Unfortunately, there are more data breaches within businesses than is desirable. Often, these data breaches will result simply in a lesson learned, rather than in any legal action being taken. However, it is important to always be prepared for the possibility of customers involved in the breach taking legal action against you.
Are they within their rights to do so, and will an individual have the ability to claim compensation from your business after a data breach?
This issue was seen recently with Google, after individuals claimed that the company breached the data protection law. The three individuals involved in this Vidal-Hall v Google case asserted that Google had been collecting private information about how they used the internet through the Safari browser on Apple devices. The company had allegedly stored this information without their knowledge or agreement and had gone on to use this data as a part of its marketing offer to advertisers.
The claimants didn’t seek damages for loss of money, but did want compensation for the worry and distress caused by the data breach.
Section 13 of the UK Data Protection Act 1998 indicates that proof of actual monetary loss is required in order to successfully gain compensation. However, in this case, the UK Court of Appeal decided that there was good enough reason for the victims to claim damages and that, in spite of the UK DPA, proof of such measurable loss was not necessary for the claimants to receive their compensation.
The particular section of the Data Protection Act suggests, in broad terms, that if someone suffers damage as a result of a data breach, they are entitled to such compensation. Whilst it does not explicitly state that this damage must be of a measurable value, that is what is implied. The act does state that compensation for distress is payable in certain circumstances.
However, these ‘certain circumstances’ are not specified, suggesting that it is up to individual judges to make an informed decision based on the case they are dealing with at the time and other legal information available to them.
It should be said that the judge did not base this decision solely on personal opinion; section 23 of the EU directive was consulted, in which there was evidence to support the victims’ claims. The directive advises that EU Member States must ensure that anyone who suffers damages because of a data breach should receive compensation for these damages.
The Court of Appeal concluded that, in this context, ‘damages’ should include both material (i.e. monetary) and non-material (i.e. emotional) damage.
Of course, this decision was based on preliminary information, and the final judgement could have been different from these initial decisions. However, the fact that the judge was able to use other legal material to interpret the DPA differently from the most basic reading of the document means that the case certainly proves a point: even when you think you are ‘safe’, you may not be.
Businesses should focus heavily on protecting any data, both new and old, so that they comply with the UK DPA. Now there is even more of an incentive to do so: avoiding having to compensate any individuals affected by such a breach.
The correct procedures for IT asset disposal will play a major part in protecting against these types of loss.