The world of privacy and data protection has been as busy as ever. December 2019 saw the Information Commissioner's Office (ICO) impose its first fine following the introduction of the Data Protection Act 2018 (DPA), when it fined London-based pharmacy Doorstep Dispensaree Ltd £275,000 for failing to ensure the security of personal data. The ICO has also indicated proposed fines against other organisations that run into the tens and hundreds of millions of pounds.
This, coupled with a string of recent high-profile data breaches and leaks, has led to increased public awareness of the nature and amount of personal information held and processed by organisations, and of the possible causes of action if something goes wrong.
However, whilst the potential regulatory fines can certainly be very significant, how much are civil claims brought against organisations by individuals in these scenarios really worth?
Unlawful disclosure of personal data can give rise to several different claims including:
Generally it is possible for individuals to bring claims even if they have not suffered any financial loss, as damages can be sought for damage to reputation, distress, infringement of a privacy/data right, and/or for loss of control of private information. However, this does not necessarily translate into a high value claim.
This is a relatively new area of law, and the majority of cases that have been reported were decided before the DPA came into force. However, the principles in those cases remain relevant and useful for organisations facing similar claims now.
Most people are aware of the high profile cases involving well known individuals and celebrities, where significant damages were awarded.
One of the main phone hacking cases was Gulati v MGN Newspapers, in which eight high profile individuals brought claims that resulted in damages awards of between £72,500 and £260,250. However, the facts of the phone hacking cases are exceptional, involving repeated invasions of privacy and/or widespread use of the private information obtained, over a prolonged period (in some cases, over several years).
In Sir Cliff Richard v BBC, Sir Cliff Richard was awarded damages of £210,000 for a breach of his right to privacy and misuse of his private information, and breach of the Data Protection Act 1998 (as it then was). £190,000 of this was said to be attributable to the breach itself and reflected, among other things, reputational damage suffered as a result of the breach. The additional £20,000 was to reflect the BBC's decision to submit its coverage for an award. Again, the court acknowledged that the award was exceptionally high and very specific to the facts of the case.
However the court has given some general guidance on the factors that may be taken into account when awarding damages in privacy cases, including:
The court has also suggested that the amount of damages awarded for distress in privacy claims should be commensurate (or at least not disproportionate) to damages awarded in personal injury claims.
In Grinyer v Plymouth Hospitals NHS Trust (a case heard before Gulati), a patient brought a claim against an NHS trust after his ex-girlfriend - a nurse - had improperly accessed his medical records over a period of four and a half years whilst working at a hospital. He was awarded £12,500.
In TLT and others v The Secretary of State for the Home Department and the Home Office, six asylum seekers brought claims against the Home Office for misuse of their private information and breach of the DPA. Personal data about them - including their names, ages and immigration status - was inadvertently published on the Home Office website and was accessed a number of times before it was taken down 13 days later. They were awarded damages of between £2,500 and £12,500 each.
In Ali & Aslam v Channel 5 Broadcast Limited, the eviction of the claimants from their home was filmed for the television programme Can't Pay? We'll Take It Away. It was broadcast 36 times to around 9.65 million viewers. The court accepted that the programme involved the disclosure of personal information (being the eviction), which was "fairly" sensitive, and awarded £10,000 to each claimant.
Although these sums are not insignificant, they are much lower than the headline awards made in the high profile 'celebrity' cases. The comparison with these is particularly stark when noting that some of the asylum seekers in TLT genuinely feared for their lives as a result of the disclosure.
In October last year the Court of Appeal handed down its judgment in Lloyd v Google LLC, which made clear that compensation could be awarded for breaches of data protection legislation that led to 'loss of control' of personal data, even if no distress or material damage had been caused to the claimant. There was a concern that this might lead to a barrage of claims against organisations involved in inadvertent data breaches, where the personal information in question may have been relatively 'low key' and so unlikely to cause significant damage (such as names and addresses) but individuals affected could still seek compensation. In reality there are still a number of reasons why these kinds of claims are unlikely to succeed or, if they do, be worth anywhere near the awards made in the 'celebrity' cases.
While this is still a developing area of law, it appears that if a data/privacy breach is a one-off event, civil liability in damages is likely to be limited.
The reputational and regulatory consequences of a privacy/data breach can be significant. Whilst it is unlikely to be possible to completely prevent a breach from ever taking place, it is vital that you have appropriate procedures and training in place to mitigate the risk of a breach happening. If a breach does occur in your organisation, you should act quickly to identify its extent and take steps to mitigate it. Timely, effective and appropriately toned communication with those involved - as well as with any regulators (including the ICO) - will be important, and should ideally be done with input from your insurers at an early stage.