The Court of Appeal made a ruling on 2nd October in the Lloyd v Google case which may open the floodgates to data breach claims.
The Court decided that claimants would be entitled to compensation even if the only personal information breached was their email address. It also ruled that a claim would be valid without the requirement to prove a loss or damage as the loss of control of the personal information was sufficient grounds.
The ground-breaking judgement also clarified that firms representing only a portion of the total number of individuals affected in major data breaches, such as the British Airways and Ticketmaster incidents, can claim compensation for the entire population affected and can thereafter distribute the funds.
This ruling is a very significant development which recognises that personal information has a value and when that private data is compromised, the individual has a right to compensation whether or not they have suffered actual, or potential, financial loss or psychological injury.
The ruling rightly adds further weight and consequence to any breach of personal data, even if a breach only involves an individual’s email address. This is likely to open the floodgates as consumers become increasingly proactive about protecting their privacy rights and seek legal redress.
Businesses who are not already taking their data protection obligations seriously will have to step up their data protection practices or face legal action and hefty costs.
The Court of Appeal’s decision sets a precedent as compensation claimed, is for the total number of those affected by a breach and not just the individuals who have proactively pursued compensation on their behalf.
This development is fair and right providing robust clarity that the law sits firmly behind the rights of individuals to have full control of all their personal information and how, when and where this is stored, processed or shared.