The use of data harvesting (legal or otherwise) has been a part of our life in recent years with the advent purchase of goods and services online and social media interaction such as Twitter and Facebook. The personal data held on you can be vast. All companies have a duty not to misuse your personal data and to keep it secure.
Any breach or misuse of your personal data may cause you harm and distress giving a rise to compensation against the company at fault for distress even though no financial loss has been suffered. It can be enough to show that the company who has mis-used or lost your data to a third party due to cyber crime/hacking may have to pay you compensation for the distress caused.
Compensation for Distress of Data Breach
A claim for compensation can be made following the important decision of Vidal-Hall and others v Google Inc; where the Court of Appeal in London (UK) held that a claim for distress suffered by the privacy breach can sound in damages even though there was no financial loss (see below for more details).
However pre-GDPR the compensation awards were quite low from about £750. But in the celebrity breach of privacy claims for 'phone hacks' etc Gulati & Ors v MGN Limited confirmed damages over £250,000. However in more recent cases involving the misuse of personal data TLT v Secretary of State for the Home Department  EWHC 2217 (QB) compensation amounts between £2,500 to £12,500. Please remember no financial loss was suffered, it was a compensation award for distress caused.
|Campbell v MGN Ltd  UKHL 22||Publication of articles/photographs disclosing private information||£2,500 plus aggravated damages of £1,000|
|Archer v Williams  EWHC 1670 (QB)||Disclosure of medical information||£2,500|
|Applause Store Productions Limited v Raphael  EWHC 1781||False defamatory profile and group on Facebook||£2,000 plus award for libel totalling £20,000|
|Weller v Associated Newspapers Ltd  EWHC 1163 (QB)||Publication of photographs without consent||£10,000|
|Mosley v News Group Newspapers Ltd  EWHC 1777||Publication of private information relating to sexual practices||£60,000|
|Cooper v Turrell  EWHC 3269 (QB)||Misuse of private information,||Claimant 1 £30,000 Claimant 2: £50,000|
|AAA v Associated newspapers Ltd  EWHC 2103 (QB)||Publication of photographs||£15,000|
|Gulati and others v MGN Ltd  EWHC 1482 (Ch)||Phone hacking||£72,500 - £260,250|
|AAA v Associated newspapers Ltd  EWHC 2103 (QB)||Publication of photographs||£15,000|
|Wooley & Wooley v Nahid Akbar Or Akram  SC Edin 7||CCTV surveillance carried out by a neighbour||£17,268|
|TLT and others v Secretary of State for the Home Department and Home Office  EWHC (QB)||Publication of confidential personal information of around 1,600 applicants for asylum or leave to remain||£2,500 - £12,500|
Commons Personal Data Held On You
- your name
- your address
- your date of birth
- your email address
- your telephone numbers
- your credit card details
- your bank details
- your password(s)
- and much much more!
Cyber crime now plays a high risk to individuals where data about you has been stored electronically. With criminal hacking, breaches and access to unauthorised data, the whole subject of data protection breaches should now be a priority to organisations who hold information about you.
The whole problem has come to light in the following data breaches:
- Morrisons Supermarket - personal breach of data - payroll by disgruntled employee
- British Airways Breach of Personal Data
- Dixons Carphone Admits Huge Data Breach
- UK Home Office data breach
- Ancestry.com data leak
- Yahoo data protection hack
- Vodaphone data breach
- Butlins data hack - stolen details (‘34,000 guest records may have been accessed by hackers’);
- Ticketmaster - recent data security incident.
- Greenwich University (serious breach - fined by the Information Commissioner's Office)
- and many more...
The Data Protection Act - The Law UK
The Data Protection Act 1998 has been replaced by the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. The latest guidance on data protection law, can be found on the ICO webiste: Guide to the GDPR.
In May 2018, you may have noticed that you received a lot of emails from companies talking about something called ‘GDPR’. You probably ignored these emails, or marked them as junk, because no one likes to receive spam. But GDPR is about more than no longer receiving updates from Tesco about upcoming offers, it is supposed to protect your personal data from being misused.
The ‘European Union General Data Protection Regulations’ (GDPR) became law in this country in 2018 and has been supported by a new Data Protection Act. Under this law, every person throughout the European Union has the right to challenge companies or institutions that are misusing their personal data; you have a fundamental right to have your data protected, and no one can take that away from you.
The law does not apply to individuals who may be misusing your data, but companies and institutions that are using your data in professional or business activities. So the regulation won’t stop your Mum from ‘accidentally’ posting the address of your new house on Facebook, but will stop companies like John Lewis from selling your address to advertisers without your permission.
European Convention on Human Rights - Right to Privacy
Compensation has for data misuse is also inter-related with your right to privacy under Article 8 of the European Convention on Human Rights (ECHR) (right to a private and family life).
A important case was that of JUITH VIDAL-HALL (2) ROBERT HANN (3) MARC BRADSHAW v GOOGLE .
