loss of control of over such personal data has a value and its loss can amount to “damage”;
- The Court relied heavily on the case of Gulati v MGN, a phone hacking case where compensation was awarded for “loss of control”, without any pecuniary losses or distress claimed in addition, for misuse of private information. The Court of Appeal concluded that both the tort of misuse of private information claimed in Gulati and the right to claim compensation under the DPA 1998 were derived from the same core right to privacy under the European Convention for the Protection of Human Rights and Fundamental Freedoms. As such, it was right to adopt the same approach to “loss of control” amounting to compensable “damage”;
- It was generally accepted that there was a trivial or de minimis threshold to be able to recover compensation for “loss of control” and that threshold would “undoubtedly” not be satisfied if there a claim for compensation for “an accidental one-off data breach that was quickly remedied”;
- The Court declined to consider in addition whether “user damages” were also or alternatively recoverable and said it was best left to full argument at trial, but considered that it was, at least, fairly arguable for the purposes of granting Mr Lloyd permission to serve out of the jurisdiction. The Court flagged, however, the question of whether user damages would be applicable for the personal data in question given it was “non-rivalrous” i.e. the personal data relating to browsing activities could be used or sold many times without necessarily reducing its value.
Google appealed to the Supreme Court, which will hear the case on 28 and 29 April 2021.
Why is the outcome in Lloyd v Google therefore of such importance to mass personal data breach claims?
Mass personal data breach claims have, so far, not taken grip in the UK compared to in USA. This reflects some of the procedural hurdles present here for class action-style claims, such as the “same interest” restriction mentioned above for Representative Actions (see our earlier article here for more on this). The alternative method to Representative Actions for class action-style claims is Group Litigation Orders (“GLOs”) under CPR 19.11. GLOs provide for the collective management of numerous claims that give rise to “common or related issues of fact or law”. Whilst at first blush these seem to suit mass personal data breach claims resulting from the same incident, potential claimants need to “opt-in” to such claims, unlike the “opt-out” nature of Representative Actions. The take up for GLO claims can be low. For example, in Various Claimants v VM Morrisons Supermarkets plc (2020), there were c.100,000 Morrisons’ employees impacted by a rogue employee’s theft of their personal payroll data. However, only 9,263 opted into the claim (which ultimately failed on the grounds that Morrisons were not vicariously liable for its rogue employee). Without sufficient buy in, GLOs for mass personal data breach claims may not be viable.
Representative Actions for compensation for “loss of control” of personal data only, like Lloyd v Google, are accordingly potentially the greater source of concern for defendants and their insurers due to their “opt out” nature. Mr Lloyd does not claim a specific sum per individual in his proceedings, though had claimed £750 per individual pre-action (notably the amount of compensation awarded for distress in the oft-cited Halliday case, above). This would amount to a total award of c.£3 billion for the 4.4million individuals.
However, use of Representative Actions for mass personal data breach claims will inevitably limit the amount of compensation recoverable per individual. As mentioned above, there is no claim for pecuniary loss or distress in Lloyd v Google – if such claims were included, it would have inevitably meant the “same interest” requirement for Representative Actions would not be not satisfied, given such pecuniary losses and distress would differ between each of the 4.4m affected individuals
Further, in order to satisfy the “same interest” requirement to bring an opt-out Representative Action, Mr Lloyd expressly excluded any personal circumstances affecting any individual for the claim for “loss of control” (such as volume of data). The Court commented that this would therefore reduce the compensation to what was described as the “lowest common denominator” common to all individuals and “much less” than if individual circumstances were taken into account.
Therefore, even if Mr Lloyd’s claim is ultimately successful, the award for compensation for individuals in that case, and for claimants in other mass personal data breach claims for “loss of control” only, may be very small and even well below the mooted £750.
However, the Court indicated that such an award “will not be for nothing”. Accordingly, even if only a small amount of compensation is awarded for mere “loss of control”, the total bill could still be very high where mass personal data breaches affect hundreds of thousands, if not millions, of individuals. The time and legal costs of handling such compensation claims in itself could also be high.
The outcome of Lloyd v Google is therefore potentially of extreme importance to the future landscape of compensation claims for personal data breaches in England & Wales. The potential combination of easier opt-out class action-style Representative Actions, enthusiastic litigation funders and the potential for compensation for mere “loss of control” (even where there is no obvious financial loss or distress) is a heady mix which could very shortly lead to a very significant claims farm industry for personal data breach claims in this jurisdiction.