data protection
, ,

Huge step forward for privacy rights after ground-breaking data protection ruling

A data protection case against Google has resulted in a huge win for individuals and their data privacy rights.

The legal action[1], which relates to events that took place nearly a decade ago, will make it much easier for people to make a data breach claim.

What happened in this case?

Between 2011 and 2012, Google used cookies on Apple’s Safari web browser to collect data about its users. This included information on health, race, ethnicity, sexuality and finance. It is alleged that this happened even if someone changed their setting to “do not track”.

In response, a group action was launched to help people challenge the big technology company over this data privacy violation. But, in October 2018, the case was thrown out.

One reason behind this decision was that it was deemed too difficult to calculate how many people had been affected and in what way. This is because, to make a data breach compensation claim, each individual had to show that they had suffered. This could include experiencing either emotional distress or financial loss as a result of a breach.

However, this case was taken to appeal. And, in a “ground-breaking” ruling, the Court has shown that big business is not above the law.

What happened in the appeal?

The Court of Appeal decided that all data breach claims are valid. Even if someone hasn’t suffered financial or emotional damage as a result. Simply losing control of the personal information is sufficient grounds to make a claim.

What’s more, the appeal also found that people are entitled to compensation even if the only personal information breached was their email address.

What does this mean for victims of a data breach?

This is good news when it comes to the protection of our privacy rights. It means that organisations are much more likely to take their data responsibilities seriously. And, where a breach does occur, it is now much easier to hold corporate giants to account.

What’s more, a group action can now be launched based on the total number of those affected. Not just the individuals who have proactively decided to pursue compensation. This will make the group action claim process much quicker.

Businesses will have to do more or risk legal action and hefty costs

Speaking about the case, our managing director Kingsley Hayes said:

“This is a very significant development which recognises that personal information has a value and when that private data is compromised, the individual has a right to compensation whether or not they have suffered actual, or potential, financial loss or psychological injury.

“The ruling rightly adds further weight and consequence to any breach of personal data, even if a breach only involves an individual’s email address. This is likely to open the floodgates as consumers become increasingly proactive about protecting their privacy rights and seeking legal redress.

“Businesses who are not already taking their data protection obligations seriously will have to step up their data protection practices or face legal action and hefty costs.

“The development is fair and right providing robust clarity that the law sits firmly behind the rights of individuals to have full control of all their personal information and how, when and where this is stored, processed or shared.”

How do you make a data breach claim?

If you have experienced a breach of any part of the Data Protection Act, you have a right to claim compensation.

And, keeping things simple, as far as individuals are concerned, the process of making a data breach claim remains largely the same. So, if you are worried that your information has been lost or misused, we can help.

At Hayes Connor Solicitors, we know what it takes to make a successful compensation claim. In fact, we’ve been helping people to do just that for over 50 years. We also steer you through the aftermath of a data breach – minimising the impact on you as much as possible.

In most cases, data breaches happen because of a failure to implement reasonable and robust processes. So claiming compensation isn’t just in your best interests. The only way organisations will be persuaded to take their responsibilities seriously and make the necessary improvements is by hurting their bottom line.

Find out more about making a data breach compensation claim.

[1] Lloyd v Google

Data breach

Can you make a data breach claim against Gloucestershire Police?

Following a worrying data breach scandal, Gloucestershire Police has been fined £80,000 for sending a bulk email that identified victims of historical child abuse.

Commenting on the breach, Steve Eckersley, Head of Enforcement at the Information Commissioner’s Office (ICO) said: “This was a serious breach of the data protection laws and one which was likely to cause substantial distress to vulnerable victims of abuse, many of whom were also legally entitled to lifelong anonymity”.

As such, those affected should now be looking to claim compensation.

 What happened in this case?

 A police officer involved in a non-recent sex abuse investigation sent an update on the case to 56 people. These people included victims, witnesses, journalists and lawyers. However, the officer carelessly made all the email addresses viewable by all recipients.

Gloucestershire Police realised the mistake two days after it happened in December 2016. But while it successfully recalled three emails (and one email was undeliverable), 56 full names and emails were visible by to up to 52 people. The email also referenced schools and social services that were being investigated following the allegations of abuse.

On realising its error, the force reported it to the ICO and sent an apology to all recipients. However, this remains a “serious breach” of data protection laws.

What was the result of the investigation?

An investigation by the ICO into the breach found that adequate security processes were not put in place to prevent such errors from occurring. For example, the “bcc” (blind carbon copy) function, which can be used to keep addresses private when sending bulk emails was not automatically selectable on the system. In addition, Gloucestershire Police failed to provide staff with adequate (or any) training, guidance or policies on bulk email communication and the importance of keeping private and sensitive information safe.

The ICO spokesperson added: “The risks relating to the sending of bulk emails are long established and well known, so there was no excuse for the force to break the law – especially when such sensitive and confidential information was involved.”

What can you do?

While the ICO has the power to impose hefty fines on organisations who fail to meet their data protection obligations, it does not award compensation to victims. But, once an organisation has been found guilty by the ICO – as in this case – you can use that information to support a data protection compensation claim.

The latest breach by Gloucestershire Police is particularly worrying as those involved were likely to suffer significant distress knowing that they could be identified as victims of child abuse. The investigation also concluded that many of these victims were suffering from the lifelong consequences of this abuse, and were already vulnerable. As such, the failure to protect their privacy is likely to cause considerable emotional anguish.

To make matters worse, despite the findings by the ICO, and while Gloucestershire Police has since apologised for the mistake, it has failed to accept full responsibility. In fact, the force has said that it is disappointed by the decision and is considering an appeal.

While human error does happen, Gloucestershire Police simply did not make sure that appropriate procedures and training was in place to avoid such a breach from occurring. So it must be held to account.

If you are one of those affected and are concerned that your data was treated negligently, contact Hayes Connor Solicitors immediately. We can help you to claim the maximum amount of compensation in the minimum amount of time, on a no-win, no-fee basis.

With strict-time limits in place for making most compensation claims, it’s essential to act now.