The Court of Appeal in the UK has decided that damages for data protection breaches can no longer be limited to economic damage. Instead, following the recent decision in Vidal-Hall v Google, data subjects in the UK can now recover damages for mere distress, potentially opening the floodgates to civil claims against data controllers.
The case concerned Google installing tracking cookies in Apple Safari browsers and collecting, without consent, information about the claimants’ online behaviour. The Court found that this “browser generated information” or “BGI” amounted to personal data for which a data protection claim could be brought. The Court also clarified that, independent of data protection law, data subjects may sue for “misuse of private information”.
In Ireland, the courts have until now interpreted the Data Protection Acts in such a way as to prevent recovery for a mere breach of data protection law without proof of damage. This principle reflects a belief that the meaning of “damage” in Article 3 of the Data Protection Directive does not imply an automatic payment of compensation.
The UK data protection legislation provided a similar bar to recovery, which the Court of Appeal has now decided was not compatible with the meaning of “damage” in the Directive. The Court observed that the Directive was designed to protect privacy rather than economic rights. Emphasising that privacy and data protection are fundamental rights under the EU Charter of Fundamental Rights, the Court of Appeal struck down the restriction on recovery for non-economic damage.
While Vidal-Hall v Google is likely to make its way to the UK Supreme Court, the Court of Appeal’s conclusions in respect of fundamental rights are likely to be relied on by claimants seeking damages in Ireland, particularly since the new General Data Protection Regulation (GDPR) will bring such damages into law in all 28 member States. Whether such arguments will carry weight in the Irish courts, where civil actions for data breaches have already increased dramatically, remains to be seen until the GDPR is formally adopted and directly effective in Ireland.
What is clear is that organisations should review the effectiveness of their data protection policies and practices sooner rather than later. Proper incident detection measures and effective response management to data protection related incidents or complaints are crucial to protect organisations from unwanted civil actions.
Contributed by John Magee