We can all claim compensation for the distress caused by an infringement of our data protection rights but to win the case, you’ll need to demonstrate that you’ve actually suffered distress.
Initially, under Section 13(2) of the DPA 1998, compensation for distress could only be claimed if the plaintiff had also suffered damages. This changed with Vidal-Hall v Google, where the Court of Appeal ruled that distress alone constitutes non-material damages. The Vidal-Hall ruling has now been incorporated into Section 168(1) of the DPA 2018, which stipulates that ‘non-material damage includes distress’.
- For an infringement of the GDPR, you can claim non-material damages, pursuant to Article 82(1) GDPR.
- For an infringement of the PECR, you can claim non-material damages, pursuant to Article 169(1) DPA 2018.
By failing to satisfy Regulation 22 PECR prior to targeting you with unsolicited electronic marketing, a data controller will also fail to satisfy a condition for processing.
In 2018 I watched the judge at one of my hearings, take a minute or so to read through Regulation 22 PECR, and question the defendant. The judge then questioned me to rule out psychiatric injury before awarding me damages for the “annoyance” of having received a direct marketing email as a direct result of their infringement.
I believe that the judge was tying to quantify the level of damages that I had incurred. To help me understand, I did a bit of research and found the following information on the Financial Ombudsman’s website:
Distress – including embarrassment, anxiety, disappointment, loss of expectation, upset and stress. There may be some overlap with pain and suffering (see below) – for example, if the distress made someone ill;
Inconvenience – including the time someone’s spent and/or effort they’ve had to go to as a result of a business’s mistake;
pain and suffering – including physical or mental suffering arising from what a business has done; or
damage to reputation – where someone’s personal reputation has been negatively affected as a direct result of a business’s actions.
I’ve found this really helpful, so I’ve added it to my standard “Claiming damages for distress” template page, which I copy and paste into my Statement of Case. It helps to clarify the different levels of non-material damages and it explains the judge’s actions in the case that I referred to above. It would appear that, based on my response to his question, the judge was able to rule out pain and suffering, and opted for upset and stress – annoyance.
Not all infringements will constitute distress however.
Based on all of the court hearings that I’ve attended, it’s clear to me that a judge will award damages for the annoyance of an infringement of statutory instrument, but only if I am able to demonstrate that something negative happened to me as a direct result of the infringement.
In my “Claiming damages for distress” template document, I quote Halliday v. Creation Consumer Finance Ltd (CCF). This 2013 case was the first case to award compensation for distress for a breach of data protection law. During the Court of Appeal hearing, Lady Justice Arden made the following point:
I would accept as a general principle that, where an important European instrument such as data protection has not been complied with, there ought to be an award, and it is to be expected that the complainant will be frustrated by the non-compliance.
Other key points to note in Halliday, are that…
The sum to be awarded should be of a relatively modest nature since it is not the intention of the legislation to produce some kind of substantial award. It is intended to be compensation.
And it was noted that…
There is no proof of any fraudulent or malicious intent on the part of CCF.
It’s amazing how many of the companies that I challenge, will blatantly lie to me about what they’re able to do with my personal data. And in my experience, in-house lawyers tend to be the biggest liars, so what does this say about the companies that we do business with every day? It tells me that they’re actively looking for ways to abuse our rights.
As I say though, to claim an award for distress, it’s not enough to demonstrate to the judge that an infringement of the GDPR/DPA/PECR has occurred. You will need to demonstrate to the judge that you suffered a detrimental impact as a direct result of the infringement.
As a rule, will only file a claim where I’ve received something that I shouldn’t – as a direct result of an infringement. For example, unsolicited direct marketing received as a direct result of an infringement. I’ve not tested it yet, but I should also be able to claim compensation where the infringement has denied me of something that I’m entitled to. For example, a failure to provide me the information requested in a Subject Access Request, or the failure by a third-party data controller to provide me with a fair processing notice that includes the source of the data. To clarify, third-parties have an obligation to provide us with a fair processing notice within a month of obtaining our contact information.
I currently have two cases on the go, and in both cases, it’s because I received unwanted direct marketing. In nearly all cases, my response is based on the data controller’s response. If they’re open, honest and fair with me, then I’m unlikely to pursue the matter beyond a complaint to the ICO. But if they don’t get back to me, brush of my complaint with a generic response, or tell me that they have a right to process my data when I know that they do not, then I will look to file a claim.