The General Data Protection Regulation (2016/679) (“EU GDPR”) allows individuals to seek compensation for “non-material” damages, such as distress or anxiety, where this results from an infringement of an organization’s legal obligations under the regulation.
Adopted in May 2018, the EU GDPR remained in effect within the UK until January 1 2021, leading to the UK, after Brexit, adopting its own sovereign data privacy regime. The United Kingdom General Data Protection Regulation (“UK GDPR”) acts as the “retained law” version of the EU GDPR. It guarantees the same rights to compensation in respect of non-material damages. While nearly identical to its European predecessor (for now), the UK’s newfound independence allows it to keep the framework under review and amend the law as it sees fit.
The European Approach to Non-Material Damages Claims
Domestic courts throughout Europe have favored different approaches to the question of when an entitlement to compensation arises (and whether a threshold of sufficient “damage” should be satisfied) in order for a non-material damages claim to succeed.
The lack of clarity on the approach to be taken and whether a threshold of damage must be met led the Austrian Supreme Court in April 2021 to refer critical questions on the issue to the Court of Justice of the European Union (“CJEU”). The court’s ruling is keenly awaited. Post-Brexit, UK courts are not bound by CJEU decisions, though they may continue to regard the CJEU’s position when interpreting the UK GDPR.
The UK Position
The UK has also seen cases of this kind. In June this year, the fitness chain Total Fitness Health Clubs Ltd. became the subject of a lawsuit stemming from a recent data breach. It has been reported that an individual is seeking damages at the High Court for anxiety and distress, which he claims to have suffered after his personal data (including his name, address and banking details) were stolen from the company’s servers in a cyber-attack.
UK courts also continue to hear similar cases relating to alleged breaches of the former Data Protection Act 1998 (“DPA 1998”). In the Lloyd v Google case, the upcoming Supreme Court decision will clarify whether damages are recoverable for “loss of control” of data even where there is no pecuniary loss or distress. This case may be of value to UK courts adjudicating upon alleged breaches of the UK GDPR and the degree of “harm” required to justify compensation.
As alluded to above, the UK’s current rules on non-material damages are similar to those in place under the EU data protection regime. However, with the UK government offering strong indications that significant changes may be coming for the UK’s data privacy regime, this will have on non-material damages claims remains uncertain.
What Changes to the UK Data Protection Regime Are Being Discussed?
In September 2020, the UK government published its National Data Strategy for public consultation; the main focus is to develop a world-leading digital economy, which will boost economic growth, innovation and efficiency within UK public services.
The strategy also aims to remove “unjustified” barriers to data transfers. A few weeks ago, the government released its statement on international transfers, setting out a list of priority jurisdictions to be considered for adequacy decisions, including the USA, Singapore and Australia, amongst other countries.
More recently, on September 10, the UK government published a consultation paper titled “Data: a new direction,” focused on creating “an ambitious, pro-growth and innovation friendly data protection regime that underpins the trustworthy use of data” in line with the National Data Strategy. The Information Commissioner’s Office’s reforming, with a greater focus upon efficiency and growth, is slated to form part of a broader overhaul. A reform of the accountability framework is also proposed and could impact the current rules on subject access requests, cookie consent, the designation of data protection officers, data protection impact assessments, the requirement to maintain a record of processing activities, the threshold for notifying data breaches and more.