Compensation in Data Protection law

Section 13 of the Data Protection Act 1998 makes provision for a data subject to raise court proceedings for payment of damages where there has been a breach of the Data Protection Act 1998 which has caused them damage and/or distress.  The provisions in Section 13 have not been used as often as they might otherwise have been; this may have been partly down to the way in which the legislation was initially drafted, but that was rectified (in England, at least) by the English Court of Appeal in Google Inc v Vidal-Hall and ors [2015] EWCA Civ 311.

The General Data Protection Regulation, which is due to become applicable in the UK from 25th May 2018, makes provision for data subjects to obtain compensation from controllers and processors in Article 82.  The right is for “any person who has suffered material or non-material damage as a result of an infringement of [the GDPR]” to be compensated.  Clause 159(1) of the Data Protection Bill (which is still in the early stages of the parliamentary process) provides that this “includes financial loss, distress and other adverse effects.”

A data subject is not limited to claiming compensation from the controller.  The GDPR provides that a processor will “be liable for the damage caused by processing only where it has not complied with the obligations…specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.”

Article 82(3) of the GDPR introduces a defence to such a claim for compensation, but it is an exceptionally high test.  No liability arises where the controller or processor “proves that it is not in any way responsible for the event giving rise to the damage.”  The burden of proof falls on the controller or processor, and liability attaches even where the processor or controller is responsible for the event causing the damage in the most minor of ways.

The terms of Article 82(3) create joint and several liability for controllers and processors.  In a situation where multiple controllers and/or processors are all partially responsible for the event giving rise to the damage, the data subject could elect to sue any one of them (or indeed, all of them).  Where the data subject elects to sue just one controller/processor who is responsible, that controller/processor is entitled to recover from the other controllers/processors “that part of the compensation corresponding to their part of responsibility for the damage.”

Where the data subject elects to sue more than one controller/processor then Recital 146 of the GDPR explains that, in accordance with Member State law, compensation may be apportioned by the court according to the responsibility of each controller or processor for the damage caused by the processing.

The GDPR does not stipulate any maximum amount of compensation that can be awarded to data subjects; however, Recital 146 of the GDPR explains that data subjects should receive full and effective compensation for the damage they have suffered.  Quite what “full and effective compensation” means is something that will be worked out as the courts grapple with the new provisions.  There have been almost no published decisions from the Scottish courts in respect of claims for compensation under Section 13 of the Data Protection Act 1998, but where there have been decisions the compensation awarded has not been particularly high.  For example, Sheriff Ross awarded each of the Pursuers £8,364 in Woolley v Akbar [2017] SC Edin 7.  That case concerned the use of CCTV at private dwellings and the compensation figure was calculated on a nominal rate of £10 per day that the Defender was in breach of the Act.

The GDPR only applies to processing of personal data in areas which are within the competence of the European Union; however, the Data Protection Bill extends the scope of the GDPR to areas beyond the competence of the European Union.  Clause 160 of the Bill provides for compensation where it cannot be claimed under Article 82 and the clause mirrors the terms of Article 82.

In Scotland both the Sheriff Court and the Court of Session will have jurisdiction to hear claims under Article 82 of the GDPR and Clause 160 of the Data Protection Bill (as is the case with claims under Section 13 of the Data Protection Act 1998).  In practice it is likely that the vast majority of claims will be heard in the Sheriff Court given that it is unlikely that any claim will exceed £100,000 and will therefore be within the privative jurisdiction of the Sheriff Court.  However, with the advent of Group Proceedings (see Section 17 of the Civil Litigation (Expenses and Group Proceedings) (Scotland) Bill [pdf]) it is possible that Article 82 claims will end up in the Court of Session as the Bill only provides for a group proceedings procedure in the Court of Session.

Those who process personal data should be aware that the right of a data subject to claim compensation, whether that be under the Data Protection Act 1998, the GDPR or the Data Protection Bill (when it becomes an Act), arising out of a data protection breach is in addition to any enforcement action that the Information Commissioner takes, such as the issuing of an administrative fine.

Alistair Sloan

If you would like to pursue a claim for compensation for a data breach, or if you require to defend such a claim, or if you would like advice and assistance with any other Information Law matter, we would be pleased to hear from you. You can contact Alistair Sloan on 0345 450 0123.  Alternatively, you can send him an e-mail.