The UK Data Protection Act 1998 is subject to twin track enforcement through regulatory action by the Information Commissioner and private actions for statutory compensation. Whilst the Information Commissioner has significantly increased his enforcement activities over the past few years, private actions remain rare.
Among the reasons for this reluctance may be the difficulty in claiming compensation for distress, and the fact that, taken individually, these claims are unlikely to be particularly significant.
This article considers if this position will change following the UK Court of Appeal’s recent decision in Halliday v Creation Consumer Finance [2013] EWCA Civ 333 and the threatened UK class action against Google.
Barriers to Claims for Distress
One of the barriers to a claim for compensation under the Data Protection Act 1998 is that compensation for distress is allowed only if the claimant has also suffered damage or the processing is for the so-called special purposes (i.e., journalistic, literary or artistic purposes).
The need to show damage as a gateway to distress has led to a number of curious decisions in the courts, as claimants have gone to great lengths to establish some form of pecuniary loss in order to open the way for a claim of distress. Perhaps the best example is Johnson v The Medical Defence Union [2007] EWCA Civ 262, in which the Court of Appeal had to consider if Mr Johnson had, in fact, spent £10.50 on an extra breakfast as a result of an alleged breach of the Data Protection Act 1998, that damage being the gateway to his claim for a further £5,000 in distress.
Nominal Damages as a Gateway to Compensation for Distress
This issue arose again in Halliday. Mr Halliday bought a television set using financing provided by Creation, but a dispute arose between them. Creation mistakenly updated Mr Halliday’s credit record to state that he owed them £1,500. The entry was made in February 2008, but Mr Halliday did not become aware of it until May 2008, and the entry was not removed until October 2008.
Mr Halliday sought compensation from Creation for breach of the Data Protection Act 1998. However, the court found that the incorrect entry had not caused Mr Halliday any pecuniary damage and, moreover, there was no damage to his reputation or credit. Therefore, the main thrust of Mr Halliday’s claim was for distress.
In a somewhat surprising decision, rendered March 15, 2013, the Court of Appeal upheld his claim, the two key points in the judgment being that:
- Nominal damages of £1 should be awarded to Mr Halliday for Creation’s breach of the Data Protection Act 1998, and these nominal damages provided a gateway allowing Mr Halliday to also claim for distress; and
- Mr Halliday should be awarded £750 for his distress, despite the fact that the breach was of a limited nature and for a limited period, was the result of a single error and did not lead to any loss of credit or reputation. In particular, Arden LJ stated that “as a general principle … where an important European instrument such as data protection has not been complied with, there ought to be an award”.
However, it is important to note the limitations on this judgment. In particular, Creation had conceded that nominal damages would enable Halliday to obtain compensation for distress, and therefore this issue was not before the court. As Lloyd LJ put it: “we therefore do not have to determine, and we cannot determine, that arguably interesting point of law”. The lack of any binding precedent means that this point will have to be argued again at a future date, including the question of whether such a liberal approach is compatible with the intent of the compensation provisions in the Data Protection Act 1998.
It is also not clear how thoroughly these issues were explored before the Court of Appeal. Mr Halliday appeared in person, and Creation does not appear to have defended his claim with any great vigour, as perhaps evidenced by its concession above. This may have led to the court’s assertion that it was not aware of any authority that deals with this type of compensation claim (despite the fact that one member of the court gave the dissenting judgment in Johnson).
Notwithstanding these limitations, the judgment in Halliday could have important consequences for the proposed class action against Google.
Proposed Class Action Against Google
One of the many privacy issues Google is currently grappling with is a potential class action by users of the Safari web browser. The Safari browser has default settings that protect its users’ privacy by rejecting certain third party cookies, those third party cookies commonly being used for behavioural advertising and other tracking purposes.
However, Google managed to circumvent these default settings and still set advertising third party cookies on the computers of persons using the Safari browser. Google claimed that this was unintentional, and it took steps to remove those cookies as soon as it became aware of the issue. However, Google still faced regulatory action, including a U.S.$22.5 million fine imposed by the U.S. Federal Trade Commission (see WDPR, August 2012, page 18).
In addition to regulatory action, Google also faces civil claims, including a threatened class action in the United Kingdom for computer misuse and trespass, and breach of confidence, privacy and the Data Protection Act 1998.
Comparator Actions
The threatened class action for compensation under the Data Protection Act 1998 is interesting because it could overcome the problem that, taken individually, these claims are unlikely to be particularly significant or worth litigating. A combined claim might be worthwhile given the large number of individuals affected: as many as 10 million users in the United Kingdom could have been affected by this breach.
Despite significant press coverage in the United Kingdom, details of the proposed action are very scant, and the only significant step taken to date appears to be that a letter before action was served on Google UK and Google U.S. in January 2013 on behalf of 12 claimants.
However, there are, on the face of it, a number of very significant challenges to the action, and a good way to assess them is to compare this possible action with similar actions brought in the United Kingdom.
A useful comparator is the successful collective action brought by the consumer body Which? against JJB Sports after the latter was found guilty of price-fixing the retail price of replica football shirts. This action was launched in the UK Competition Appeals Tribunal (1078/7/9/07), although the parties reached agreement to settle the claim. See the table below.
Next Steps for Class Actions
Despite obtaining a successful settlement against JJB Sports, Which? has not shown any further interest in bringing collective actions. In particular, the number of claimants opting into the action was “very low considering the degree of publicity, the amount of resources … spent and the external legal costs”.
In the short term, the threatened class action against Google could face similar problems in attracting sufficient claimants, which might prevent it from progressing. However, if a claim is brought, the Halliday case could have a significant effect on class actions, including the case against Google.
For example, as is the case in many privacy breaches, it is not clear that any of the Google claimants have actually suffered any monetary damage, so the bulk, if not all, of their claim will be for distress. The Data Protection Act 1998 does not normally allow compensation for distress alone, so the suggestion in Halliday that nominal damages can justify a claim for distress could provide a way to circumvent this rule.
Similarly, it is hard to see why the Google claimants would have suffered any real distress as a result of Google’s actions. However, the lack of any significant distress did not deter the Court of Appeal from awarding £750 to Mr Halliday, reflecting, in part, the court’s desire to take action following the breach of “an important European instrument such as data protection”. An award of £750 may be a poor return after taking a case all the way to the Court of Appeal, but it is a much more attractive proposition if action is taken by multiple claimants or the case is pursued through a lower cost route, such as the small claims court.
Procedural changes may also make class actions more attractive in the longer term. The European Commission’s proposed General Data Protection Regulation to replace the EU Data Protection Directive (95/46/EC) contains express provisions allowing consumer and privacy groups to bring actions on behalf of one or more data subjects.
In any event, the last few years have seen a significant increase in regulatory enforcement of data protection laws, and it will be interesting to see if these recent developments mark a similar increase in private enforcement.
Peter Church is an Associate with Linklaters LLP, London, and a member of the World Data Protection Report Editorial Board. He may be contacted at peter.church@linklaters.com.