“Where there’s muck, there’s brass”
Before 25th May, a general expectation existed amongst data practitioners that we will see an increase in individuals making claims for compensation because of a data breach. The civil claims that hit the headlines as soon as GDPR came into effect, against companies such as Facebook and Google, involve arguments around data processing for targeted advertising – how can consent be freely given if there is no alternative but to agree to data being used for targeted advertising to use a particular app etc? Regulators across Europe including the UK’s ICO are reporting increases in reported data breaches and complaints. [i]
What we have yet to see is an updated Judgment in this jurisdiction for an individual data subject’s claim for compensation, however, cases decided pre 25th May should still be relevant.
The Updated Legislation
Pre 25th May 2018
Individual data subjects could (and did) pursue claims for compensation under previous data protection legislation.[iv] The judgment in Vidal-Hall v Google[v] made its mark by determining that distress could be a stand-alone head of claim. A claimant pursuing compensation for non-material damage, such as distress, did not need to establish that they also suffered pecuniary loss (material damage) to do so.
TLT & Ors. v the Secretary of State for the Home Department and The Home Office[vi] followed a year later, with claimants seeking compensation for a data breach that involved the publication of personal data on-line in error.
In terms of the success of the claimants (and failure of the defence), witness performance was key. The consequences of the loss of privacy resulting from the data breach for each claimant and how convincingly they could articulate that, impacted the level of damages awarded.
The impact of the defendant’s behaviour in the aftermath of the breach was also discussed. The failure to alleviate the claimant’s concerns about the data breach, causing further frustration through delayed response and redacting information to the extent that it was incomprehensible, were all noted.
The non-material damages for distress awarded by the judge were described as “not out of kilter” with awards for psychiatric damage. The first two claimants were awarded £12,500, comparable to awards for ‘moderate’ psychiatric/psychological damage. The other claimants’ awards ranged from £2,500 - £6,000, comparable to awarded for less severe psychiatric/psychological damage.
TLT & Ors is a judgment handed down in England and Wales, so what about the NI jurisdiction? CG v Facebook Ireland Limited and Joseph McCloskey[vii] was brought by a plaintiff suing the defendants in connection with a number of posts about him on a Facebook page called ‘Keeping our Kids Safe from Predators 2.’ The plaintiff had been convicted of sex offences, had served his sentence and was living with his father. As a consequence of the postings on Facebook, the plaintiff suffered from verbal and minor physical assaults, with an exacerbation of his pre-existing anxiety disorder. His family was also affected, including his father, brother and disabled child. The plaintiff was awarded £20,000.
As seen in TLT & Ors, the defendant’s actions are called into question, with the court not accepting that Facebook could not have moved more quickly to investigate and remove posts about the plaintiff. The judgment specifically highlights that Facebook,
“…called no witness to give oral evidence at the trial…[that] meant that the court had no evidence in relation to a number of issues.”
This resulted in the court drawing adverse inference against Facebook, that the system they had in place to identify and remove offending posts “would not withstand independent scrutiny and was inadequate.”
As for the second defendant, his is quoted as posting on Facebook,
“…you can’t get blood outta stone I’m skint they can work away…”
The judgement goes on to note that “…he is totally indifferent to the lawlessness of his conduct safe in the knowledge that he cannot suffer any financial penalty.”
Defendants should keep in mind that their actions in response to a data breach will matter. If there are any steps that can be taken to alleviate a potential claimant’s concerns about the consequences of the data breach, these should be actioned in a timely manner.
For further information, contact Roisin
[ii] Article 82
[iii] Chapter 12 Part 6 Section 168
[iv] Data Protection Act 1998 c. 29 Part II Section 13 (repealed)
[v]  EWCA Civ 311
[vi]  EWHC 2217 (QB)
[vii]  NIQB 11 NB arguing a breach of the DPA 1998 was unsuccessful due to geographical limitations since removed by GDPR