The Court of Appeal decision in Google Inc v Judith Vidal-Hall and others  EWCA Civ 311 issued earlier this year substantially expanded the potential liability for persons, businesses and other entities who breach the Data Protection Act 1998 (the Act). While breaches of the Act have always been potentially subject to fines imposed by the Information Commissioner, claims by aggrieved members of the public have generally not been a major issue due to the decision in Johnson v Medical Defences Union which held that for damages to be claimed under the Act a person had to show actual pecuniary loss. In most cases that would generally be difficult to do, so the threat of claims by aggrieved individuals over minor breaches of the Act (as opposed to fines imposed by the Information Commissioner) had generally not been a significant concern.
That position has been turned on its head by the decision in Google. The Court of Appeal held that it was no longer necessary for a claimant to show pecuniary loss and that damage suffered could include mere distress. Evidentially all that really requires is for the claimant to state they did indeed suffer such distress. It would be difficult for any defendant to refute.
The decision led to a fear that minor breaches of the Act, no matter how innocuous, could potentially lead to a raft of individual claims. Given an individual can issue a County Court claim at minor cost, and represent themselves, there is little to be lost by them ‘trying on’ a claim alleging distress. If such claims are for reasonably small sums, say in the hundreds of pounds, then the defendant business/organisation would be faced with the unenviable decision of either having to defend each such claim, or simply offer to settle each one to make them go away.
Given the costs of defending a claim could run into thousands of pounds (if lawyers are involved), not to mention substantial management downtime, even where the claim has little or no merit, there is a major incentive for an organisation to cut their losses and make the claim go away in the least costly way possible. That generally is going to mean a pay-out, even if each payment itself is only for a modest sum. Where a data breach results in multiple potential claimants then the situation facing the defendant becomes even more acute.
Our experience since the Google decision is that potential claimants are becoming much more savvy regarding the economics of making a data protection claim, particularly through the exchange of experiences and encouragement via social media. Hence when one claim eventuates, it often doesn't take long for more to follow.
While it can be argued that any impetus the Google case gives to businesses (and others) to ensure compliance with the provisions of the Act is a good thing, the reality is that data breaches can occur for a variety of reasons, including the illegal actions of others. In such a situation an otherwise ‘innocent’ breach could potentially result in a flood of claims, based on alleged mental distress suffered, the costs of which either fighting or settling could be seriously damaging to a business. If a major data breach occurred affecting thousands of persons, the financial cost could be considerable, and potentially catastrophic to the business/entity concerned. Certainly vastly more than what was likely to have been the case before Google.
So what can businesses do? Minimising the data protection risks is clearly the first step. Where breaches occur and claims start to follow, speed of settlement, and settlement terms that prevent or discourage information sharing by claimants are also key. Where appropriate it may be advisable to actually contest claims, but the merits of doing so will vary considerably depending on the circumstances of the case, and the numbers and quantum of claims being made.
The content of this article is for general information only. To discuss data protection matters further please contact Quentin Golder or a member of Birketts’ intellectual property and technology team. Law covered as at September 2015.