In 2017 DSG Retail Ltd (the company operating as Dixons and Carphone Warehouse) was subject to a hacking attack which resulted in unauthorised access to personal data on DSG systems.  The Information Commissioner’s Office (ICO) investigated the circumstances and found that DSG did not have appropriate technical and organisational measures to protect the personal data, a breach of the seventh data protection principle under the 1998 Data Protection Act (the DSG case predates GDPR).

The hackers were able to access 5.6 million payment card details used in transactions and the personal information of approximately 14 million people, including full names, postcodes, email addresses and failed credit checks.  DSG was issued with a monetary penalty of £500,000, which it is appealing.

The ICO is not empowered to award compensation to those affected by data protection breaches.  However, following the ICO finding, a civil claim was brought by Mr Warren against DSG for:

  • Breach of confidence
  • Misuse of private information
  • Breach of statutory duty

The court struck out all claims except for the claim for breach of statutory duty which was allowed to proceed.  (That part of the claim is pending the outcome of the appeal by DSG against the fine imposed by the Information Commissioner’s Office.)

The claims for breach of confidence and misuse of private information were struck out on the grounds that DSG had not committed any wrongful action; rather, there was a failure to prevent an unlawful attack on the security of the company’s data. The judge said breach of confidence and misuse of private information were both concerned with prohibiting actions by the holder of information held under an obligation of confidence or privacy.

The negligence claim was struck out on the grounds that a duty of care should not be imposed where statutory duties already apply (such as those under UK GDPR).  Also, as the claimant had not provided details of the loss suffered, a claim of “distress” was held not to be sufficient in relation to damages for a claim of negligence.  This contrasts with the Lloyd v Google case where “loss of control” of personal data was held to be sufficient grounds for a claim for damages.

The Lloyd v Google case has been heard on appeal by the Supreme Court and judgment on “loss of control” as a head of damages (inter alia) is due later this year.

Note that the ICO advice for data subjects bringing a claim for damages reads:

“The GDPR gives you a right to claim compensation from an organisation if you have suffered damage as a result of it breaking data protection law. This includes both “material damage” (e.g. you have lost money) or “non-material damage” (e.g. you have suffered distress).”

Conclusion

While both GDPR and its predecessor, the Data Protection Directive 95/46/EC, had stated objectives of empowering individuals to take action to hold organisations to account for abuse of their personal data, there is evidence of some fairly specious claims for damages being made against reputable organisations backed up with the threat of legal action if compensation is not paid.

The ruling in the DSG Retail case is consistent with the ICO view that damages can be claimed for damage or distress.  The judgment in Lloyd v Google should settle the debate on whether actual damage needs to be shown resulting from data protection breaches.  It illustrates just how much that guidance is needed, as opinion is currently divided.

Mandy Webster, Data Protection Consultant