Roisin Harper

The Garrick Session 2018 – Data Privacy: Data Breach Claims

Previous Post
Next Post

“Where there’s muck, there’s brass”

Before 25th May, a general expectation existed amongst data practitioners that we will see an increase in individuals making claims for compensation because of a data breach. The civil claims that hit the headlines as soon as GDPR came into effect, against companies such as Facebook and Google, involve arguments around data processing for targeted advertising – how can consent be freely given if there is no alternative but to agree to data being used for targeted advertising to use a particular app etc? Regulators across Europe including the UK’s ICO are reporting increases in reported data breaches and complaints. [i]

What we have yet to see is an updated Judgment in this jurisdiction for an individual data subject’s claim for compensation, however, cases decided pre 25th May should still be relevant.


The Updated Legislation

Individuals have the right to compensation for material and non-material damage under GDPR[ii] and the Data Protection Act 2018 specifies that non-material damage includes distress.[iii]


Pre 25th May 2018

Individual data subjects could (and did) pursue claims for compensation under previous data protection legislation.[iv] The judgment in Vidal-Hall v Google[v] made its mark by determining that distress could be a stand-alone head of claim. A claimant pursuing compensation for non-material damage, such as distress, did not need to establish that they also suffered pecuniary loss (material damage) to do so. 

TLT & Ors. v the Secretary of State for the Home Department and The Home Office[vi] followed a year later, with claimants seeking compensation for a data breach that involved the publication of personal data on-line in error.

In terms of the success of the claimants (and failure of the defence), witness performance was key. The consequences of the loss of privacy resulting from the data breach for each claimant and how convincingly they could articulate that, impacted the level of damages awarded.

The impact of the defendant’s behaviour in the aftermath of the breach was also discussed. The failure to alleviate the claimant’s concerns about the data breach, causing further frustration through delayed response and redacting information to the extent that it was incomprehensible, were all noted.

The non-material damages for distress awarded by the judge were described as “not out of kilter” with awards for psychiatric damage. The first two claimants were awarded £12,500, comparable to awards for ‘moderate’ psychiatric/psychological damage. The other claimants’ awards ranged from £2,500 - £6,000, comparable to awarded for less severe psychiatric/psychological damage.

TLT & Ors is a judgment handed down in England and Wales, so what about the NI jurisdiction? CG v Facebook Ireland Limited and Joseph McCloskey[vii] was brought by a plaintiff suing the defendants in connection with a number of posts about him on a Facebook page called ‘Keeping our Kids Safe from Predators 2.’ The plaintiff had been convicted of sex offences, had served his sentence and was living with his father. As a consequence of the postings on Facebook, the plaintiff suffered from verbal and minor physical assaults, with an exacerbation of his pre-existing anxiety disorder. His family was also affected, including his father, brother and disabled child. The plaintiff was awarded £20,000.

As seen in TLT & Ors, the defendant’s actions are called into question, with the court not accepting that Facebook could not have moved more quickly to investigate and remove posts about the plaintiff. The judgment specifically highlights that Facebook,

 “…called no witness to give oral evidence at the trial…[that] meant that the court had no evidence in relation to a number of issues.”

This resulted in the court drawing adverse inference against Facebook, that the system they had in place to identify and remove offending posts “would not withstand independent scrutiny and was inadequate.”

As for the second defendant, his is quoted as posting on Facebook,

…you can’t get blood outta stone I’m skint they can work away…”

The judgement goes on to note that “…he is totally indifferent to the lawlessness of his conduct safe in the knowledge that he cannot suffer any financial penalty.”  


To conclude

Defendants should keep in mind that their actions in response to a data breach will matter. If there are any steps that can be taken to alleviate a potential claimant’s concerns about the consequences of the data breach, these should be actioned in a timely manner.

For further information, contact Roisin


[i] see Guardian article, 26th June 2016

[ii] Article 82

[iii] Chapter 12 Part 6 Section 168                                                

[iv] Data Protection Act 1998 c. 29 Part II Section 13 (repealed)

[v] [2015] EWCA Civ 311

[vi] [2016] EWHC 2217 (QB)

[vii] [2015] NIQB 11 NB arguing a breach of the DPA 1998 was unsuccessful due to geographical limitations since removed by GDPR

Share this post

Aisling Mellon
7 months ago by Aisling Mellon
A driver and passenger made personal injury claims as a result of a rear-end collision in 2016. Acting on behalf of the Defendant vehicle’s insurer,  our investigations uncovered a plethora of issues with the veracity of the accident circumstances.  At the conclusion of the cases, Judge Giplin described the Defendant’s evidence as “sufficient cogent evidence” leading him to conclude that the accident was “fraudulently staged”.  Orders were made against both Plaintiffs to pay the insurer’s costs.

Aisling Mellon
10 months ago by Aisling Mellon
There are two ingredients for vicarious liability: an employment relationship/one akin to employment, plus an act done within the field of employment activities. A useful way of thinking about it is Relationship + Act = Vicarious Liability. There has been a broadening of both sides of the formula. With the Supreme Court case of Mohamud v WM Morrisons Supermarket plc[i], the ‘Act’ part of the formula has gone from an act closely connected to employment, to an act which is in the field of activities of the duties expected of the employee.  With the increase in historical sexual abuse claims, the Courts have had to consider relationships outside of the traditional employer/employee sphere. The first ingredient, the ...