Data Protection - Can I Claim for Compensation?
MARK QUINN >
Consultant PartnerFri 26 March 2021
People are becoming increasingly aware of their rights in relation to the protection of their personal data. It is, however, less commonly known that an individual who has suffered a breach of personal data could be entitled to compensation.
What is the position after Brexit?
When the EU’s implementation of the General Data Protection Regulations ((EU) 2016/697) came in, otherwise commonly referred to as "GDPR", it offered a major source of protection in relation to an individual’s personal data. There is a concern as to whether the protections afforded by GDPR still apply to the UK, since their withdrawal from the EU.
Fortunately, the UK’s legal framework in relation to data protection remains largely unchanged, even after the end of the Brexit transition period on 31st December 2020.
Most of the provisions contained in the GDPR continue to apply in the UK beyond the end of the transition period. This is because the GDPR forms part of what is known as “retained EU law” under the European Union Withdrawal Act 2018. That means the UK will continue to apply most of the provisions of the GDPR, although, it will now be referred to as the “UK GDPR”.
There is, however, the possibility that the UK will choose to amend the scope of the UK GDPR in the future. UK GDPR applies in tandem with the UK’s own Data Protection Act 2018 (the “DPA”), which contains many of the same protections.
The right to compensation
The individual’s right to compensation for data protection breaches is contained in both Article 82(1) of UK GDPR and sections 168 and 169 of the DPA.
Under Article 82(1) of the UK GDPR, an individual who has suffered either “material” or “non-material” damage as a result of an infringement of the UK GDPR has the right to receive compensation. This language is again mirrored in the DPA.
What is meant by “material” and “non-material” damage?
“Material damage” includes such things as financial loss that an individual may have suffered as a result of the data protection breach. It could also include damages in relation to personal injury that arise from the breach (e.g. mental health conditions which have been caused or exacerbated by the breach of personal data).
“Non-material damage” is effectively compensation for the distress caused to the individual by the breach.
It will be for the individual to show that an infringement of UK GDPR/DPA has occurred and that damage has resulted from the infringement.
What amount of compensation will be awarded?
The level of compensation awarded in a successful claim will depend on the facts of each particular case. Both the nature of the breach and evidence relating to the material and non-material damage suffered by the individual will be assessed. In practice, it is rare for significant sums of compensation to be awarded in individual cases.