Awards of Damages for Data Protection Breaches – UK and Irish Approaches Contrasted
10 September 2015
The recent ruling of the UK Court of Appeal in Google v Vidal-Hall is another divergence in the approach of the UK and Irish courts to data protection. The decision in Vidal-Hall means that, in the UK, damages may be granted even where there is no financial loss to the individual making the claim. The Court of Appeal also confirmed the existence of the tort (civil wrong) of misuse of private information. This judgment is in contrast to the established Irish position in Collins v FBD Insurance, which restricts damage to actual loss only. While the Irish courts may in future decide to follow the UK approach, the current Irish approach is more restrictive. In short, it is now easier to obtain compensation for breaches of data protection rights in the UK than in Ireland.
The Irish position
In Collins v FBD Insurance, the Irish High Court considered the granting of damages for various breaches of the Data Protection Acts 1988 and 2003 (the “DPA”). The core issue was whether Mr Collins was entitled, under Section 7 of the DPA, to compensation in the absence of any damage, including special damage (such as loss of earnings, property damage and medical expenses), being proven.
Section 7 provides that “a data controller or a data processor, shall, so far as regards the collection by him of personal data … or his dealing with such data” owe a duty of care to affected individuals. The Court accepted that Section 7 provides for a remedy for breach of the DPA under the law of torts. The key question was whether proof of damage, suffered by Mr Collins, was a necessary pre-condition to an award of damages. Having regard to the provisions of the Data Protection Directive (the “Directive”), the judge determined that Article 23 of the Directive provides an entitlement to compensation. However, this entitlement is subject to proof that the plaintiff has actually suffered damage.
Mr Justice Feeney reasoned that Section 7 does not provide for strict liability or automatic payment of compensation. Instead, it limits compensation to the existence of a duty of care within the ordinary law of torts. Mr Justice Feeney concluded that for the duty to extend to the payment of damages, without proof of damage or loss, would go beyond the intention of the Irish parliament.
The UK position post Vidal-Hall
The three claimants in this case complained that Google used cookies to collect private information about their internet usage via their Apple Safari browser without their knowledge or consent. This information was allegedly used by Google as part of their commercial offerings to advertisers.
The claimants contended that this amounted to a misuse of their private information, a breach of confidence and a breach of the Data Protection Act 1998 (“UK DPA”). They sought compensation under Section 13 of the UK DPA for damage and distress but made no claim for financial loss.
Although Google tried to rely on the decision in Collins v FBD, this was rejected by the Court. In contrast to the Irish High Court, the UK Court of Appeal found that proof of financial loss is not required. In contrast to Collins v FBD, the UK Court of Appeal felt that Article 23 of the Directive should be given its natural and wide meaning - to include both material and non-material damage. The Court found that since the Directive aims to protect privacy, rather than economic rights, it would be strange not to compensate individuals whose privacy had been invaded so as to cause emotional distress, if not financial loss. The Court determined that the provisions of the UK DPA which required that the individual must “also suffer damage”, should be dis-applied as it is inconsistent with EU law.
The Court of Appeal also took the opportunity to confirm that misuse of private information should be recognised as a distinct tort.
The case is currently being appealed to the UK Supreme Court, so the final outcome may change depending on the appeal. It is also possible that the Supreme Court may submit questions to the Court of Justice of the European Union, given that Article 23 of the Directive is central to the claim.
The impact in Ireland is interesting. At present, it suggests that it is easier for a plaintiff to successfully claim compensation in the UK Courts than before the Irish Courts for data protection claims. Whether the Irish Courts might choose to follow the UK approach in the future remains to be seen.
More on mhc.ie:
The content of this article is provided for information purposes only and does not constitute legal or other advice.