Data Breach Claims
Data harvesting (legal or otherwise) has become part of our lives in recent years with the advent of purchasing goods and services online and social media interactions such as Twitter and Facebook. The personal data held on you can be vast. All companies have a duty not to misuse your personal data and to keep it secure.
Any breach or misuse of your personal data may cause you harm and distress, giving rise to a claim for data protection breach compensation against the company at fault, even though no financial loss has been suffered. A company that has misused your data, or lost it to a third party through cyber crime or hacking, may have to pay you compensation for the distress caused.
This guide will cover everything you need to know about data breach claims.
Compensation for Distress of Data Breach
A data protection breach compensation claim can be made following the critical decision of Vidal-Hall and others v Google Inc where the Court of Appeal in London (UK) held that a claim for distress suffered by the privacy breach could result in damages even though there was no financial loss (see below for more details).
However, pre-GDPR, the compensation awards were relatively low at around £750. In the celebrity breach of privacy claims for ‘phone hacks’, by contrast, Gulati & Ors v MGN Limited confirmed damages of over £250,000. In more recent cases involving the misuse of personal data, TLT v Secretary of State for the Home Department [2016] EWHC 2217 (QB) saw compensation amounts between £2,500 and £12,500.
Remember that while no financial loss was suffered, it is a data protection breach compensation payout for the distress caused.
- Can you do something about the loss and misuse of your personal data?
- Can you claim compensation for data protection breaches?
- Can I claim even if I have not suffered any financial loss?
The answer to these questions is yes, provided the data can be said to identify you and has caused you distress or loss. However, you must be aware:
- You can make a data breach claim providing the loss of data or breach can identify you. It does not have to be by your name or address as such. Each violation will be taken on its facts.
- The distress must be more than minimal. There must be a fundamental cause of concern about the loss or breach.
- If there is a loss of credit card information and the account is in joint names, even though the primary cardholder may claim, the joint cardholder may also claim as they can also be identified.
| Case | Data Breach | Compensation Payout |
| --- | --- | --- |
| Campbell v MGN Ltd [2004] UKHL 22 | Publication of articles/photographs disclosing private information | £2,500 plus aggravated damages of £1,000 |
| Archer v Williams [2003] EWHC 1670 (QB) | Disclosure of medical information | £2,500 |
| Applause Store Productions Limited v Raphael [2008] EWHC 1781 | False defamatory profile and group on Facebook | £2,000 plus award for libel totalling £20,000 |
| Weller v Associated Newspapers Ltd [2014] EWHC 1163 (QB) | Publication of photographs without consent | £10,000 |
| Mosley v News Group Newspapers Ltd [2008] EWHC 1777 | Publication of private information relating to sexual practices | £60,000 |
| Cooper v Turrell [2011] EWHC 3269 (QB) | Misuse of private information | Claimant 1: £30,000; Claimant 2: £50,000 |
| AAA v Associated Newspapers Ltd [2012] EWHC 2103 (QB) | Publication of photographs | £15,000 |
| Gulati and others v MGN Ltd [2015] EWHC 1482 (Ch) | Phone hacking | £72,500 – £260,250 |
| Wooley & Wooley v Nahid Akbar Or Akram [2017] SC Edin 7 | CCTV surveillance carried out by a neighbour | £17,268 |
| TLT and others v Secretary of State for the Home Department and Home Office [2016] EWHC (QB) | Publication of confidential personal information of around 1,600 applicants for asylum or leave to remain | £2,500 – £12,500 |
Common Personal Data Held On You
- your name
- your address
- your date of birth
- your email address
- your telephone numbers
- your credit card details
- your bank details
- your password(s)
- and much, much more!
Cybercrime now poses a high risk to individuals whose data has been stored electronically. With criminal hacking, breaches and unauthorised access to data, the whole subject of data protection breaches should now be a priority for organisations that hold information about you.
The whole problem has come to light in the following data breaches:
- Easyjet Data Breach Compensation Claims
- Morrisons Supermarket Personal Breach of Data
- British Airways Breach of Personal Data
- Dixons Carphone Admits Huge Data Breach
- Ancestry.com Data Leak
- Yahoo Data Protection Hack
- Vodafone Data Breach
- Butlins Data Hack
- and many more…
The Data Protection Act
The Data Protection Act 1998 has been replaced by the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. The latest guidance on data protection law can be found on the ICO website: Guide to the GDPR.
