The use of data harvesting (legal or otherwise) has been a part of our life in recent years with the advent purchase of goods and services online and social media interaction such as Twitter and Facebook. The personal data held on you can be vast. All companies have a duty not to misuse your personal data and to keep it secure.
Any breach or misuse of your personal data may cause you harm and distress giving a rise to compensation against the company at fault for distress even though no financial loss has been suffered. It can be enough to show that the company who has mis-used or lost your data to a third party due to cyber crime/hacking may have to pay you compensation for the distress caused.
Compensation for Distress of Data Breach
A claim for compensation can be made following the important decision of Vidal-Hall and others v Google Inc; where the Court of Appeal in London (UK) held that a claim for distress suffered by the privacy breach can sound in damages even though there was no financial loss (see below for more details).
However pre-GDPR the compensation awards were quite low from about £750. But in the celebrity breach of privacy claims for 'phone hacks' etc Gulati & Ors v MGN Limited confirmed damages over £250,000. However in more recent cases involving the misuse of personal data TLT v Secretary of State for the Home Department  EWHC 2217 (QB) compensation amounts between £2,500 to £12,500. Please remember no financial loss was suffered, it was a compensation award for distress caused.
Commons Personal Data Held On You
- your name
- your address
- your date of birth
- your email address
- your telephone numbers
- your credit card details
- your bank details
- your password(s)
- and much much more!
Cyber crime now plays a high risk to individuals where data about you has been stored electronically. With criminal hacking, breaches and access to unauthorised data, the whole subject of data protection breaches should now be a priority to organisations who hold information about you.
The whole problem has come to light in the following data breaches:
- Morrisons Supermarket - personal breach of data - payroll by disgruntled employee
- British Airways Breach of Personal Data
- Dixons Carphone Admits Huge Data Breach
- UK Home Office data breach
- Ancestry.com data leak
- Yahoo data protection hack
- Vodaphone data breach
- Butlins data hack - stolen details (‘34,000 guest records may have been accessed by hackers’);
- Ticketmaster - recent data security incident.
- Greenwich University (serious breach - fined by the Information Commissioner's Office)
- and many more...
The Data Protection Act - The Law UK
The Data Protection Act 1998 has been replaced by the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. The latest guidance on data protection law, can be found on the ICO webiste: Guide to the GDPR.
In May 2018, you may have noticed that you received a lot of emails from companies talking about something called ‘GDPR’. You probably ignored these emails, or marked them as junk, because no one likes to receive spam. But GDPR is about more than no longer receiving updates from Tesco about upcoming offers, it is supposed to protect your personal data from being misused.
The ‘European Union General Data Protection Regulations’ (GDPR) became law in this country in 2018 and has been supported by a new Data Protection Act. Under this law, every person throughout the European Union has the right to challenge companies or institutions that are misusing their personal data; you have a fundamental right to have your data protected, and no one can take that away from you.
The law does not apply to individuals who may be misusing your data, but companies and institutions that are using your data in professional or business activities. So the regulation won’t stop your Mum from ‘accidentally’ posting the address of your new house on Facebook, but will stop companies like John Lewis from selling your address to advertisers without your permission.
European Convention on Human Rights - Right to Privacy
Compensation has for data misuse is also inter-related with your right to privacy under Article 8 of the European Convention on Human Rights (ECHR) (right to a private and family life).
A important case was that of JUITH VIDAL-HALL (2) ROBERT HANN (3) MARC BRADSHAW v GOOGLE .
This is a case with the individuals who sued Google used Apple's web browser, Safari. The claimants complaint was based on the distress suffered from learning that their 'personal characteristics' formed the basis for Google's targeted advertisements, or from having learnt that such matters might have come to the knowledge of third parties who had used or seen their devices. The claims were exclusively for distress and anxiety, but no financial damage. It was alleged that their personal information was not respected despite the fact that the claimants had set their privacy settings in the browser to block third party cookies.
This case confirmed and set the tone that such a breach could amount to a claim in the UK for distress of the mis-use of data/breach of privacy. That compensation can be made even though no actual financial loss occurred.
What Is My Personal Data?
According to the GDPR, personal data means:
“any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Put simply, your personal data is any data that can be used to identify you as an individual. This is information such as your name, address, telephone number, email address, bank details, or national insurance number. It doesn’t have to be all of them, just one can be enough.
For example, an online company selling information about you, that you have brown hair is allowed: that information cannot identify you personally, as lots of people also have brown hair. However, if the company sells the information that you have brown hair and live at 98 Rose Lane, Liverpool, then you could potentially be identified, and this could be a breach of the data protection laws that are there to protect your identity and privacy.
Selling Your Data
Selling your personal data was common place. When you purchased goods or services online, the terms and conditions had a pre-tick or automatically opt in consent to sell/send your data to other 'partners' or 'third parties' at their discretion. This included your phone number much to an annoyance of 'cold calls' for mis-sold PPI and road traffic accident claims. However, as you had consented to the selling of your data, it is deemed not to be a cold call so there was no mis-use of your data.
Following the GDPR, companies are getting smarter, and appear to have stopped selling data without first getting permission to do so. However, under this law, companies still have a duty to protect the information that they hold about you. This means that they must do everything possible to stop other people from taking your data by hacking their system.
Compensation for Distress and Loss Following Breach
- Can you do something about the loss and possible misuse of your personal data?
- Can you claim compensation for data protection breaches?
- Can I claim if I have not suffered any financial loss?
The answer is yes to the questions providing the data can be said to identify you and has indeed caused you distress and or loss. However you must be aware:
- You can claim providing the loss of data or breach can identify you. It does not have to be by your name or address as such. Each breach will be taken on its facts.
- The distress must be more than minimal. There must be a real cause of concern about the loss or breach.
- If there is a loss of credit card details for example, if the card is in joint names, despite the fact that the main card holder may claim, the joint card holder may also claim as they can also be identified.
What Can I Do About Making A Claim For Distress?
If an organisation whose data has been breached resulting in a data breach and loss your personal data, you may be able to claim compensation for distress (even though you have not personally suffered any financial loss) in addition to claiming back any other consequential losses.
Contact us to see how our experienced team of solicitors can help. We specialise in data protection breaches and loss for compensation.