The English Court of Appeal has recently handed down a landmark decision confirming that an individual can recover damages under the UK’s Data Protection Act 1998 (the “Act”) for non-financial losses.
The claim concerned Google’s collection of personal data regarding the claimants’ internet usage. This information consisted of browser-generated information which was collected via cookies, without the claimants’ knowledge or consent. The claimants argued that Google offered their browser-generated information to advertisers, allowing targeted and tailored marketing based on the claimants’ internet browsing activities. The Court had four issues to determine, one of which was the meaning of “damages” under section 13 of the Act and, in particular, whether an individual could claim compensation without suffering financial loss.
Prior to the decision, Section 13(2) of the Act required a claimant to suffer pecuniary loss before they could recover compensation for distress. The claimants argued that the Act had not properly implemented the EU Directive, which should have been transposed into English law. Article 23 of the Act is the applicable provision in the EU Directive, which deals with compensation when a data controller breaches the legislation. The Court held that Article 23 should be given its natural meaning and had to be construed widely in order to support the underlying aims of the legislation. The legislation was originally designed to protect privacy instead of economic rights and the judge on this case conveyed that ” if individuals could not recover compensation for an invasion of their privacy rights merely because they had not suffered pecuniary (financial) loss. The fact that individuals should be able to be compensated for non-financial loss is especially so given that Article 8 of the European Convention of Human Rights does not impose such a restriction and the invasion of privacy can cause emotional damage (but not pecuniary loss). Therefore, the more restrictive interpretation of the word “damage” under section 13(2) of the Act substantially undermined the objective of the EU Directive and so the Court dis-applied that section and, in doing so, allowed the claimants to receive compensation for distress alone, without suffering pecuniary loss.
This landmark case could potentially open the floodgates to data protection litigation because claimants will be able to seek damages for ‘mere’ distress without pecuniary loss. Whilst this decision is wide ranging, this appeal was on preliminary issues and a full trial and possible subsequent appeal may lead to a different outcome. Nevertheless, this emphasizes the importance for businesses to ensure that they comply with the Act in order to minimize the potential for damages claims. Organizations that address their data protection compliance now will also put themselves in a much better position as and when the new European Data Protection Regulation comes into force, which we anticipate will be sometime next year.