Individual rights in the Data Protection Act underlined by two recent cases

Two recent cases have reinforced the importance of the individual rights of data subjects which are fundamental elements of the Directive behind UK Data Protection Laws. These developments will have an impact on compliance with the data protection principles for a range of organisations and businesses. These include:

• Complying with a subject access request from outside the UK
• Claiming damages for distress under the Data Protection Act

Complying with a subject access request from outside the UK
In the case of Kololo v Commissioner of Police for the Metropolis, the High Court had to decide whether a subject access request (SAR) by Mr. Kololo, who has been sentenced to death in Kenya for robbery and murder of two British nationals, was an abuse of process.

Relevant facts
Mr. Kololo made a SAR to the Commissioner of Police for the Metropolis (MPS) seeking all records relating to him and made it clear that the information was required urgently because it was believed that the information could prove crucial in his case to challenge the death sentence. The MPS refused the request on the basis that it constituted an abuse of process.

Judgment of the High Court
Even though Mr. Kololo had never been to the UK, the High Court said that it had jurisdiction to hear the case as the information about him was being held in the UK. According to section 7(9) of the Data Protection Act (DPA) the Court has the discretion to decide whether to order a data processor to comply with an SAR. The DPA also contains certain exemptions to SARs such as any other enactment or rule of law restricting disclosure (section 27 (5)) or exemptions for the purpose of safeguarding national security (section 28). In this case alleged abuse of process was argued as a ‘rule of law’ and the relevant ‘enactment’ was the Crime (International Co-operation) Act 2003 (CICA) which makes provisions for overseas courts or prosecuting authorities to request assistance in obtaining evidence in the UK.

The Court found that the request was not an abuse of process because CICA in this case should not be providing an exclusive remedy since the DPA makes specific provisions for exemptions based on national security and for the prosecution or investigation of crimes. In relation to the Court’s discretion of whether to order compliance, the Court found that the information requested by Mr. Kololo was for the purpose of determining whether there were inaccuracies in the data, which is a proper statutory purpose as set out in the Recitals to the Directive. In the case of YS v Minister voor Immigratie, the European Court of Justice emphasised that regarding the relevant recital “the protection of the fundamental right respect for private life means … that that person may be certain that the personal data concerning him are correct and that they are processed in a lawful manner”. Additionally, the Court said that rectification of data is a statutory right as set out in section 14 DPA and therefore, ordering disclosure was within the purposes of the DPA.

Likely Impact
While this is an unusual case especially since Mr. Kololo had no links with the UK, it does underline that the DPA is not just about compliance in data protection or granting SARs; the right to rectification is an important one, which organisations and businesses should not ignore. The international dimension is also important because with businesses accessing foreign markets, for any personal data that is processed in the UK, subjects of that data may make a SAR and in turn businesses would be under an obligation to grant it if it is within the scope of the DPA. Further, in light of this development businesses should consider updating their internal processes (especially those operating in foreign markets or those that hold personal data of persons outside the UK) in order to ensure SARs are dealt with in accordance with this latest development.

Claiming damages under the Data Protection Act
In the case of Google Inc. v Vidal-Hall, Hann and Bradshaw, the three individuals claimed that Google had collected personal information about them while they were browsing the internet without their knowledge or consent and they were seeking damages for distress (section 13 of the Data Protection Act). In this case the question for the Court of Appeal was whether the claimants were entitled to recover damages for distress, understood to be pecuniary damage, although the claimants did not suffer loss and so would “non-pecuniary damage” be covered? To answer this question the Court of Appeal was required to consider whether “damage” under article 23 of the Directive 95/46/EC (the Directive), which the DPA implements includes “non-pecuniary damage” or non-monetary compensation.

The relevant law
Article 23 of the Directive provides:

(1) Member States shall provide that any person who has suffered damage as a result of an unlawful processing operation or of any act incompatible with the national provisions adopted pursuant to this Directive is entitled to receive compensation from the controller for the damage suffered.
(2) The controller may be exempted from this liability, in whole or in part, if he proves that he is not responsible for the event giving rise to the damage.

The DPA has different and more qualified wording which in most cases requires both “distress” and also “damage”. As such a data subject could only claim compensation if they suffered distress and monetary loss. An example where these requirements would be fulfilled could be where a data subject has suffered distress and monetary loss due to inaccurate data being held by a credit ratings agency. However, a data subject who may suffer distress due to disclosure of personal information without suffering any monetary loss would find it difficult to claim compensation.

Court of Appeal Judgment
In examining these questions the Court said that ‘article 23 of the Directive must be given its natural and wide meaning so as to include both material and non-material damage’. This is necessary since the aim of the Directive is to protect privacy rights as oppose to economic rights and it would be strange for the Directive not to permit compensation to those individuals whose data privacy had been breached causing emotional distress. The Court also pointed out that the provisions of the Directive seek to protect the right to privacy as is the case with Article 8 of the European Convention on Human Rights (the Convention) and enforcement under Article 8 of the Convention ‘has always permitted recovery for non-pecuniary loss’. Therefore on this point the Court concludes that the wording of the Directive does not distinguish between monetary and non-monetary compensation and in fact giving the wording of the Directive a ‘restricted interpretation would substantially undermine the objective of the Directive’ to protect the right to privacy in the processing of personal data.

The Court said that reading the applicable parts of the DPA literally it follows that article 23 of the Directive has not been implemented effectively (otherwise known as transposition). The Court then considered how the national legislation could be interpreted so that it would comply with the Directive by interpreting the DPA so far as possible in light of the wording and purpose of the Directive. The Court noted as the affected section is a central feature of the DPA where non-monetary compensation was not included, it could not be read to ensure compliance with the Directive. In such circumstances the Court said that where a right under EU law is breached article 47 of the Charter is engaged, which provides the right to an effective remedy under EU law and it is on this basis that the Court can give effect to the provisions of the Directive ignoring what the DPA says. Accordingly, the Court held ‘compensation would be recoverable for any damage suffered as a result of a contravention by a data controller of any of the requirements of the DPA’.

Likely Impact
This latest decision is another boost for individual rights as it broadens the scope of the DPA by permitting claims for compensation without the precondition of monetary loss. It will be interesting to see how this develops in future cases and also how it is applied in this particular case once reconsidered. Following this change it is likely that there will be an increase in litigation for compensation now that claimants are not required to show monetary loss. With the likely overhaul of this area of the law that is due to take place with the introduction of the General Data Protection Regulation in the next couple of years, this latest development can also be seen as bringing UK legislation closer to what is in the forthcoming Regulation.

It is also consistent with changes taking effect in the Privacy and Electronic Communications Regulations (PECR), which make it easier for the Information Commissioner’s Office (ICO) to fine companies for unwanted marketing communications by lowering the threshold to a serious breach of the regulations. Previously, the ICO was required to prove “substantial damage or substantial distress”. These developments are important to note for organisations and businesses, whom may consider renewing their data protection processes to make sure that they are complying with the principles of the DPA and PECR, as well as make contingency planning in the event that a breach takes place, resulting in a claim for compensation or being fined.

If you would like further information about these and other developments as they affect social housing you can attend our upcoming event Data Protection for Housing Officers. Additionally for advice on these developments or general Data Protection Law and practice please contact Daniel Milnes.

Nat Avdiu

About Nat Avdiu

Nat Avdiu is a Paralegal in the Contracts and Projects team at Forbes Solicitors. Nat provides updates for clients on a range of issues including: governance, data protection and freedom of information, procurement and charity law.
This entry was posted in Corporate & Restructuring, Housing Litigation and tagged , , , , , , , .