Has it changed the rules in the Data Protection Act 1998 (DPA) for handling personal data? – no it hasn’t.
So why all the fuss about this case? - because it has big implications for the level of compliance risk that organisations have under the DPA and related privacy laws.
Previously, many breaches of the DPA fell out of scope of DPA compensation rights because, although a breach may have caused an individual distress, they had no right to compensation for distress unless they had also suffered ‘damage’. In this case, the claimants alleged that ‘severe distress and anxiety’ had been caused by the unexpected capture of their web browsing habits (through the placing of cookies on Apple Safari browsers) and the potential for disclosure of their interests and ambitions (through targeted advertising appearing on devices being used by them).
Whilst the court did not rule whether, based on these facts, the claimants had suffered ‘damage’, importantly, it held that ‘damage’ does not have to involve monetary damage. Consequently, the threshold for damage is potentially lowered, which in turn opens up the potential for distress as a head of claim not previously contemplated. This has led to fears of the floodgates opening to compensation claims under the DPA, and organisations are therefore urged to consider whether they need to review their risk exposure.
The requirement to be transparent about placing cookies on devices to create and use behavioural profiles, or to obtain, where necessary, consent to send marketing communications by electronic and other means, is by no means novel. However, this ruling could make it easier for recipients of unwanted direct marketing to also claim compensation under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), not only in the business to consumer context but also for business to business (B2B) marketing. Organisations may therefore wish to consider whether their B2B marketing activities are as firmly embedded into their compliance practice and risk profiles as their business to consumer marketing.
Businesses need to look beyond merely whether their privacy notices are adequate and any necessary consents are being obtained. As compensation provisions in the DPA apply to breaches of any requirement of the DPA, they may wish to examine any other pressure point areas and re-assess risk. For example:
- Are data subject access requests being dealt with promptly?
- Are marketing suppression requests effectively actioned?
- Are regular checks undertaken to update and cleanse personal data?
- Is a privacy impact assessment undertaken before personal data is routinely shared with third parties?
- Do contracts with suppliers have robust provisions to protect the personal data they handle on behalf of your organisation, and have they been reviewed to reflect market and technological changes (e.g. the use of cloud based services)?
- What do customers or employees most commonly complain about to your organisation regarding the handling of their personal information?
It remains to be seen what in practice will amount to non-monetary damage for the purposes of compensation claims under the DPA and/or PECR.
However, the case is a reminder of the need for businesses to have good governance, procedure and policy around their handling of personal data. The Information Commissioner urges organisations to ensure their practices meet with the current law, in preparation for the long-debated Data Protection Regulation. Recent reports that it is set to be unveiled at the end of 2015 are another good reason to take stock.
On a positive note, good compliance isn’t all bad news - a review of current practices also brings with it the opportunity to increase customer trust and to explore new ways to make the most of commercial opportunities for use of customer data.
UPDATE: 18 August, 2015
Google have been granted leave to appeal the court's decision in the Vidal Hall case. In a wider development on the right to be forgotten, the ICO served a formal notice requiring Google to remove out of date conviction information under ‘Right to be Forgotten’ law.
This information is intended as a general discussion surrounding the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. DWF is not responsible for any activity undertaken based on this information.