
Cookies and compensation – claims under data protection legislation

Sadly, this is not an article about payouts resulting from inadequate biscuits, although we had many volunteers to take part in a taste-testing pilot scheme. It is rather about the potential for compensation claims under data protection legislation for breaches.

We are seeing a growing trend in alleged breaches related to automated data collection technologies, such as cookies, giving rise to claim letters from website visitors. 

Two trends in particular are of great concern to businesses. The first is the emergence of enterprising claims farmers: individuals who invest their time identifying websites that are not compliant with the law on cookies and firing off a standard claims letter, citing ‘distress’ and requesting damages. The second is the ‘no-win-no-fee’ offering of law firms (who will usually also provide after-the-event insurance against adverse costs, thereby giving claimants a ‘free hit’) to launch data claims, often over spurious or trivial technical breaches. They advertise online using advanced SEO techniques to attract hundreds of clients searching for phrases like ‘data breach compensation’. The new ambulance chasing for the digital world, perhaps?

In brief, Article 82(1) of the retained UK law version of the General Data Protection Regulation (UKGDPR) specifies that compensation can be payable for a breach of the UKGDPR. Article 82(1) states: ‘Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered’.

Under the Data Protection Act 2018, non-material damage includes distress. In terms of historic claims (arising prior to UKGDPR), the wording of Article 82 of UKGDPR is reasonably similar to section 13 of the Data Protection Act 1998. Therefore, whilst decisions related to the 1998 Act are not binding in respect of UKGDPR and/or the 2018 Act, they are likely to be considered a good indication of future decisions and interpretation of the newer legislation. 

So what does this have to do with cookies? Cookies are commonplace and are used on the majority of websites. They serve a variety of purposes but typically collect and store data about the website users’ actions, usage and/or preferences. Use of cookies is predominantly governed by The Privacy and Electronic Communications (EC Directive) Regulations 2003. This, broadly speaking, requires user consent for cookies to be set by a website. Cookies often collect personal data and therefore their use, and the collection/processing of any personal data they collect, is also subject to UKGDPR and the 2018 Act. Therefore, the compensation provision in UKGDPR can apply to breaches regarding cookies. Data processors and controllers should also have in mind their other obligations under UKGDPR and the 2018 Act as failure to comply with these could also lead to a claim for compensation.

The question is, and has been for a long time, what is necessary beyond a ‘breach’ for a compensation claim to succeed. This key point arises from the basic principle that under UK law, compensation (or damages) for this sort of breach is intended to put the injured party in a position as if there had been no breach. In terms of data protection breaches, that is a hard assessment to make as it is unlikely there will be a defined financial loss in most cases.

In Lloyd v Google LLC [2021] UKSC 50, the Supreme Court recently gave guidance on claims for compensation under the 1998 Act. The case was predominantly about the potential for mass representative claims for data protection breaches, but as part of its ruling the Supreme Court addressed some points on compensation claims.

The Supreme Court determined that not every affected individual can claim for loss of control of their data without some identifiable material damage, or the individual having suffered distress. Whilst this case relates to the 1998 Act, we consider it a good indication of how such issues may be viewed under the newer legislation.

So, in instances of trivial, or potentially even non-trivial, breaches, it is important to ask potential claimants for details of the precise damage they claim they have suffered. As to claims for distress, this will take a more individualised approach, but it is still key to keep in mind the nature of the breach and data involved.

Whilst in an ideal world your business will have a perfect compliance record and not commit any breaches of data protection legislation, compliance is an ongoing obligation and the way in which businesses operate naturally changes over time. The key is to keep your business practices, policies and procedures under regular review with data protection in mind, and to keep a record of the steps taken to achieve compliance. If your business has the misfortune of receiving a letter setting out an alleged claim for compensation, consider carefully whether there has been a breach and, if so, the nature and extent of that breach and what harm it could have caused the individual.

For further information, or if you wish to discuss the issues surrounding cookies, data protection and potential compensation claims, contact James Howarth on 01908 872207, email James.Howarth@howespercival.com or Stephen Ruse on 01604 258064 or email Stephen.Ruse@howespercival.com

 

James Howarth

Howes Percival