This is a case with the individuals who sued Google used Apple's web browser, Safari. The claimants complaint was based on the distress suffered from learning that their 'personal characteristics' formed the basis for Google's targeted advertisements, or from having learnt that such matters might have come to the knowledge of third parties who had used or seen their devices. The claims were exclusively for distress and anxiety, but no financial damage. It was alleged that their personal information was not respected despite the fact that the claimants had set their privacy settings in the browser to block third party cookies.
This case confirmed and set the tone that such a breach could amount to a claim in the UK for distress of the mis-use of data/breach of privacy. That compensation can be made even though no actual financial loss occurred.
What Is My Personal Data?
According to the GDPR, personal data means:
“any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Put simply, your personal data is any data that can be used to identify you as an individual. This is information such as your name, address, telephone number, email address, bank details, or national insurance number. It doesn’t have to be all of them, just one can be enough.
For example, an online company selling information about you, that you have brown hair is allowed: that information cannot identify you personally, as lots of people also have brown hair. However, if the company sells the information that you have brown hair and live at 98 Rose Lane, Liverpool, then you could potentially be identified, and this could be a breach of the data protection laws that are there to protect your identity and privacy.
Selling Your Data
Selling your personal data was common place. When you purchased goods or services online, the terms and conditions had a pre-tick or automatically opt in consent to sell/send your data to other 'partners' or 'third parties' at their discretion. This included your phone number much to an annoyance of 'cold calls' for mis-sold PPI and road traffic accident claims. However, as you had consented to the selling of your data, it is deemed not to be a cold call so there was no mis-use of your data.
Following the GDPR, companies are getting smarter, and appear to have stopped selling data without first getting permission to do so. However, under this law, companies still have a duty to protect the information that they hold about you. This means that they must do everything possible to stop other people from taking your data by hacking their system.
Compensation for Distress and Loss Following Breach
- Can you do something about the loss and possible misuse of your personal data?
- Can you claim compensation for data protection breaches?
- Can I claim if I have not suffered any financial loss?
The answer is yes to the questions providing the data can be said to identify you and has indeed caused you distress and or loss. However you must be aware:
- You can claim providing the loss of data or breach can identify you. It does not have to be by your name or address as such. Each breach will be taken on its facts.
- The distress must be more than minimal. There must be a real cause of concern about the loss or breach.
- If there is a loss of credit card details for example, if the card is in joint names, despite the fact that the main card holder may claim, the joint card holder may also claim as they can also be identified.
What Can I Do About Making A Claim For Distress?
If an organisation whose data has been breached resulting in a data breach and loss your personal data, you may be able to claim compensation for distress (even though you have not personally suffered any financial loss) in addition to claiming back any other consequential losses.
Contact us to see how our experienced team of solicitors can help. We specialise in data protection breaches and loss for compensation.
Compensation: Data Protection Breach, Distress, Privacy
The use of your personal data without consent or knowledge can give rise to distress, embarrassment and violation. No specific financial loss has to be claimed to sound in damages. Breach of data misuse is more common and below are some examples of cases that have proceeded to court.
Campbell v MGN Ltd  UKHL 22: A newspaper published photographs of Naomi Campbell coming out of a Narcotics Anonymous meeting. She sought compensation for breach of confidentiality and compensation under DPA s.13. She was awarded £2,500 (and aggravated damages of £1,000) for distress and injury to feelings caused by articles/photographs.
Archer v Williams  EWHC 1670 (QB): The defendant had been employed by the claimant as a personal assistant and had disclosed private information, including medical information, to third parties when her employment contract was terminated. Newspapers had subsequently published articles and the claimant received £2,500 for the publication of medical information.
Applause Store Productions Limited v Raphael  EWHC 1781: A false defamatory Facebook profile containing private information and a linked group were set up by the defendant. The claimants, Mathew Firsht and his company, Applause Store Productions Ltd, sought compensation for defamation and misuse of private information. Award for libel was £15,000 (and £5,000 for his company); award to compensate for hurt feelings and distress was £2,000.
Data Protection and Art 8 right to privacy
Weller v Associated Newspapers Ltd  EWHC 1163 (QB): An online newspaper had published, without consent, photographs of a well-known singer’s three children which had been taken when they were enjoying a family day out. The claimant sought compensation for misuse of private information and breach of DPA. Dylan, the eldest child, was awarded £5,000, while the twins, John Paul and Bowie, were each awarded £2,500.
The children’s right to privacy under ECHR art 8 outweighed the publisher’s right to freedom of expression
The starting point for determining whether there had been a misuse of private information was the two-stage test:
(1) Does the person have a reasonable expectation of privacy?
(2) Balance art 8 right against publisher’s art 10 right to freedom of expression
Article 8 shows that private information is to be protected “as an aspect of human autonomy and dignity”, see Lord Hoffman in Campbell v MGN at  (NB while cause of action for misuse of private information accommodates both arts 8 and 10, the claim is for misuse of private information and not a direct claim for infringement of human rights)
It is notable that while Dylan suffered embarrassment, the twins, John Paul and Bowie, will not have suffered any immediate embarrassment from the publication.
