Over the past few years, the Information Commissioner has made significant use of its powers to levy fines on businesses and other organisations. However, the Information Commissioner has no powers to grant compensation to the individuals affected.
The Data Protection Act (DPA) has always provided a route for individuals to seek compensation for damages that they suffer as a result of a breach of the DPA. However, there have been relatively few claims brought. This is largely because it is relatively rare that individuals can point to any firm financial losses that they have suffered as a result of the breach. The DPA restricts the ability to claim compensation for distress caused by a breach, unless it is also possible to establish a financial loss.
However, the Court of Appeal has now determined that this restriction in the DPA fails to comply with EU law and as such, has effectively removed the hurdle and allowed individuals to claim compensation for distress caused by a breach of the DPA, even where there is no financial loss.
Many breaches of the DPA, such as loss of credit card details or tracking of internet browsing, for example, affect many thousands of individuals. To date, it has been difficult to bring a claim on behalf of these individuals, as there is rarely any financial loss (credit card companies will refund individuals for fraudulent activity). However, this change to the interpretation of the law opens up the possibility of these affected individuals claiming compensation for the distress caused by the misuse of their personal data.
Individually, such claims are unlikely to be significant, perhaps £500 to £1,000 but multiplied across many thousands of affected individuals, the impact for business could be substantial. There would at least be a certain irony if in the future we see claims companies seeking to entice us all to recover losses that we have suffered from data protection breaches!
Although we understand that Google, the defendant in this case, is seeking to appeal this decision to the Supreme Court, there are, in any event, plans for a new European law on data protection, which will further strengthen individuals’ rights and substantially increase potential fines for breaches.
Although most businesses are now aware of the importance of protecting personal data, compliance is rarely high on the agenda and there continue to be many breaches of the law. Very often, breaches are a result of businesses failing to sufficiently raise awareness of data protection obligations within their business.
For more information on data protection compliance, please contact firstname.lastname@example.org.