Google-Vidal Hall "opens the floodgates" to data breach compensation

News by Doug Drinkwater

March's landmark ruling by the London Court of Appeal that just three UK persons could sue Google over cookie privacy violations has far-reaching consequences as far as breach compensation is concerned.

In the ruling two months ago, the Court of Appeal held that the users could sue Google over its alleged web tracking in the so-called 'Cookiegate' scandal between 2011 and 2012.

During this time, Google is accused of bypassing users' Safari browser security settings to install secret cookies to track their web activity and serve them with targeted ads.

Robert Hann, business development director at encryption services supplier Trustis, and privacy campaigners Marc Bradshaw and Judith Vidal-Hall were the claimants in the case, with the verdict delivered by the Master of the Rolls Lord Justice McFarlane and Lady Justice Sharp.

“These claims raise serious issues which merit a trial,” they said. “They concern what is alleged to have been the secret and blanket tracking and collation of information, often of an extremely private nature and the subsequent use of that information for about nine months.”

The case was also interesting because, as Google is outside the UK's jurisdiction, the claimants had to persuade the High Court that this misuse of personal information, classified as a tort, should result in proceedings being served abroad.

Two months on, SC understands that the ruling potentially has huge ramifications, not just for online privacy and data protection law, but also for data breaches and the interpretation of the UK's Data Protection Act.

At a legal briefing in central London recently, a number of influential lawyers and heads of IT discussed the issue, with some suggesting that breach compensations are now in reach for the general public, and popular enough to entice mid-tier solicitor firms to offer attractive “no win, no fee” cases.

Lawyers speaking at the event, which was under Chatham House rules, said that breached companies could face compensation claims running from the “hundreds” to “the tens of hundreds of thousands of pounds”. Further still, one added that there was the very real prospect of the “multiplier effect”, as other users realise the potential for financial gain.

“Half of the City of London's law firms may see the avenue for opportunity here,” said one legal pro.

A new twist on old legislation

The Google vs. Vidal-Hall case is interesting because, as lawyers explained to SC, the plaintiff had to demonstrate significantly less emotional harm than previously under the Data Protection Act 1998.

Previously, under clause 13 of the Act (which is also covered similarly by Article 23 of the European Data Protection Directive 1995), compensation would not be given in such cases unless the claimant could prove damage, usually financial loss.

That was largely down to the Johnson v Medical Defence Union case in 2007, where it was held by the court that pecuniary loss must be proven.

However, lawyers say that the Vidal-Hall case has bust that idea wide open, as the three claimants simply had to prove “mere distress” to win the case, regardless of whether they had suffered financial loss. One legal professional quipped that companies would now face claimants with a “quivery lip and Paddington Bear faces.”

“It's a fantastic result for the citizen,” said one attending lawyer.

The ruling also asks the question, as it does with the Google Right To Be Forgotten case, whether US-based firms “actually get it” on EU data protection, and demonstrates that court judges are “human and citizens like everybody else” and when they go online, they “don't want to be tracked.”

“This could open the floodgates to data breach compensation claims, especially as breach disclosures (under the EU General Data Protection Regulation – Ed) become mandatory,” said one lawyer.

The lawyer added that the industry must be realistic about the strength of competition, citing ICO and solicitor interest in this area, and the fact that 10,000 disillusioned people, looking for £1,000 each in “distress”, will result in a pay-out of £1 million. Bigger claims could result in “astronomical numbers”.

A financial services CIO warned, however, that we shouldn't be scared by the big numbers, which could “switch off” execs, and said that smaller volume cases were of more concern.

A CISO at a large media organisation admitted that small claims from consumers were more of a worry, as this is not an area where they have had to focus so much in the past.

“These are not massive claims, but it's the multiplier effect,” he said, adding that companies would increasingly look to avoid court, and settle.

Amar Singh, independent CISO, later told SC: “I am not sure if this will open the floodgates as, often, the damages or pay-outs are quite modest - however it will be interesting to see how many others follow suit based on the anxiety and distress angle.

“Overall, unless the punishment (and related to this, the awarded damages) is severe many organisations may take a calculated approach of waiting for a few more such cases to go through the courts before making any significant investments to improve their protection for personal data.”

Cordery Compliance commercial lawyer Andre Bywater told us that the case is "likely to open the door for UK Safari users to bring substantial so-called 'class action' against Google."

"It is likely that the UK courts will now see many more cases brought for breaches of the DPA, given that the previous requirement for “pecuniary loss” has been removed," he said.

"Everyone closely involved in issues that involve data protection should not only review their procedures but also update their training and run it again in light of this case."

Stewart Room, a privacy lawyer and partner at PwC, recently penned an open editorial on the same matter, saying, “There are only two necessary ingredients within a recipe for a cyber-security compensation claims culture. First, would-be claimants need to know they have been affected by a cyber-security breach.

“Second, the law needs to allow them to recover damages for simple distress. The law is benevolently gifting us these ingredients. All we need are some enterprising lawyers to stir the pot, and then there will be a feeding frenzy.”

He added: “If Google v. Vidal Hall survives a challenge in the Supreme Court, then controllers everywhere will face a new puzzle: what controls can they ‘operationalise’ to reduce distress in the aftermath of a cyber-security incident? This puzzle shines a fresh spotlight on the importance of early incident detection and effective incident response.”

“….Controllers will have to think very hard about the psychology of breach notification and complaints handling, if they are to lower distress to a reasonable level.”
