Distress must be directly linked to data breach for consumers to claim compensation, rules Court of Appeal

Out-Law News | 22 May 2013 | 8:10 am | 4 min. read

Businesses do not have to pay compensation for causing distress to consumers if they break data protection laws unless the distress suffered by consumers is linked to the breach itself, the Court of Appeal has ruled.

In a recently published judgment, the Court said that the Data Protection Act (DPA) does not oblige businesses to pay individuals compensation for distress that causes damage where the distress caused is not attributable to a breach of the Act.

Under section 13 of the DPA a person is generally entitled to compensation if they suffer damage as a result of violations of a section of the DPA by organisations that hold their personal data. Individuals are also generally entitled to compensation from those data controllers if they suffer distress that causes damage.

Organisations do have a defence to this right to compensation if they can "prove that [they] had taken such care as in all the circumstances was reasonably required to comply with the requirement [that it is alleged to have breached]."

Lady Justice Arden, Lord Justice Lloyd and Mr Justice Ryder were ruling on the point whilst assessing what extent of damages a finance company should be liable to pay a consumer, referred to as 'Halliday' in the ruling, in relation to distress suffered by the man.

Halliday had previously won an order from a district court against Creation Consumer Finance Limited (CCF) in which the finance company was ordered to pay £1500 in compensation and legal costs to settle claims that it had breached Halliday's rights under the DPA. CCF was also ordered to end a credit agreement that had been in place with Halliday, delete all of the consumer's personal data from its systems and provide Halliday with a list of organisations it had passed his details onto and ensure that those bodies deleted the information.

However, CCF paid the £1500 it owed Halliday into a closed bank account. The company pursued the bank to have the money returned and then sought to recover the money from Halliday. During this process Halliday noticed that CCF had entered incorrect information about him in their systems that showed that he was £1500 in arrears. Halliday also found out that the information had been shared with credit reference agency Equifax.

Halliday claimed that CCF had breached the terms of the district court order and that he had been "highly distressed" about that fact and "especially when coupled with the court's seeming inability to protect its process from abuse", according to the Court of Appeal's judgment. He said that CCF should have to pay between £6,000 and £18,000 to compensate him for the distress it had caused.

The Court of Appeal said, though, that Halliday could not claim compensation for distress that was not caused by the actual data protection breach itself.

"[In order to be eligible to claim compensation for distress that causes damage under the DPA] it is clear that the claimant has to be an individual, that he has to have suffered distress, and that the distress has to have been caused by contravention by a data controller of any of the requirements of the Act,"  Lady Justice Arden said in the Court of Appeal's ruling. "In other words, this is a remedy which is not for distress at large but only for contravention of the data processing requirements." 

"It also has to be distress suffered by the complainant and therefore would not include distress suffered by family members unless it was also suffered by him. When I say that it has to be caused by breach of the requirements of the Act, the distress which I accept Mr Halliday would have felt at the non-compliance of the order is not, at least directly, relevant because that is not distress by reason of the contravention by a data controller of the requirements of this Act. If the sole cause of the distress had been non-compliance with a court order, then that would have lain outside the Act unless it could be shown that it was in substance about the non-compliance with the Data Protection Act," the judge said.

The Court said that Halliday's distress had not be directly related to CCF's data protection breach and that therefore the finance company should only have to pay £750 in substantial damages and a further £1 in nominal damages in way of compensation over the case.

Lady Justice Arden said that the breach "did not lead to a loss of creditor reputation" for Halliday and that there was "no proof of any fraudulent or malicious intent on the part of CCF". The breach was caused by a single error only by CCF, she said.

Data risks expert Ian Birdsey of Pinsent Masons, the law firm behind Out-Law.com, said that claims for damages under section 13 of the DPA are often brought in conjunction with other claims.

"It is very rare for claims made under section 13 of the DPA to be brought in isolation," Birdsey said. "More commonly they are made alongside other claims, for example, breach of privacy rights or copyright infringement. The Douglas v Hello! case provides a good example in a privacy context."

"Claimants often find that they have stronger claims based on other causes of action, where the measure of damages is also more significant. Courts tend to award only nominal damages under section 13 of the DPA so any damages awarded tend to pale into insignificance compared to those awarded for privacy or IP claims," he said.

"In addition, individuals can find it hard to show that they have suffered financial harm as a result breaches of the Data Protection Act. There may not be an identifiable financial harm that consumers can point to having suffered unless they have been the victim of fraud, or perhaps incurred other costs, as a result of a data breach where their credit card details were stolen, for example," Birdsey added.