News

Data Protection + Credit Controllers: Damages for Misuse of Information

Recent Court Decisions have awarded compensations for distress to individuals where there has been a breach of the Data Protection Act.

Should credit controllers be worried by these trends? And how much compensation will be payable if there has been a breach.

Credit controllers may already be aware of their potential liability to customers if they breach the Data Protection Act (DPA). Indeed this was underscored in Haliday v Creation Consumer Finance Ltd in 2013. This case related to the disclosure of information to credit reference agencies and upheld an individual’s right for damages for distress under the Act. The Court awarded Haliday £750 for an incorrect entry in his credit record. The decision may encourage claimants in similar situations to seek compensation. And if there are multiple claims arising out of a single breach then the award could be substantial.

What was the Statutory Basis for Liability?

In summary, the Haliday decision rested on an interpretation of S13 of the DPA. This provides for compensation where a data subject suffers “damage” if there is a contravention of the Act. So ‘damage’ is an essential element for a s13 claim to be successful.

What actually happened in the Haliday case was that Creation, who were a credit company, incorrectly notified a credit reference agency that Haliday owed them £1,500 over an 8 month period without an authorised credit limit.

From a legal perspective the important point to grasp is that, notwithstanding the incorrect notification, Haliday did not suffer any financial loss. Because of this he was only awarded nominal damages of £1.00. As a result of this award of damages being made (even although it was only £1.00) this now ‘opened the door’ to the court to make an award of compensation for the distress which Haliday had suffered. Compensation was awarded at £750.

So how has the Law Changed?

As already outlined, S13(2) of the DPA only permits a data subject to claim compensation for breaches of this Act which cause distress if the claimant can also prove that there has been financial loss. Because the Courts have regarded S13 (2) as being unduly restrictive they have awarded claimants damages of a nominal amount of £1.00. This opened the door for the distress claim which otherwise would have been shut.

However the Court of Appeal in Google Inc v Vidal – Hall + Oths has ruled that S13(2) should be dis-applied. In effect the door has been opened.

Enter Stage Left: The Influence of Europe

The Court took the view that S13 of the UKs DPA did not accurately reflect the policy of the European Directive on data protection which it implemented (Directive 95/46/EC). The cornerstone of the Directive was concerned with an individual’s privacy as opposed to his ‘economic rights’. Accordingly ‘moral damage’ as well as financial loss were both worthy of protection. Section 13 ran counter to this and the requirement for ‘financial loss’ or ‘damage’ must be dis-applied. In effect the Appeal Court had to dis-apply national law in favour of European Law where there was a conflict.

In the ‘Google’ Action information about data subjects browsing habits were gathered by Google though the use of ‘cookies’ without the knowledge or consent of users and contrary to Googles stated policy that such collection would only occur where a user had expressly consented to this.

What did the Court Say about Distress?

The court said that distress is ‘often the only real damage that is caused by a contravention’ and that it was unnecessary to show pecuniary loss. It went further by confirming that ‘damage’ under 2.3 of the Data Protection Directive should be given a broad interpretation and should include non-pecuniary damage. It should not restricted to the UK Court’s narrow interpretation of the term ‘damage’ in situations where an individual’s privacy has been “invaded resulting in emotional distress (but not pecuniary damage)”.

Conclusion

The DPA has often been criticised for its lacking of effective remedies. There does appear to be a trend towards greater enforcement and with the Information Commissioner having the power to issue monetary penalty notices of up to £500,000 data processors (and credit controllers may well fall within this definition) will have to exercise care.

Credit controllers should have comfort in knowing that there will be a valid defence to such a claim if it can be proven that the data controller took reasonable steps to comply with the DPA.

And what about the level of compensation? Previous awards have been relatively low, as is evidenced by the Haliday decision where the Court stated that it was ‘not the intention of legislation to produce some kind of substantial award. Indeed in the ‘Google’ action the Appeal court stated that there should be no expectations that claims for misuse of information would be other than ‘relatively modest’.

Questions?

If you have any questions or comments on the above then please do contact me using the details below.

Stephen Cowan


Managing Partner

Yuill + Kyle
Debt recovery + Credit control Lawyers, Scotland
This email address is being protected from spambots. You need JavaScript enabled to view it.
W: http://www.debtscotland.com
T: 0141 331 2332
Debt Recovery Ignited!

Yuill + Kyle is the trading name of Yuill + Kyle Limited, registration number: SC352604.
Registered Office: 79 West Regent Street, Glasgow, G2 2AR
Yuill & Kyle Limited are regulated by the Financial Conduct Authority

 

Posted in http://www.debtscotland.com/news1.cfm?id=490

Contact

Postal Address

PO Box 392
Moorebank NSW 1875

Tel: (03) 9351 0434

Email: membership@pipa.net.au

Quick Links

Events

About PIPA

Join Us

News

FAQs

Member's List

Practicing Members

Individual Members

Corporate Members

Honorary Fellow Member

Make an Enquiry


Name
eMail
Phone
Message
© Copyright 2017 Personal Insolvency Professionals Association | Powered by Orange InfoMedia

website security