Data Protection – New Rights for the Data Owner. New Risks for the Data Controller.
There is notice this week of a Judgment in the Court of Appeal which seems to me to be very important. I have not seen very much mention about it in the Press or even in specialist Legal Magazines but I think that will change.
The link is here .
It is an unsuccessful appeal by Google on a preliminary question which is – Does a Data Controller risk paying money compensation for mis-using Data even if the misuse causes only Mental Distress and not any Money Loss?
The ruling relates to the powers of the Courts to punish Data Controllers.
The Data Protection Act has been in force for many years and it states that where Data is misused by persons who should control it (in this case Google) then compensation can be ordered for “Damage” suffered.
But what is “Damage”? The Law has always been understood to mean that it is only actual money lost that should be compensated. So if a Data Protection breach can be shown to have caused lost contracts or a dismissal from employment, which are losses that can be valued in money terms, then the order could be made.
But for hurt feelings? For the hard-to-define “Distress”? Section 13(2) of the Act said No.
Well, it used to say that, until last month!
Now the Court of Appeal has said, “Wrong – the English Law has not been listening to Europe”.
The relevant EU directive is
“Member States shall provide that any person who has suffered damage as a result of an unlawful processing operation or of any act incompatible with the national provisions adopted pursuant to this Directive is entitled to receive compensation from the controller for the damage suffered”
Well, it’s that word again. “Damage” But in Europe, the word means something else.
So the Court is saying, “in England we understand “Damage” to mean, quantifiable money loss. In Europe, the word may have a wider meaning, and, if it does, then that wider meaning should be applied.”
This is another example of the now accepted legal proposition that a term used in European Law may well not have, or be intended to have, the meaning that it has in England. And that the meaning which was intended, is the meaning which it has.
[It is many years since Lord Atkins complained (in 1942) that this is a method of legal construction which follows only the authority of Humpty Dumpty*]
The Judge went on “In view of the fact that the Directive employs the term ‘Damage’ in a general sense without any restrictive connotation, it must be inferred – and on this point I find myself in agreement with the observations of the Commission and the Belgian Government – that the concept should be interpreted widely, that is to say in favour of the argument that, at least in principle, the scope of the Directive was intended to cover all types of damage which have any causal link with the non-performance or improper performance of the contract.”
The Court has found that s13 (2) is incompatible with the Law of Europe and as such has refused to apply it.
Does it matter? I think so. Because now, you do not have to show what money you have lost if your data has been misused. You don’t have to have lost any. It is sufficient to have been “distressed”. And, no doubt, the law will tell us what that word means in due course!
What to do? If you have been distressed because your data has been misused, see your Lawyer and join the queue.
Or, if you personally or in your Business are a Data Controller registered (or who ought to be registered!) with the ICO, the extent of your responsibility and risk has just got much, much, worse.
Go back to basics, review your Data Protection Compliance. Learn about the new European Data Protection Regulation coming at you.
*”When I use a word,” Humpty Dumpty said, in rather a scornful tone, “it means just what I choose it to mean, neither more nor less.” “The question is,” said Alice, “whether you can make words mean so many different things.” “The question is,” said Humpty Dumpty, “which is to be the master, that’s all.”
Please do contact me whenever you need Notarial Certification or Legalisation – at http://www.atkinsonnotary.com or phone me on 0113 816 0116 (internationally 0044 113 8160116)