One of several issues considered by the Court of Appeal in the case of Google Inc v (1) Judith Vidal-Hall (2) Robert Hann (3) Marc Bradshaw [2015] was the meaning of ‘damage’ under section 13 of the Data Protection Act 1998. The decision has the potential to significantly expand the scope of claims for compensation under the act.
Under the Data Protection Act, where a data controller is in breach, an affected individual can claim damages pursuant to s.13. However, the Data Protection Act distinguishes ‘distress’ from ‘damage’. Anyone who has has suffered ‘damage’ may recover compensation from the data controller under s.13(1). Under s.13(2) (with a few exceptions) an individual who has suffered ‘distress’ may only recover compensation where they also suffered ‘damage’. Therefore, in the vast majority of cases, in order to recover compensation, a victim must show financial loss.
Previously, in Johnson v Medical Defence Union [2007], the High Court rejected the argument that the inability to recover compensation for non-financial losses under the Data Protection Act was inconsistent with the European data protection regime (through which the act was implemented). Under the European Directive, a person who has ‘suffered damage’ is able to obtain compensation. The court in Johnson found that the term ‘damage’ under the European Directive did not extend beyond financial loss.
However, in Google v Vidal, the court considered that the aim of the European regime was to protect individuals’ right to privacy and that the natural meaning of ‘damage’ ought to cover both financial and non-financial varieties. The court, therefore, entirely disapplied s.13(2) to make the Data Protection Act compatible with the European Directive.
This disapplication of s.13(2) and the widening of the interpretation of ‘damage’ opens the door for the first time for ‘distress-only’ compensation claims, which could lead to a significant increase in claims under the act. It is unclear how the courts will approach these claims (and Google has sought permission to appeal the decision at the Supreme Court). However, it is a reminder to data controllers of the importance of ensuring that appropriate measures are in place to prevent breaches of the DPA and to deal effectively with challenges as and when they arise, in order to avoid costly court proceedings or sanctions by the Information Commissioner.
If you would like to discuss any issues raised in this article please contact our Commercial Litigation team.