Everyone knows the concept of ambulance chasers – personal injury lawyers who seek out victims of accidents or negligence to help/persuade the latter to make compensation claims. With today’s judgment in the Court of Appeal in the case of Vidal-Hall & Ors v Google [2015] EWCA Civ 311 one wonders if we will start to see data protection ambulance chasers, arriving at the scene of serious “data breaches” with their business cards.
This is because the Court has made a definitive ruling on the issue, discussed several times previously on this blog, of whether compensation can be claimed under the Data Protection Act 1998 (DPA) in circumstances where a data subject has suffered distress but no tangible, pecuniary damage. Section 13 of the DPA provides that
(1)An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage.
(2)An individual who suffers distress by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that distress if—
(a)the individual also suffers damage by reason of the contravention
This differs from the wording of the European Data Protection Directive 95/46/ec, which, at Article 23(1) says
Member States shall provide that any person who has suffered damage as a result of an unlawful processing operation or of any act incompatible with the national provisions adopted pursuant to this Directive is entitled to receive compensation from the controller for the damage suffered
It can be seen that, in the domestic statutory scheme “distress” is distinct from “damage”, but in the Directive, there is just a single category of “damage”. The position until relatively recently, following Johnson v Medical Defence Union [2007] EWCA Civ 262, had been that it meant pecuniary damage, and this in turn meant, as Buxton LJ said in that case, that “section 13 distress damages are only available if damage in the sense of pecuniary loss has been suffered”. So, absent pecuniary damage, no compensation for distress was available (except in certain specific circumstances involving processing of personal data for journalistic, literary or artistic purposes). But, this, said Lord Dyson and Lady Justice Sharp, in a joint judgment, was wrong, and, in any case, they were not bound by Johnson because the relevant remarks in that case were in fact obiter. In fact, they said, section 13(2) DPA was incompatible with Article 23 of the Directive:
What is required in order to make section 13(2) compatible with EU law is the disapplication of section 13(2), no more and no less. The consequence of this would be that compensation would be recoverable under section 13(1) for any damage suffered as a result of a contravention by a data controller of any of the requirements of the DPA
As Christopher Knight says, in a characteristically fine and exuberant piece on the Panopticon blog, “And thus, section 13(2) was no more”.
And this means a few things. It certainly means that it will be much easier for an aggrieved data subject to bring a claim for compensation against a data controller which has contravened its obligations under the DPA in circumstances where there is little, or no, tangible or pecuniary damage, but only distress. It also means that we may well start to see the rise of data protection ambulance chasers – the DPA may not give rise to massive settlements, but it is a relatively easy claim to make – a contravention is often effectively a matter of fact, or is found to be such by the Information Commissioner, or is conceded/admitted by the data controller – and there is the prospect of group litigation (in 2013 Islington Council settled claims brought jointly by fourteen claimants following disclosure of their personal data to unauthorised third parties – the settlement totalled £43,000).
I mentioned in that last paragraph that data controller sometimes concede or admit to contraventions of their obligations under the DPA. Indeed, they are expected to by the Information Commissioner, and the draft European General Data Protection Regulation proposes to make it mandatory to do so, and to inform data subjects. And this is where I wonder if we might see another effect of the Vidal-Hall case – if data controller know that by owning up to contraventions they may be exposing themselves to multiple legal claims for distress compensation, they (or their shareholders, or insurers) may start to question why they should do this. Breach notification may be seen as even more of a risky exercise than it is now.
There are other interesting aspects to the Vidal-Hall case – misuse of private information is, indeed, a tort, allowing service of the claims against Google outside jurisdiction, and there are profound issues regarding the definition of personal data which are undecided and, if they go to trial, will be extremely important – but the disapplying of section 13(2) DPA looks likely to have profound effects for data controllers, for data subjects, for lawyers and for the landscape of data protection litigation in this country.
