Court of Appeal awards damages for breach of Data Protection Act

(Halliday v Creation Consumer Finance Limited [2013])

There have been few, if any, reported awards for compensation under the DPA and so there has until now been limited concern with the risk of civil litigation arising from DPA breaches. The award of £750 for an incorrect entry on the claimant's credit record may be modest, but such decisions will undoubtedly encourage claimants in similar situations to seek compensation.  Whilst isolated claims of this nature may not be significant, the damages payable to multiple claims arising out of a single breach could be very substantial.

Businesses will wish to ensure that they have the necessary evidence to defend such claims by, for instance, making use of the statutory defence available where the data controller can prove that it has taken reasonable care to comply with the DPA.

Summary:

• S.13 provides for compensation where a data subject suffers "damage" by reason of a contravention of the DPA.  Where a data subject suffers damage, the data subject is also entitled to be compensated for any distress.
• Creation was a credit company which wrongly notified a credit reference agency that Mr Halliday had, over a period of 8 months, a sum of £1,500 owing to them without an authorised credit limit.  This was in breach of the DPA and an earlier order of the County Court.  
• Mr Halliday did not suffer any direct financial loss as a result and so was awarded nominal damages of £1. However this meant that he was entitled to be awarded compensation for distress.
• The Court rejected submissions that he was entitled to substantial compensation calculated by reference to compensation for injury to feelings awarded in discrimination cases.
• The breach arose from a mechanical error and did not lead to loss of creditor reputation.   However, based upon the evidence of distress set out in Mr Halliday's witness statement, the Court awarded him £750.

The Data Protection Act 1998 has historically been criticised for its lack of effective remedies.  However this decision is in line with the trend towards greater enforcement. The Information Commissioner now has powers to issue monetary penalty notices of up to £500,000 and the draft EU Data Protection Regulation envisages fines of up to 2 per cent of global turnover.