This follows the ruling in last month’s Google Inc. v Vidal-Hall Court case, where the Court of Appeal clarified the rules under the Data Protection Act 1988, which were previously interpreted as allowing compensation claims only if a data breach caused a financial loss.
Following clarification by the Court, Clause 13 of the Act will now be interpreted so that financial loss no longer needs to be shown for a compensation claim for emotional impact on the claimant, such as anxiety or distress. The previous interpretationhad meant that compensation was not available for most breaches.
Law firm Moore Blatch warns that while all reputable organisations follow good data protection policies, more stringent practices need to be in place for data where a financial risk might be exposed by a data breach, such as the holding of bank or credit card details, as "appropriate measures" will be tougher in the financial sector.
The decision is likely to have a number of potentially wide-ranging implications, says the company, including an increase in claims for compensation under Clause 13, and a likely rise in class actions, in which a large number of individuals have suffered emotional distress or invasion of privacy due to the same data breach. Such claims could be very costly to shopkeepers in terms of damages.
John Warchus, partner, Moore Blatch, said: "Shopkeepers, or indeed anyone in control of customer data, will now have an even stronger incentive to comply with data protection rules. The decision by the Court of Appeal is also consistent with the likely future trend of data protection legislation – the draft EU Data Protection Regulation will mean that someone can seek damages regardless of a financial loss. Shopkeepers should urgently review their data protection procedures and strengthen where necessary as more compensation claims are likely and the amount of damages awarded is also likely to increase."