In May 2018, you may have noticed that you received a lot of emails from companies talking about ‘GDPR’. You probably ignored these emails or marked them as junk because no one likes to receive spam. But GDPR is about more than no longer receiving updates from Tesco about upcoming offers; it is supposed to protect your personal data from being misused.
The European Union General Data Protection Regulation (GDPR) became law in this country in 2018 and has been supported by a new Data Protection Act. Under this law, every person throughout the European Union has the right to challenge companies or institutions that are misusing their personal data. You have a fundamental right to have your data protected, and no one can take that away from you.
The law does not apply to individuals who may be misusing your data but to companies and institutions using your data in professional or business activities. So the regulation won’t stop your Mum from ‘accidentally’ posting the address of your new house on Facebook, but will stop companies like John Lewis from selling your address to advertisers without your permission.
European Convention on Human Rights
Data protection breach compensation for data misuse is also interrelated with your right to privacy under Article 8 of the European Convention on Human Rights (ECHR). A critical case was that of (1) Judith Vidal-Hall (2) Robert Hann (3) Marc Bradshaw v Google [2014].
This case involved individuals who sued Google over its use of Apple’s web browser, Safari. The complaint was based on the distress suffered from learning that their ‘personal characteristics’ formed the basis for Google’s targeted advertisements, or that such matters might have come to the knowledge of third parties who had used or seen their devices. The data breach claims were exclusively for distress and anxiety, not financial damage. It was alleged that their personal information was not respected even though the claimants had set their privacy settings in the browser to block third-party cookies.
This case confirmed and set the tone that such a breach could amount to a claim in the UK for the distress of the misuse of data and violation of privacy, and that a data breach compensation claim can be made even though no actual financial loss occurred.
GDPR
Article 82 states, “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.”
As this provision allows compensation to be recovered from data processors and controllers, it is more comprehensive than section 13 DPA.
A data controller or processor will be exempt from liability for a compensation claim under the GDPR if it proves that it is “not in any way responsible” for the event giving rise to the damage. GDPR allows for multi-party data breach compensation claims.
The Local Court (Amtsgericht) Diez (in a final decision dated 7 November 18, case number 8 C 130/18) was the first German court (and first court EU-wide) to decide on a claim for immaterial damages under Art 82 GDPR. The plaintiff had received an email from the defendant requesting his consent to an email newsletter. In Germany, this is considered spam and also a GDPR violation. The plaintiff claimed compensation of 500 euros. The action was dismissed because the plaintiff had already received an ex gratia payment of 50 euros, and compensation beyond this amount was no longer reasonable.
What Is My Personal Data?
According to the GDPR, personal data means:
“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Put simply, your personal data is any data that can be used to identify you as an individual. This includes your name, address, telephone number, email address, bank details, or national insurance number. It doesn’t have to be all of them, just one can be enough.
For example, an online company selling information about you that you have brown hair is allowed: that information cannot identify you personally, as lots of people also have brown hair. However, suppose the company sells the information that you have brown hair and live at 98 Rose Lane, Liverpool. In that case, you could potentially be identified, which could be a breach of the data protection laws that protect your identity and privacy.
Selling Your Data
Selling your personal data was commonplace. When you purchased goods or services online, the terms and conditions had a pre-ticked or automatic opt-in consent to sell or send your data to other partners or third parties at their discretion. This included your phone number, leading to the annoyance of ‘cold calls’ about mis-sold PPI and road traffic accident claims. However, as you had consented to the sale of your data, this was deemed not to be a cold call, so there was no misuse of your data.
Following the GDPR, companies are getting smarter and appear to have stopped selling data without obtaining permission. However, under this law, companies still have a duty to protect the information they hold about you. This means that they must do everything possible to stop other people from taking your data by hacking their system.
Examples of Recent Data Breaches
Unfortunately, in the modern world, data breaches are all around us and take place every day. Even the world’s largest corporations are susceptible to data protection breaches. You only have to use a website like Have I Been Pwned to see that you are the potential victim of a breach that you didn’t even realise had happened. At the time of writing, the website reports that a whopping 11.9 billion accounts have been compromised, which only scratches the surface. Some of the most significant data protection breaches in the 21st century have affected customers of firms such as Yahoo, LinkedIn, Sony, Facebook, MySpace, and Adobe.
Data breaches are arguably getting worse, not better. More people are using the web, and attackers are becoming smarter at breaking down security barriers. Below are some examples of high-profile data breaches that have occurred in recent years.
