Today, data protection is rarely out of the headlines. Whether its massive data breaches involve multinational companies, members of the royal family suing national newspapers.
Even the legitimacy of your Ring doorbell provides a data protection angle for many news stories.
Perhaps this is not so surprising. The modern world increasingly runs on the fuel of personal information. From our weekly store, to our music and television consumption, personalization is at the heart of our increasingly connected society. There are huge benefits to this trend, both for us as consumers and for the companies that collect our information. But there are also risks, especially when companies misuse our data or let it fall into the wrong hands.
Data protection laws are intended to give us as individuals rights over how our data is used and impose obligations on organizations that process such data. As the trend towards increased data collection and personalization grows, some commentators have warned that all information will soon become personal information and thus data protection will evolve into the ‘law of everything’, applicable in all unintended situations. Due to the complexity of data protection legislation, this would not be feasible and would ultimately not provide the protection the law is intended to provide.
One of the key rights in data protection law is to grant individuals the right to claim damages or hardship resulting from any violation of the law. This is clearly an important safeguard for individuals. But if data protection applies to (almost) everything, individuals can use this right to sue whenever there is a problem, even if it is directly related to data protection. Whether. Complainants, and some legal counsel, have sought to take advantage of this, leading to an apparent increase in legal claims citing data protection.
Fortunately, that trend can be tested by a series of important court rulings in recent weeks. The highest profile is Lloyd v Google, which was tried in the Supreme Court of Great Britain. Google has successfully argued that the proposed class action complaint on behalf of 4 million iPhone users should not continue. The ruling reiterates that compensation is only paid when an individual can prove that they have suffered material harm or suffering as a result of a data protection law violation. Just losing control of personal data is not enough. This is likely to discourage some more false claims, and the emphasis on individual consequences also makes the likelihood of large-scale representative actions much less likely.
In Rolfe v Veale Wasbrough Vizards LLP, the defendant’s law firm sent an email containing personal information about the plaintiffs to the wrong address. The problem was discovered quickly and the information was deleted. However, the claimants sued for damages. The suit was dismissed and the claimants demanded to pay the costs, with the judge commenting that, “In the modern world, it is not appropriate for a party to claim … for those Violations of this kind are, frankly, trivial.”
Johnson v Eastlight Community Homes is another recent Supreme Court case involving similar circumstances. In this case, the respondent housing association sent an email containing the plaintiff’s personal information to another person. Again, the problem was discovered and the information removed. The claimant has sought damages and other remedies, alleging that her personal information, including her address, was leaked. The suit was brought in the High Court and the plaintiffs’ lawyers confirmed they had incurred costs of £15,000, which they expected to rise to more than £50,000. However, the value of the claim should not exceed £3,000. The judge was very critical of the plaintiff for bringing what appeared to be a relatively trivial case before the High Court, stating “… the real point in this case is whether the Plaintiff’s right is entirely the case. nominal damage or instead extremely low damage. It will never be more, a point that is for sure [or ought to have been] clear to the Claimant and her advisors from the outset. ” The judge ordered the case to be referred to the District Court. The implication of this decision is that legal costs generally cannot be recovered in the District Court. Claimants and law firms potential future reluctance to accept claims the cost of which cannot be recovered.
Taken together, these cases suggest that the courts are reluctant to impose a strict compensation regime for data protection claims. Instead, they are making it difficult for claimants to prove the specific damage or hardship caused in each case, which can often be difficult in data protection cases. And they’re prepared to fire cases where there’s no obvious harm done.
All of this will be good news. As data protection laws continue to expand, breaches are inevitable. It is absolutely true that when a violation causes damage or an accident, those individuals have the right to claim compensation. However, not all violations will result in damage, and in all cases, the law is not intended to allow individuals (or more appropriately, litigation sponsors and lovers to claim) profit from any breach. As Lord Leggatt put it in Lloyd v Google, the goal of this indemnity principle is “… to put the claimant – as an individual – in the same position, as best as possible. do it, as if the wrong thing hadn’t happened yet.”
Jon Belcher
Jon Belcher is an attorney specializing in data protection and information governance at Excello Law.
