In 2015 the Court of Appeal ruled, in the case of Vidal-Hall v Google, that compensation under the DPA could be awarded for distress alone.
Google appealed this aspect of the judgment to the Supreme Court; however, the appeal was withdrawn after the parties reached an agreement. The ICO is currently reviewing this guidance to reflect the ruling.
In brief – what does the Data Protection Act say about the right to compensation?
If an individual suffers damage because you have breached the Act, they are entitled to claim compensation from you. This right can only be enforced through the courts. The Act allows you to defend a claim for compensation on the basis that you took all reasonable care in the circumstances to avoid the breach.
In more detail…
Does the Act define “damage”?
No. But an individual who has suffered financial loss because of a breach of the Act is likely to be entitled to compensation.
A customer of an internet mail order company has been the subject of a security breach. All his information, including his credit card details, was freely available on the internet for almost 24 hours before the site was taken down. He has had to freeze his credit card account and is worried that he will be a victim of identity fraud.
He does not trust the company not to do this again. They had been the cause of a previous security breach, and at that time he had asked to have his details removed from their customer list. He asks the court to award him compensation. The court may do so if the individual can show that he has suffered financial loss because of the breach of the Act.
What about distress?
In many cases, a breach of the Act will not cause an individual financial loss, but it may be distressing to find that personal data has been processed improperly. If an individual has suffered damage, any compensation awarded may take into account the level of any associated distress, but distress alone will not usually be sufficient to entitle an individual to compensation (unless the processing was for the purposes of journalism, literature or art).
An individual’s name is entered onto an employee fraud database without justification. The individual is understandably distressed to discover the implication that he is a fraudster. However, the information about him is removed from the database before he applies for a new job, and so he suffers no damage as a result of the error. The employee has no entitlement to compensation for distress alone.
In the previous example, the fact that the individual’s name appears on the fraud database prevents him from obtaining a job he has applied for. He suffers financial damage as a result. He is entitled to claim compensation for this damage and for the distress he has suffered as well.
What level of compensation might be involved?
There are no guidelines about levels of compensation in this area. Often, the parties can reach agreement about the amount of compensation which is appropriate. If they cannot agree, the court will have to decide. If an individual claims a certain amount in compensation, they will need to be able to show how your failure to comply with the Act has resulted in their incurring that amount of loss or damage.
The ICO cannot award compensation, or give advice on the appropriate level of compensation, even where we have made an assessment that an organisation is likely to have breached the Act.
Can you defend a claim for compensation?
You can obviously defend a claim if you have not breached the Act. If there has been a breach, you can still defend a claim for compensation, but only if you can show that you took such care as was reasonably required in the circumstances to comply with the Act. What you will have to prove will depend on the nature of the breach in question. What is reasonable will depend on the circumstances.
In data protection terms, this means that you have looked at the way you process and protect personal data and that you put in place appropriate checks to prevent any problems occurring. Your defence may rely on describing these checks. Some form of positive action is often necessary and, if a reasonable step or precaution has not been taken, then the defence is likely to fail.