Out-Law / Your Daily Need-To-Know

Out-Law News 4 min. read

Data protection compensation claim fails to prove 'damage'

Businesses that breach UK data protection law or misuse personal information are not automatically obliged to pay compensation to people affected by that breach, the High Court in London has confirmed.

Mr Justice Warby outlined the position in a ruling on Monday issued in a case involving internet giant Google.

Richard Lloyd, former executive director of consumer watchdog Which?, had lodged a claim against Google arguing for compensation for him and approximately 4.4 million others in England and Wales over an alleged breach of UK data protection laws by the company over a number of months in 2011 and 2012.

However, the High Court dismissed the claim on the basis that Lloyd had failed to show that those affected by the alleged breach had suffered 'damage'.

The dispute concerned Google's placing of advertising tracking cookies on the devices of users of Apple's 'Safari' operating system in England and Wales between June 2011 and February 2012. The cookies tracked users' internet use when they visited websites within Google's 'DoubleClick' advertising network.

Google previously settled two cases in the US that were brought against it by federal and state regulators respectively. The company stopped tracking Safari users and showing them personalised advertising once the issue was brought to its attention.

Lloyd specifically challenged whether Google had fulfilled its duties under the Data Protection Act (DPA) of 1998 – the legislation in place at the time of the tracking – to process personal data fairly and lawfully, for specified and lawful purposes and had taken appropriate technical and organisational measures to prevent unauthorised or unlawful processing of the data or against its accidental loss, destruction or damage.  Lloyd lodged a claim for compensation under the DPA.

Under section 13 of the DPA, a person is generally entitled to compensation if they suffer damage as a result of an infringement of a section of the DPA by organisations that control their personal data. The Court of Appeal in London previously clarified that 'damage' can mean distress and is not just limited to financial damage.

Mr Justice Warby ruled, though, that the claim against Google did not "disclose a basis for seeking compensation" under the Act. Nothing in the claims made by Lloyd "contains a description of something that, of itself, counts as 'damage'", he said.

People raising claims for compensation under the DPA must be able to show that there has both been a contravention of a requirement of the DPA and that, as a result, they have suffered damage, the judge said. The fact of a breach on its own does not give rise to the right to compensation, he said.

"Even if the data controller had no justification for its conduct, and was found in breach of duty, the remedy which the law requires does not have to be the remedy of compensation, if no consequences followed from the breach," the judge said.

Mr Justice Warby said that Lloyd's arguments relating to the right to compensation had been based on case law concerning damages for misuse of private information and the wrongful use of property. However, he said that the right to damages for misuse of private information is not automatic either.

The judge said that while the case law supports the possibility of damages being awarded for misuse of private information in the absence of material loss or distress, it does not mandate the award of compensation in such cases.

He also said that it cannot be presumed that every person affected by the non-consensual disclosure or use of their private information would have objected to that.

"I do not believe that the authorities show that a person whose information has been acquired or used without consent invariably suffers compensatable harm, either by virtue of the wrong itself, or the inference with autonomy that it involves," Mr Justice Warby said. "Not everything that happens to a person without their prior consent causes significant or any distress. Not all such events are even objectionable or unwelcome… Some are quite happy to have their personal information collected online, and to receive advertising or marketing or other information as a result. Others are indifferent."

"Neither category suffers from 'loss of control' in the same way as someone who objects to such use of their information, and neither in my judgment suffers any, or any material, diminution in the value of their right to control the use of their information. Both classes would have consented if asked. In short, the question of whether or not damage has been sustained by an individual as a result of the non-consensual use of personal data about them must depend on the facts of the case. The bare facts pleaded in this case, which are in no way individualised, do not in my judgement assert any case of harm to the value of any claimant's right to autonomy that amounts to 'damage' within the meaning of [section 13 of the DPA]," he said.

The judge also concluded that the claim raised by Lloyd failed to fulfil "the essential requirements for a representative action". He said Lloyd and the others that would join the case against Google could not be said to be pursuing the "same interest", as is required under the civil procedure rules of the court.

Mr Justice Warby accepted Google's arguments that "the existence of a common grievance against the same defendant is not enough to satisfy the 'same interest' condition". He said all members of a representative action must be shown to have "suffered the same damage". He also said the representative action procedure is "unavailable" where businesses can raise "different potential defences" against claims made by "different members of the class".

Pinsent Masons, the law firm behind Out-Law.com, acted for Google in the case.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.