Home Knowledge Damages for Data Breaches? Controllers Beware

Damages for Data Breaches? Controllers Beware

May 22, 2015
Partner
Leo Moore

The Court of Appeal in the UK has decided that damages for data protection breaches can no longer be limited to economic damage.  Instead, following the recent decision in Vidal-Hall v Google, data subjects in the UK can now recover damages for mere distress, potentially opening the floodgates to civil claims against data controllers.

The case concerned Google installing tracking cookies in Apple Safari browsers and collecting, without consent, information about the claimants’ online behaviour. The Court found that this “browser generated information” or “BGI” amounted to personal data for which a data protection claim could be brought. The Court also clarified that, independent of data protection law, data subjects may sue for “misuse of private information”.

In Ireland, the courts have until now interpreted the Data Protection Acts in such a way as to prevent recovery for a mere breach of data protection law without proof of damage. This principle reflects a belief that the meaning of “damage” in Article 3 of the Data Protection Directive does not imply an automatic payment of compensation.

The UK data protection legislation provided a similar bar to recovery, which the Court of Appeal has now decided was not compatible with the meaning of “damage” in the Directive.  The Court observed that the Directive was designed to protect privacy rather than economic rights.  Emphasising that privacy and data protection are fundamental rights under the EU Charter of Fundamental Rights, the Court of Appeal struck down the restriction on recovery for non-economic damage.

While Vidal-Hall v Google is likely to make its way to the UK Supreme Court, the Court of Appeal’s conclusions in respect of fundamental rights are likely to be relied on by claimants seeking damages in Ireland, particularly since the new General Data Protection Regulation (GDPR) will bring such damages into law in all 28 member States. Whether such arguments will carry weight in the Irish courts, where civil actions for data breaches have already increased dramatically, remains to be seen until the GDPR is formally adopted and directly effective in Ireland. 

What is clear is that organisations should review the effectiveness of their data protection policies and practices sooner rather than later. Proper incident detection measures and effective response management to data protection related incidents or complaints are crucial to protect organisations from unwanted civil actions.

Contributed by John Magee

Recommended Insights

See all
Article and Insights
1
Feb 2024
Responsible Business Annual Report 2023
William Fry is pleased to launch its Responsible Business Annual Report 2023.
Article and Insights
2
Feb 2024
Digital Operational Resilience Act – second batch of technical standards launched for consultation
We focus on the second batch of draft implementation measures announced by the Eur...
WF_author_blank
Partner
John O’Connor
Article and Insights
2
Feb 2024
John Delaney Documents – Supreme Court Refuses Leave to Appeal
The Supreme Court has refused leave to appeal from a decision rejecting John Delan...
WF_author_blank
Consultant
Deirdre O’Donovan
Article and Insights
24
Jan 2024
Cross-Examining Affidavit Evidence in Insolvency Cases
The High Court recently dismissed a petition seeking the winding up of a biofuel c...
WF_author_blank
Partner
Fergus Doorly
prev
next
See all