Taking The Biscuit: Cookie Claims For Breach Of The Data Protection Act

Taking The Biscuit: Cookie Claims For Breach Of The Data Protection Act

26 June, 2015 by Gilson Gray in Blog

What is distress?  Few would argue that accidentally eating a coffee cream when you expect a strawberry cream is grounds for a legal action (although, personally, I find coffee creams to be in breach of my human rights).  That, however, is for confectionary.  What about cookies?

An important decision regarding distress, the Data Protection Act (DPA) and internet cookies was heard in Google Inc. v Vidal-Hall.  This case, decided a few months ago, involved three internet users who sued Google for collecting private data on their browsing habits by placing tracking cookies on their computers without consent.  Google then provided targeted advertising by passing that information to third parties, contrary to its publicly stated position that no such activity would be conducted without users explicitly allowing it.  Indeed, changes over the last few years to the use of cookies in the UK have required this express consent.

The users were distressed.  They claimed that their “personal dignity, autonomy and integrity” were damaged by Google’s mishandling of their personal information, and claimed damages.  The courts, for the first time, accepted the argument that “moral damages” were sufficient to make a claim under the DPA.  This is an important decision, as it goes beyond requiring actual financial loss to make a claim, and takes claims into the realm of what is – effectively – a claim for hurt feelings.

Google argued that they should not be subject to this ruling because they were based in the USA.  However, the long standing principle that a legal wrong occurs where the victim is located was upheld – because the cookies were placed on computers physically situated in the UK, then Google could be subject to a claim.

In similar cases, awards have ranged from between £750 to £2,250 (at least, these are the publicly disclosed sums).  You should be aware that these figures do not reflect the reality of the situation – the risk here is that claims are made by individuals, so these awards could be made per claimant.  A single breach of the Data Protection Act could potentially lead to hundreds, thousands or even more claims.

There are two particular risks this case throws up.  First, it emphasises the importance of properly obtaining consent under the Data Protection Act.  The legislation is designed to allow information to be used in ways that are disclosed to individuals upfront, and most problems arise when a person finds that information has been passed onto someone without them knowing.  Second, it will be interesting to see how this decision sits with the increasing prevalence of hacking into large corporations to obtain details of users.

In the last couple of years, hundreds of thousands of users of the Sony PlayStation Network had their details compromised.  Just yesterday, it was announced that the US government has suffered a serious attack meaning that over five million government workers have potentially lost information to foreign governments.

What if everyone of the people concerned raised a claim because they were distressed?  What if everyone of them was awarded compensation at £750 to £2,250 each?

There is a defence here that “such care as in all the circumstances was reasonably required” is available.  Even that, however, may be a small crumb of comfort, given the technological arms race that is going on around us silently at all times.  What was reasonable yesterday, last month or last year may not be reasonable in two weeks time, and it is incumbent upon everyone processing information to make sure their systems and processes are up to date.

Still, it could have been worse for everyone concerned.  They could have been made to eat coffee creams.


For More Information Contact:
John Kielski
Direct Dial: 0141 530 2038
Email: jkielski@gilsongray.co.uk

The information and opinions contained in this blog are for information only. They are not intended to constitute advice and should not be relied upon or considered as a replacement for advice. Before acting on any of the information contained in this blog, please seek specific advice from Gilson Gray.