The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.
informationrightsandwrongs 
I may ring my lawyer on the strength of this, having been ‘banned’ from pursuing DP (and FOI) statutory rights by (I think) the then monitoring officer at Cheshire West and Chester Council, sans any member scrutiny.
The ‘ban’ lasted 20 months and I may even have been unable to exercise what are known as my ‘Human Rights’ – at least according to the ICO.
I think it could be worth dipping my toe in the water, although I wouldn’t be so crass as to describe my approach as ‘ambulance chasing’. Certainly not.
Thanks for your comment Paul, bear in mind my flippant (crass if you like) ambulance-chasing reference was, for obvious reasons, to lawyers, not claimants. I’d hope that was clear from the post.
Thank you Jon. Point taken
Pingback: Data privacy: the tide is turning in Europe – but is it too little, too late? | NO2NSA
Pingback: Data privacy: the tide is turning in Europe – but is it too little, too late? – The Guardian | Everyday News Update
There is an important issue about compatibility – can email you a short case note
That would be great Joseph, thanks. You may have my email address but I’ll send you a Twitter DM just in case not.
Pingback: Carphone Warehouse and the DPA risks | informationrightsandwrongs
How seriously would it be viewed if the breach of confidentiality was due to non-compliance by local authority with NHS Statutory Restrictions on data handling issued in 1974 and underpinning section 46 of ‘Confidentiality – NHS Code of Conduct’ all local authorities must follow. By disclosing individual’s information which it was not entitled to have in the first place, according to the Department of Health? The disclosure having caused serious damage to one’s general health and great degree of distress and anxiety, all well documented?
I’m afraid I simply couldn’t say. That would be a matter for the court (or the Information Commissioner).
Thanks. It would be therefore more for a court to decide, as the ICO told me that as the legislation which is an NHS Statutory Restriction on data handling is outside of his remit, he cannot comment and any violations should be reported to the NHS. However, the NHS referred me to the Department of Health – who referred me back to the NHS, and so on it goes… Could I therefore use para 13 in this case, without actually having reported the breach?
I’m not sure I fully understand – can you point me to the specific legislation you are referring to? If ICO doesn’t think this is within its remit then I don’t see how it could be a contravention of the Data Protection Act 1998 giving rise to the possibility of a claim under section 13 of the same.
Thanks for reply. Indeed why should it be a contravention of the DPA when the matter is outside of the DPA. The legislation I am referring to is the NHS(Venereal Regulations)1974, which control the disclosure of a newly added medical condition, that of HIV. The unauthorised disclosure of person’s HIV status happened due to Council’s non-compliance wit his Notice (para 10), which required the Council to see his explicit written consent when contemplating disclosure and to remove any HIV related information from his files not directly involved in his medical care. Although the individual requested a confirmation from the Council, it failed to provide one. Most importantly, it failed to reply within 28 days as it was obliged to do by para (10(-(3). It did not remove the specific information and it was disclosed some 16 months later without his knowledge/consent. Therefore, he can now avail himself of para 13 due to the breach of para 10-(3). My colleague Frank Christie has asked questions about this elsewhere on this website, way back in 2015/ early 2016.
The ICO is not aware about the breach of para 10-(3). He is not required to be told, as he can only issue an ‘assessment’, which they courts are not obliged to consider. It is worthless.
Strangely, not a single sole is sure who should deal with this serious disclosure, which has caused the individual considerable damage to his general health and unwarranted distress and anxiety, requiring urgent hospitalisation in early 2014.
hope this helps
PS: The only comment the ICO made is as the disclosure of information was in breach of the NHS Statutory Restrictions it would be a breach of the 1st Principle ‘processed lawfully …’
Pingback: Data Protection distress compensation for CCTV intrusion | informationrightsandwrongs
Pingback: Data Protection (and other) compensation awarded against Ombudsman | informationrightsandwrongs
Pingback: A royal letter before claim | informationrightsandwrongs