Compensation is due if a data breach causes material damage or distress - Catherine McGarrell

While doing very little to smash the stereotype of lawyers being not too interesting, my concentration on data protection legislation isn’t just on its technical contents - but the legal frameworks and rights it provides.

Like all the best journeys, I’ll start at the beginning. Too often, its doubters try to place GDPR as some shocking slice of bureaucracy imposed on us from That Big Bad Monolith EU. As all too frequently claimed, the rights conferred are neither a) bad b) much more than the UK had before.

Just like the rights of workers, the UK has usually been pretty handy in having a legislative structure that protects people. It was UK law that set the standard that the EU back then were able to emulate and build upon to make our rights even better. This is where our firm comes in; through the myriad of rights the Data Protection Act (DPA) created, it established a statutory right to compensation for breaches.

Before taking you on a delay as long as a school bus trying to leave Dover, I’ll rein it back to what this means practically. The statutory right to compensation for us is not a new concept. The Data Protection Act 1998 at s13 provided the right to compensation from a data controller following a breach, if at ss1 it causes damage, or, at ss2, it causes distress.

Almost two decades later, Article 82 of the GDPR provides that any person who has suffered material or non-material damage as a result of a breach has the right to receive compensation from the controller or processors. This is a step further for us as previously it was only the controller.

This principle is furthered at s168 of our (newish) Data Protection Act 2018 which at ss1 specifies “non-material” damage includes distress.

The distress aspect is quite unique to data breaches. In Scotland, the lynchpin of the law of delict is damnum injuria datum - loss wrongfully caused.

In layman’s terms, it means in order to be owed damages from an at-fault party, there must be loss. While this can be simple to value elsewhere in respect of monetary loss, in respect of harm to the person there must be a recognised injury; either physical or mental by way of a diagnosed psychiatric injury. You cannot be compensated for emotions such as distress, shock, anger, grief unless these fall under the heading of a psychiatric injury like an Adjustment Disorder or PTSD.

We then have the exception that proves the rule. Distress from a breach being compensable is kind of a big deal because that’s not an “injury” in the medically or legally recognised way. There also has to be provable distress; your email address accidentally being shared with another person isn’t likely to cause this (save of course for it going to someone who you have a bad relationship with), whereas it being harvested in a hack is quite different.

Thompsons Solicitors have a highly specialised data protection team dedicated to obtaining redress as a result of a data breach. Our caseload comprises personal breaches of sensitive information such as medical records being released to the wrong person, or mass well known breaches such as the recent wide reaching Arnold Clark and JD Sports data breaches. Having litigated Scotland’s first ever Group Action in Volkswagen, Scotland’s second and third Group Actions via Celtic Boys Club and Kenyan Tea cases, and likely Scotland’s first-ever data breach Group Action via Easyjet, our team is well-placed to take forward cases where your rights have been infringed.

Catherine McGarrell is a Senior Solicitor, Thompsons