Latest News Events Insights Recent Deals Blog Awards of Damages for Data Protection Breaches – UK and Irish Approaches Contrasted

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.mhc.ie/latest/blog/awards-of-damages-for-data-protection-breaches-uk-and-irish-approaches-contrasted

The recent ruling of the UK Court of Appeal in Google v Vidal-Hall is
another divergence in the approach of the UK and Irish courts to data
protection. The decision in Vidal-Hall means that, in the UK, damages may
be granted even where there is no financial loss to the individual making
the claim. The Court of Appeal also confirmed the existence of the tort
(civil wrong) of misuse of private information. This judgment is in
contrast to the established Irish position in Collins v FBD Insurance,
which restricts damage to actual loss only. While the Irish courts may in
future decide to follow the UK approach, the current Irish approach is more
restrictive. In short, it is now easier to obtain compensation for breaches
of data protection rights in the UK than in Ireland.

The Irish position

In Collins v FBD Insurance, the Irish High Court considered the granting of
damages for various breaches of the Data Protection Acts 1988 and 2003 (the
“DPA”). The core issue was whether Mr Collins was entitled, under Section 7
of the DPA, to compensation in the absence of any damage, including special
damage (such as loss of earnings, property damage and medical expenses),
being proven.

Section 7 provides that “a data controller or a data processor, shall, so
far as regards the collection by him of personal data … or his dealing with
such data” owe a duty of care to affected individuals. The Court accepted
that Section 7 provides for a remedy for breach of the DPA under the law of
torts. The key question was whether proof of damage, suffered by Mr
Collins, was a necessary pre-condition to an award of damages. Having
regard to the provisions of the Data Protection Directive (the
“Directive”), the judge determined that Article 23 of the Directive
provides an entitlement to compensation. However, this entitlement is
subject to proof that the plaintiff has actually suffered damage.

Mr Justice Feeney reasoned that Section 7 does not provide for strict
liability or automatic payment of compensation. Instead, it limits
compensation to the existence of a duty of care within the ordinary law of
torts. Mr Justice Feeney concluded that for the duty to extend to the
payment of damages, without proof of damage or loss, would go beyond the
intention of the Irish parliament.

The UK position post Vidal-Hall

The three claimants in this case complained that Google used cookies to
collect private information about their internet usage via their Apple
Safari browser without their knowledge or consent. This information was
allegedly used by Google as part of their commercial offerings to
advertisers.

The claimants contended that this amounted to a misuse of their private
information, a breach of confidence and a breach of the Data Protection Act
1998 (“UK DPA”). They sought compensation under Section 13 of the UK DPA
for damage and distress but made no claim for financial loss.

Although Google tried to rely on the decision in Collins v FBD, this was
rejected by the Court. In contrast to the Irish High Court, the UK Court of
Appeal found that proof of financial loss is not required. In contrast to
Collins v FBD, the UK Court of Appeal felt that Article 23 of the Directive
should be given its natural and wide meaning - to include both material and
non-material damage. The Court found that since the Directive aims to
protect privacy, rather than economic rights, it would be strange not to
compensate individuals whose privacy had been invaded so as to cause
emotional distress, if not financial loss. The Court determined that the
provisions of the UK DPA which required that the individual must “also
suffer damage”, should be dis-applied as it is inconsistent with EU law.

The Court of Appeal also took the opportunity to confirm that misuse of
private information should be recognised as a distinct tort.

Comment

The case is currently being appealed to the UK Supreme Court, so the final
outcome may change depending on the appeal. It is also possible that the
Supreme Court may submit questions to the Court of Justice of the European
Union, given that Article 23 of the Directive is central to the claim.

The impact in Ireland is interesting. At present, it suggests that it is
easier for a plaintiff to successfully claim compensation in the UK Courts
than before the Irish Courts for data protection claims. Whether the Irish
Courts might choose to follow the UK approach in the future remains to be
seen.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!