- LinkedIn, 2021: In June 2021, hackers obtained the data of 700 million LinkedIn users, including email addresses, phone numbers and geolocation records. The data was put up for sale on the Dark Web. It’s believed that hackers scraped the data by exploiting the platform’s API. While LinkedIn argued the breach didn’t include personal information, there was enough data to leave people vulnerable to cyberattacks.
- Facebook, 2019: Facebook is one of the largest social media networks, and it has come under heavy fire in recent years for privacy concerns. In April 2019, the data of 533 million people from 106 countries was leaked before being uploaded to a hacking forum in 2021. The breach reportedly included telephone numbers and birth dates.
- Marriott, 2018: Marriott is one of the world’s largest hotel chains with over 8,000 hotels in 131 countries, meaning it handles the personal data of millions of customers. Therefore, the 2018 data breach was a significant event. Around 500 million records were compromised, containing sensitive information like credit card details and passport numbers.
- Samsung, 2022: One of the most recent examples of a data breach involves the multinational giant Samsung. The company announced in September 2022 that it had identified a breach by an unauthorized third party in July. The breach affected Samsung Electronics America, with names and contact information stolen.
- LastPass, 2022: LastPass is one of the most popular password management services, providing an efficient way to manage login data. The problem with this type of service, of course, is it contains valuable data for many accounts. In August 2022, LastPass endured a data breach when a hacker compromised a developer account. Thankfully, no passwords are believed to have been stolen, but the platform’s source code was compromised.
What Can I Do About Making a Claim for Distress?
If an organisation suffers a data breach and loses your personal data, you may be able to claim data breach compensation for distress (even though you have not personally suffered any financial loss) in addition to claiming back any other consequential losses.
Contact us to see how our experienced team of solicitors can help. We specialise in data protection breaches and loss for compensation.
Examples of Privacy Breach Court Cases
Using your personal data without consent or knowledge can give rise to distress, embarrassment and violation. No specific financial loss has to be claimed to sound in damages. Misuse of data is more common, and below are some examples of cases that have proceeded to court.
Campbell v MGN Ltd [2004] UKHL 22: A newspaper published photographs of Naomi Campbell coming out of a Narcotics Anonymous meeting. She sought compensation for breach of confidentiality and compensation under DPA s.13. She was awarded £2,500 (and aggravated damages of £1,000) for distress and injury to feelings caused by articles/photographs.
Archer v Williams [2003] EWHC 1670 (QB): The defendant had been employed by the claimant as a personal assistant and had disclosed private information, including medical information, to third parties when her employment contract was terminated. Newspapers subsequently published articles, and the claimant received £2,500 for the publication of medical information.
Applause Store Productions Limited v Raphael [2008] EWHC 1781: A false defamatory Facebook profile containing private information and a linked group was set up by the defendant. The claimants, Mathew Firsht and his company, Applause Store Productions Ltd, sought compensation for defamation and misuse of private information. The award for libel was £15,000 (and £5,000 for his company); the award to compensate for hurt feelings and distress was £2,000.
Data Protection and Article 8 – Right to Privacy
Weller v Associated Newspapers Ltd [2014] EWHC 1163 (QB): An online newspaper had published, without consent, photographs of a well-known singer’s three children which had been taken when they were enjoying a family day out. The claimant sought compensation for misuse of private information and breach of DPA. Dylan, the eldest child, was awarded £5,000, while the twins, John Paul and Bowie, were each awarded £2,500.
The children’s right to privacy under ECHR Article 8 outweighed the publisher’s right to freedom of expression.
The starting point for determining whether there had been a misuse of private information was the two-stage test:
(1) Does the person have a reasonable expectation of privacy?
(2) Balance Article 8 right against the publisher’s Article 10 right to freedom of expression
Article 8 shows that private information is to be protected “as an aspect of human autonomy and dignity”, see Lord Hoffmann in Campbell v MGN at [50] (NB while the cause of action for misuse of private information accommodates both arts 8 and 10, the claim is for abuse of personal data and not a direct claim for infringement of human rights).
It is notable that while Dylan suffered embarrassment, the twins, John Paul and Bowie, will not have sustained any immediate embarrassment from the publication.
