Date:

Privacy Mistakes = Payments For Distress = A Game Changer?

The Court of Appeal has awarded someone £750 for distress arising from a mistaken disclosure of personal data. We skip through the case and digest what it might mean for the future of data protection compliance, given that some data breaches affect thousands of people.

So what happened?

In broad terms a consumer credit company, Creation Consumer Finance Limited, ended up in dispute with one of its borrowers (a Mr or Ms Halliday). The dispute left Creation owing Halliday £1500 and with a court order that all Halliday's data should be deleted from its records.

Creation paid the money it owed Halliday into someone else's bank account by mistake, made a second payment to Halliday, and then sought to get the first payment back.

Bizarrely, Creation sought to recover this money from Halliday. Unsurprisingly Creation went unpaid and later dropped the proceedings, but not before they had inaccurately informed a credit reference agency that Halliday owed them money.

Halliday was presumably quite annoyed by all this. In any case, he/she brought proceedings to enforce the original court order on the basis that Creation must have continued to hold his/her personal data, and for passing inaccurate information on to the credit reference agency.

What legal points came into play?

It looks like Creation breached the Data Protection Act 1998 in at least two areas (sadly the breaches made out are not completely clear from the available Court reports).

  1. They almost certainly breached the fourth data protection principle (accuracy) in using an inaccurate record - namely their record that Halliday owed them money - and then compounded this breach by sharing it with the credit reference agency.
     
  2. They may have breached the fifth data protection principle (data retention) in holding on to the original personal data they had on Halliday after it ceased to be necessary for the purposes of the consumer credit agreement (and in breach of court order).

Although not widely used, section 13 of the Data Protection Act 1998 (DPA) gives the right to individuals to sue for compensation in two key situations, both of which were triggered in this case.

Specifically, an individual can:

  • claim damages for any losses they suffer (e.g. if Halliday's credit rating had been hit, and they had missed out on other loans as a result)
     
  • where they have sufferred losses, also claim compensation for distress.

Why an award for distress? (Forgive us, but this does include a bit of legal analysis!)

Both the judge at the original trial and the Court of Appeal felt that Creation's mistake was a technical one. Halliday had not really lost anything. There was no evidence of actual harm to their credit rating or reputation. On this basis, the original trial judge only awarded Halliday nominal damages for loss (£1!). Given the way the DPA is worded, the original judge logically felt a claim for distress could not be made out as no real losses had been suffered.

The Court of Appeal disagreed. Frustratingly, the current Court reports do not really explain why. (See our "editors" comment below). Our best guess is that the Court of Appeal felt a nominal loss was enough to trigger a distress claim. In short, "nominal loss" is not the same as "no loss".

This position may seem artificial, but it does make sense both in law and practice:

  • Nominal damages are there to recognise a civil wrong (i.e. Creation's breach of the DPA) because this is morally the correct thing to do. This position applies even where actual harm cannot be ascertained e.g. because little or no evidence is put forward.
     
  • In Halliday's case, it looks like the Court of Appeal did think that there was some possibility of harm, albeit unquantified, to Halliday's reputation and credit. In awarding nominal damages, the Court was recognising this fact, and in doing so opened up the possibility for Halliday to claim distress as well.
     
  • In layman's terms, Halliday might not have been actually harmed by Creation's DPA breach, but he/she could have legitimately worried about its ramifications. In this situation there is obvious logic in allowing Halliday to claim for distress.

How did the Court of Appeal calculate the level of compensation for distress?

That is a very good question we cannot answer due to the thin nature of the current Court reports. (See our "editors" section below).

Halliday wanted the Court of Appeal to follow previous discrimination caselaw, but the Court felt this was unhelpful and seemed to have treated the issue on its own merits.

Interestingly, distress awards in discrimination claims can run into many £1,000s. In taking the line it did, the Court of Appeal has placed privacy and data protection "distress" in a seemingly far lower category, which is probably fair.

So what does all this mean in practice?

In and of itself, this case is obviously not going to change the world.

Its true importance only arises when put in context.

We have the public becoming gradually more privacy aware, and arguably more concerned about privacy issues, especially trust. The ICO is increasingly agitating for greater powers and a tougher line from the Courts. We also have the EU looking to beef up individuals' rights, oblige organisations to tell individuals of data breaches, and encourage class litigation, all through its draft General Data Protection Regulation.

Put these factors together and an increase in the numbers of individuals bringing data breach claims seems likely. Against this backdrop, the right for one individual to recover £750 for distress where they suffered no real loss, all of a sudden feels like a big issue.

To illustrate, the ICO recently said that over 800,000 people were affected by breaches of the current Data Protection Act in the 3 months to March this year. Under the proposed new Regulation, all of these people would have been told of the breach that affected them. Even if only 10% also knew of their right to claim distress and were actually bothered to raise the point, this amounts to a potential total liability of £6m a quarter for organisations in breach, excluding associated legal and admin costs.

The point is even more startling if you look at another specific case. Torbay County Council accidentially published over 1,300 people's sensitive personal data on its website in 2011, It published each individual's name, date of birth, National Insurance number, race, disability status and ethnicity, i.e more than enough to trigger attempts at fraud or abuse. No one is quite sure how many people saw the information, but the ICO investigation pointed to around 300. The information was available for 19 weeks. To the casual observer, you'd have thought that each affected individual would have had a decent claim for distress. If they had each done so at the same level as Halliday, this would have added a further £975,000 to Torbay's overall bill (which already included a £175,000 fine from the ICO and no doubt a decent amount of remedial and process improvement costs).

We should not over-exaggerate this hypothetical picture though. Halliday is an exceptional case. People do not currently appreciate their rights, or generally have the wherewithal to bring a claim, let alone win, and the legal industry has not yet woken up to the possibility of volume claims in this area. Will this picture change in due course? We will have to wait and see.

Quick aside on the draft General Data Protection Regulation.

In the interests of accuracy, we should point out that the draft General Data Protection Regulation does not contain an express right to claim compensation for distress. That said, neither does the current EU Directive on which the DPA is based. The right to claim distress came about through the UK government's interpretation of the Directive when translating it into UK law, no doubt because they felt a claim for distress was appropriate, and also to reinforce the general law in this area.

Given that the draft Regulation will directly replace the DPA, it remains to be seen whether the European courts and data protection regulators, including our own in the UK, will interpret the general right to compensation for "damage" in the draft Regulation to allow distress awards. Again, only time will tell.

This information is intended as a general discussion surrounding the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. DWF is not responsible for any activity undertaken based on this information.