Compensation and the ‘law of everything’: why data protection isn’t the new PPI

Data protection is seldom out of the headlines these days. Whether its massive data breaches involving multinational companies or members of the royal family suing national newspapers.

Even the legality of your Ring doorbell provides a data protection angle to many news stories.

Maybe this isn’t so surprising. The modern world increasingly runs on the fuel of personal information. From our weekly shop, to our music and television consumption, personalisation is at the heart of our increasingly connected society. There are huge benefits from this trend, both for us as consumers and for the companies who collect our information. But there are also risks, particularly where companies misuse our data or allow it to fall into the wrong hands.

Data protection law is intended to give us as individuals rights over how our data is used, and to impose obligations on organisations that process that data. As the trends towards increased data collection and personalisation grow, some commentators have warned that soon all information will be personal, and therefore data protection will evolve into a ‘law of everything’, applying in all sorts of unintended situations. Given the complexities of data protection law, this would be unworkable and ultimately not give the protection that the law is intended to provide.

One of the key rights within data protection law is to give individuals the right to claim compensation for damage or distress caused by any breach of the legislation. This is obviously an important protection for individuals. But if data protection applies to (almost) everything, then individuals may use this right to sue whenever anything goes wrong, even if it is only tangentially related to data protection. Claimants, and some legal advisors, have sought to take advantage of this, leading to an apparent increase in legal claims citing data protection.

Fortunately, that trend may be checked by a series of significant court judgments in recent weeks. The most high profile was that of Lloyd v Google, which was heard in the UK’s Supreme Court. Google successfully argued that a proposed class action claim on behalf of up to 4 million iPhone users should not be continued. The judgment reiterated that compensation was only payable where an individual could show that they had suffered material damage or distress as a result of a breach of data protection law. It was not enough that there was a mere loss of control of personal data. This is likely to deter some of the more spurious claims, and the emphasis on individual consequences also makes the prospect of large-scale representative actions much less likely.

In Rolfe v Veale Wasbrough Vizards LLP, the defendant firm of solicitors had sent an email containing personal information about the claimants to the wrong address in error. The issue was discovered quickly and the information deleted. The claimants nevertheless sued for damages. The case was dismissed and the claimants ordered to pay costs, with the judge commenting that, “In the modern world it is not appropriate for a party to claim … for breaches of this sort which are, frankly, trivial”.

Johnson v Eastlight Community Homes is another recent High Court case involving similar facts. In this case, the defendant housing association sent an email containing personal information of the claimant to another person. Again, the issue was discovered and the information deleted. The claimant sought damages and other remedies, alleging distress caused by her personal information, including her address, being disclosed. The claim was issued in the High Court and the claimant’s solicitors confirmed that they had already incurred costs of £15,000, which they expected to rise to over £50,000. However, the value of the claim was stated to be no more than £3,000. The judge was highly critical of the claimant for bringing what appears to be a relatively trivial case before the High Court, stating “… the real point in this case is whether the Claimant’s entitlement is to purely nominal or instead extremely low damages. It is never going to be much more, a point that surely was [or ought to have been] obvious to the Claimant and her advisors from the outset.” The judge ordered the case to be transferred to the County Court. The significance of this decision is that legal costs cannot usually be recovered in the County Court. Future potential claimants and law firms are likely to be reluctant to take on claims where costs are not recoverable.

Taken together, these cases show that the courts are unwilling to adopt a strict compensatory regime for data protection claims. Instead, they are putting the onus on claimants to demonstrate the specific damage or distress caused in each case, which can often be difficult in data protection cases. And they are prepared to dismiss cases where there is no obvious damage caused.

All of this should be good news. As data protection law continues to expand, breaches are inevitable. It is absolutely right that, where breaches cause damage or distress, those individuals have the right to claim compensation. However, not all breaches will cause damage and, in any case, the law is not intended to allow individuals (or, more pertinently, litigation funders and claimant solicitors) to profit from every breach. As Lord Leggatt puts it in Lloyd v Google, the object of this compensatory principle is “… putting the claimant – as an individual – in the same position, as best money can do it, as if the wrong had not occurred.”

Published in Business Matters – 22 November 2021