Data Breach – Compensation and Class Actions
The European General Data Protection Regulation (“GDPR”) has been in force for five years, and claims for compensation across Europe are ironing out procedural uncertainties and making incremental progress towards an effective private enforcement regime for data breach claims. In the UK, post the Supreme Court’s decision in Lloyd v Google LLC [2021] UKSC 50, there are renewed attempts to bring data breach claims on a class-wide basis.
Austrian Post case
The protection of personal data is a fundamental freedom under EU law. Compensation is payable to individuals who suffer material or non-material damage as a result of unlawful processing of their personal information. The terms material and non-material are free-standing concepts under EU law and cover a wide range of potential harms including discrimination, identity theft, fraud, financial loss, damage to reputation, loss of confidentiality of information such as medical records or legal advice, or other kinds of economic or social disadvantage.
A recent case before the European Court focusing on non-material damage has confirmed that there is no threshold of seriousness that needs to be reached under EU law.
The EU’s General Court decided questions referred by an Austrian court that was seeking clarification of the meaning of non-material damage (Österreichische Post AG Case C-300/21). The facts of the case concerned information that was collected about the Austrian population’s political affinities using an algorithm taking into account various social and demographic criteria. The data was sold to businesses for the purpose of targeted advertising. The Austrian Post Office had processed data which, by way of statistical extrapolation, had led it to infer that an individual had an affinity with a political party – the far-right Freedom Party.
The individual (perhaps understandably) felt greatly aggrieved by the drawing of this inference, causing them upset and a feeling of exposure. He sought an injunction to prevent the Austrian Post from holding the data and EUR 1,000 in compensation for non-material damage reflecting the degree of upset he had felt.
The Austrian courts granted the injunction but did not grant compensation on the basis that the non-material damage had not reached a “threshold of seriousness”. The EU General Court disagreed and ruled that, whilst it had to be shown that the breach of GDPR had caused damage, and it could not be automatically assumed that damage was suffered for every infringement, there was no minimum threshold of seriousness test that had to be met by a claimant.
The General Court emphasised that non-material damage was an autonomous concept under EU law which should not be limited by domestic rules. Compensation under GDPR had to be full and effective. This does not mean that every negative consequence or hurt feeling will amount to non-material damage, but the judgment offers encouragement to the claimant here who many people might consider could feel very upset at being wrongly ascribed political affiliations via a statistical analysis. The case will now return to the Austrian domestic courts to reconsider the issues in light of the General Court’s guidance. If non-material damage has been suffered, the domestic court will go on to assess the level of compensation payable.
UK class action against Google in relation to access to NHS health records
Another feature of the data breach litigation landscape has been attempts by groups of individuals to bring their claims together in one set of proceedings as an efficient class action procedure. The costs of litigating a single claim worth a relatively low amount are prohibitive. With an active third party litigation funder market in the UK, a group claim of many thousands of individuals has an aggregate value which will attract investment and provide the resources needed to take on the tech-giants and hold them to account.
In the case of Andrew Prismall v Google UK Limited and Others [2023] EWHC 1169 (KB), damages were sought on behalf of approximately 1.6 million individuals due to the unlawful processing of their health records. The claim was brought as a representative action and a claim in tort for misuse of private information. The harm suffered was the loss of control over the data which the court accepted was itself a form of damage for which compensation could in principle be recovered.
It was not in dispute that the information passed to Google by an NHS Trust included many highly confidential personal health records. As a way of getting round the need for an individual assessment of damage, the claim was brought for a lowest common denominator level of damage for each member of the class. What this means is compensation by reference to an irreducible minimum harm suffered by all the members of the class. However, in contrast to the General Court’s finding in the Austrian Post case, the English High Court ruled that there was a de minimis threshold of seriousness that had to be met by each member of the class to establish that they had all suffered more than a trivial level of harm.
The claim failed because on the facts the lowest common denominator case was one that did not meet the threshold of seriousness. There were likely to be certain individuals in the class in relation to which very limited information was transferred or stored, and, although health related, it was anodyne in nature, it was held securely buy Google and was not accessed by anyone and the information was already in the public domain. The transfer of the data to its secure storage for up to 12 months caused no impact other than the loss of control itself.
Although the claim did not succeed on its own facts, the case does helpfully confirm that an individual assessment of damage is not essential to recover damages for loss of control of personal information.
Future data breach class actions will rely on this decision and there is now a clearer route for class actions to succeed in the UK where each member of the class has suffered more than a trivial level of loss.
These two cases illustrate some differences in approach emerging between the UK and the EU in this developing area of law. With the ever-increasing demand for personal information to drive business growth and innovation, there is an urgent need for data protection laws to provide cost effective remedies. Watch this space.
To read the full article
The full article was first published by Law.com on 23rd June 2023.