11 March 2016
Data Breach Claims Aren’t Just for Financial Losses
The Data Protection Act 1998 (DPA) is in place to protect your personal data and does so by placing obligations on organisations as to how they handle that data. So, what can you do if you believe your data has been used unlawfully?
When you give your personal information to a third party, they have a duty to look after that data and ensure that it’s only used for the purpose that they need it for. If they use it for something that you haven’t agreed to then they may have breached the DPA. For example, you give your details to website X to buy some clothes. Here, the website is the data controller. You tick the box that says “don’t share with third parties” so you don’t get spam emails, but you end up getting contacted by numerous and apparently random businesses who say they got your details from website X. As website X had your personal details for the specific purpose of selling clothes to you, it has breached the DPA by passing on your details to third parties without permission.
The example given here is just one of the ways in which an organisation might breach the DPA. Other ways a breach of the DPA can occur include accidental /unlawful destruction, lost data, unauthorised disclosure or access, or if the data is processed in a way that you did not agree to.
The DPA states that you are entitled to compensation from the data controller if you suffer damage due to your data being used unlawfully. In the example above, it would be unlikely that you would have suffered financial loss as a result of website X passing your details to a third party. Prior to 2015, to establish a claim you would have to prove that you had suffered financial loss as a result of the DPA breach, but the position changed from March 2015.
In the case of Vidal-Hall v Google, the claimants sued Google for breach of confidence, misuse of private information, as well as breach of the DPA despite the fact they had not suffered any financial loss. They alleged that Google had been collecting private information about their internet usage from their Safari internet browser without their knowledge or consent, and that Google then used this information in offering commercial services to advertisers.
The Court of Appeal considered the underlying purpose of the DPA was to protect privacy rights rather than economic rights. It held that ‘damage’ should include non-financial damage and therefore disapplied the requirement to prove financial loss. The decision in this case means that anyone who has suffered distress can potentially bring a claim for compensation against an organisation which has used their data unlawfully.
The financial implications for businesses are significant, because individuals can now bring claims where previously they could not, and if there is a large breach with hundreds (or even thousands) of people affected, the financial impact could be huge.
If you believe your data privacy has been breached and you have suffered distress and/or financial loss, then you will need expert legal advice from data protection lawyers. Slater and Gordon have an experienced team who can help. Call us on freephone 0800 916 9081 or contact us online and we will call you.