The Second Opinion: UK Court Of Appeal Limits Compensation Owed By Businesses Which Breach Privacy Laws

Courts in both Canada and UK are grappling with developing a principled approach to damage awards in breach of privacy cases - what types of damage ought to be recognized? Who should be compensated for such damage? By how much? Recent UK case law suggests that a company's liability for breach of a privacy statute is not limitless.

In Halliday v Creation Consumer Finance Ltd (CCF) [2013] EWCA Civ 333 ("Halliday"), the Court of Appeal of England and Wales held that businesses which breach data protection laws do not have to pay compensation for causing distress to consumers unless that distress is directly attributable to a breach of the statute.

Similar to Canada's Personal Information Protection and Electronic Documents Act, SC 2000, c 5 ("PIPEDA"), section 13 of the Data Protection Act, 1998 c. 29 (DPA) entitles a person to compensation if they suffer damage as a result of violations the DPA by organisations that hold their personal data. Individuals are also generally entitled to compensation from those data controllers if they suffer distress that causes damage.

Halliday, the complainant in this case, had previously won an order against Creation Consumer Finance Limited (CCF) requiring the company to pay £1500 in connection with breaches of Halliday's rights under the DPA. Unfortunately, CCF paid the £1500 it owed Halliday into a closed bank account. During the resulting attempts to sort out the banking mixup, CCF entered incorrect information about Halliday in their systems that showed that he was £1500 in arrears; this information was then shared with a credit reference agency.

Halliday claimed that CCF had breached the terms of the court order and that caused him significant distress and claimed between £6,000 and £18,000 for the distress.

The Court of Appeal held that Halliday could not claim compensation for distress that was not caused by the actual data protection breach itself: "In other words, this is a remedy which is not for distress at large but only for contravention of the data processing requirements."

As a result, the company should only have to pay £750 in substantial damages and a further £1 in nominal damages. Lady Justice Arden further noted that the breach "did not lead to a loss of creditor reputation" for Halliday and that there was "no proof of any fraudulent or malicious intent on the part of CCF".

In Canada, PIPEDA has a framework similar to the UK's DPA. Under section 16(c) of PIPEDA, privacy violations are...