More recently, courts have shown an inclination to award greater data breach compensation awards:
In Mosley v News Group Newspapers Ltd [2008] EWHC 1777 (QB), the judge acknowledged that “it has to be accepted that an infringement of privacy cannot ever be effectively compensated by a monetary award […] the only realistic course is to select a figure which marks the fact that an unlawful intrusion has taken place while affording some degree of solatium to the injured party.” In that case, the claimant was awarded £60,000 after a newspaper published an article revealing the claimant’s involvement in sadomasochistic activities.
Cooper v Turrell [2011] EWHC 3269 (QB): Discussions between the company’s board members had secretly been recorded by the defendant, who then used that information to fuel an internet-based campaign involving libel, breach of confidence and misuse of private information. The defendant had made accusations of dishonesty and criminal conduct and made damaging statements about one of the claimants’ fitness to work. The company was awarded £30,000 for the libel and £10,000 for the breach of confidence. The second claimant, an individual, was awarded £50,000 for the defamation and £30,000 for misusing his private information. Compensation owed to the individual for the misuse of personal information was reduced to account for the compensation owed in respect of libel. Still, the judge stated that had the misuse of private information been the sole award, it would have been in the sum of £40,000.
AAA v Associated Newspapers Ltd [2012] EWHC 2103 (QB): A covertly taken photograph was published on three separate occasions, and the claimant child claimed compensation for breach of privacy. Compensation awarded was £15,000 for publication on three different occasions.
Post-Vidal-Hall
Before 2015, compensation could only be awarded under the Data Protection Act if the claimant could show they had suffered a pecuniary loss. However, this changed following the decision in Vidal-Hall v Google [2015] 3 WLR 409. Consequently, distress alone can be enough for data breach claims.
Gulati and others v MGN Ltd [2015] EWHC 1482 (Ch): In this phone hacking case, the claimants, who were various persons in the public eye, had suffered infringements of privacy rights after their voicemails had been hacked regularly over long periods of time. Consequently, significant parts of their private lives were exposed and reported on. The court held that they were entitled to substantial compensation, not limited to damages for distress and injury to feelings – damages should also compensate for the loss or diminution of a right to control private information. Compensation awarded ranged from £72,500 to £260,250. In determining the amount of compensation owed, the judge took account of various factors, including the subject matter of the disclosure, for example, medical information and private financial affairs may attract higher figures, while information about an individual’s whereabouts to obtain a photograph will attract lower compensation. In addition, the significance of the information and its effect on the individual will be relevant; thus, the extent of the damage may be claimant specific. Finally, the judge acknowledged that the impact of repeated intrusions could be cumulative.
Brown v Commissioner of Police of the Metropolis and Chief Constable of Greater Manchester Police [2016]: in preparing a disciplinary case against Ms Brown, who had travelled abroad without notifying her line manager, an MPS officer obtained information from the National Border Targeting Centre as to her travel itinerary and other personal information. The county court awarded Ms Brown £9,000 in compensation for privacy and data protection law breaches. The settlement for misuse of private information added to the size of the total award as it also encompasses hurt feelings and loss of dignity and control over one’s personal information.
Wooley & Wooley v Nahid Akbar Or Akram [2017] SC Edin 7 (Scottish case): A couple sought compensation after they were subjected to round-the-clock CCTV surveillance carried out by a neighbour over several years. This was a breach of the DPA, and the couple was awarded £8,634 each.
Vicarious Liability?
WM Morrison Supermarkets Plc v Various Claimants [2018] EWCA Civ 2339: A disgruntled former employee of Morrisons, Andrew Skelton, had leaked payroll data. In 2015 he was found guilty of fraud, securing unauthorised access to computer material and disclosing personal data and was consequently jailed for eight years. Following this, 5,518 Morrisons’ employees sought compensation for the unauthorised uploading of personal data to a file-sharing website. The court held that Morrisons could be held vicariously liable for the actions of their former employee.
Data Protection in the News
- Bounty UK: The Information Commissioner’s Office has issued a fine of £400,000 to pregnancy and parenting club Bounty UK for illegally sharing the personal data of more than 14 million people with third parties for electronic direct marketing – https://ico.org.uk/media/action-weve-taken/mpns/2614757/bounty-mpn-20190412.pdf
- Third-Party Facebook Apps: https://www.upguard.com/breaches/facebook-user-data-leak
- Kent Police: Kent Police were fined £80,000 after it handed data on a phone belonging to an alleged domestic abuse victim to her partner’s solicitor – https://www.bbc.co.uk/news/uk-england-kent-36101713