More recently courts have shown an inclination to award greater compensation awards:
In Mosley v News Group Newspapers Ltd  EWHC 1777 (QB), the judge acknowledged that “it has to be accepted that an infringement of privacy cannot ever be effectively compensated by a monetary award […] the only realistic course is to select a figure which marks the fact that an unlawful intrusion has taken place while affording some degree of solatium to the injured party.” In that case the claimant was awarded £60,000 after a newspaper published an article revealing the claimant’s involvement in sado-masochistic activities.
Cooper v Turrell  EWHC 3269 (QB): Discussions between the company’s board members had secretly been recorded by the defendant who then used that information to fuel an internet-based campaign involving libel, breach of confidence and misuse of private information. The defendant had made accusations of dishonesty and criminal conduct as well as making damaging statements as to one of the claimant’s fitness to work. The company was awarded £30,000 for the libel and £10,000 for the breach of confidence. The second claimant, an individual, was awarded £50,000 for the libel and £30,000 for the misuse of his private information. Compensation owed to the individual for the misuse of private information was reduced to account for the compensation owed in respect of libel, but the judge stated that had the misuse of private information been the sole award it would have been in the sum of £40,000.
AAA v Associated Newspapers Ltd  EWHC 2103 (QB): A covertly taken photograph was published on three separate occasions and the claimant child claimed compensation for breach of privacy. Compensation awarded was £15,000 for publication on three separate occasions.
Prior to 2015, compensation could only be awarded under the DPA if the claimant could show they had suffered pecuniary loss. However, this changed following the decision in Vidal-Hall v Google  3 WLR 409; consequently distress alone can be enough to claim compensation for a data breach.
Gulati and others v MGN Ltd  EWHC 1482 (Ch): In this phone hacking case the claimants, who were various persons in the public eye, had suffered infringements of privacy rights after their voicemails had been hacked regularly over long periods of time. As a consequence very significant parts of their private lives were exposed and reported on. The court held that they were entitled to significant compensation not limited to damages for distress and injury to feelings – damages should also compensate for the loss or diminution of a right to control private information. Compensation awarded ranged from £72,500 to £260,250. In determining the amount of compensation owed, the judge took account of various factors including the subject matter of the disclosure, for example medical information and private financial affairs may attract higher figures while information as to an individual’s whereabouts in order to obtain a photograph will attract lower compensation. In addition, the significance of the information and its effect on the individual themselves will be relevant; thus, the extent of the damage may be claimant specific. Finally, the judge acknowledged that the effect of repeated intrusions can be cumulative.
Brown v Commissioner of Police of the Metropolis and Chief Constable of Greater Manchester Police  : in preparing a disciplinary case against Ms Brown who had travelled abroad without notifying her line manager, an MPS officer obtained information from the National Border Targeting Centre as to her travel itinerary and other personal information. The county court awarded Ms Brown £9,000 in compensation for privacy and data protection law breaches. The compensation in relation to misuse of private information added to the size of the total award as it also encompasses hurt feelings and loss of dignity and control over one’s private information.
Wooley & Wooley v Nahid Akbar Or Akram  SC Edin 7 (Scottish case): In this Scottish case, a couple sought compensation after they were subjected to round-the-clock CCTV surveillance carried out by a neighbour over a number of years. This was a breach of DPA and the couple were awarded £8,634 each.
WM Morrison Supermarkets Plc v Various Claimants  EWCA Civ 2339: A disgruntled former employee of Morrisons, Andrew Skelton, had leaked payroll data. In 2015 he was found guilty of fraud, securing unauthorised access to computer material and disclosing personal data and was consequently jailed for 8 years. Following this, 5,518 Morrisons’ employees sought compensation for unauthorised uploading of personal data to a file-sharing website. The court held that Morrisons could be held vicariously liable for the actions of their former employee.
Article 82 provides that “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered”
As this provision allows compensation to be recovered from both data processors and controllers it is wider than section 13 DPA.
A data controller or processor will be exempt from liability for a compensation claim under the GDPR if it proves that it is “not in any way responsible” for the event giving rise to the damage
GDPR allows for multi-party compensation claims.
The Local Court (Amtsgericht) Diez (in a final decision dated 7 November 18, case number 8 C 130/18) was the first German court (and first court EU-wide) to decide on a claim for immaterial damages under Art 82 GDPR
The plaintiff had received an email from the defendant requesting his consent to an email newsletter. In Germany, this is considered spam and also a GDPR violation. Plaintiff claimed compensation to the amount of 500 euros. The action was dismissed because the plaintiff had already received an ex gratia payment of 50 euros and compensation beyond this amount was no longer reasonable.
Data Protection in the News
- Bounty UK
The Information Commissioner’s Office has issued a fine of £400,000 to pregnancy and parenting club Bounty UK for illegally sharing personal data of more than 14 million people with third parties for the purpose of electronic direct marketing
- Third-party Facebook apps
- Kent Police
Kent Police were fined £80,000 after it handed data on a phone belonging to an alleged domestic abuse victim to her partner’s solicitor.
The client, instructing Donoghue Solicitors, received £18,000 in compensation