English court lowers barriers to bring legal actions over privacy breaches

13th Jul 2015

The recently decided English case of Google v Vidal-Hall sets a worrying precedent for companies and organisations across Europe as it represents a significant step towards an increase in European privacy litigation. The Court ruled that on the basis of existing data protection rules, a claim for a breach of data privacy can be brought by individuals:

  • Whose data has been collected by a Google or Safari browser without their consent;
  • Even if that data is not directly personally identifiable;
  • Regardless of whether the data is actually used or not;
  • And when there is no financial loss, but merely distress.

By broadening the definition of personal data and also allowing for non-material damages, the Court has potentially cleared the way for many more privacy cases. The mere collection of data in the broadest sense, including big data, or a data breach without financial impact might be enough to trigger litigation.

This proliferation of privacy cases might soon spread on a Europe-wide scale in view of the ongoing negotiations in Brussels on the proposed EU General Data Protection Regulation, which might be concluded by the end of this year. It is the first EU legislative proposal to include the possibility for any organisation to launch a class action over a breach of the Regulation, which might be a data breach or the collection of data without explicit consent. The business community is increasingly concerned about the potentially severe financial impact that this proposal could have. It already includes a possible fine of up to 5% of global annual turnover of an ‘enterprise’. In addition, private actions – including a form of class action – have been proposed for actual damage. The European Parliament has suggested an amendment which would make it possible for anyone to sue on anyone else’s behalf, and to sue for non-material damages, such as for emotional distress.

European policymakers are vastly underestimating the impact that this proposed EU Regulation would have on economic growth and jobs, especially if we look at the developments across the Atlantic. In the US, hundreds of unwarranted privacy and data security class actions have been filed since 2008. In most cases, claimants do not incur any financial damage or any harm. In cases such as these, the main beneficiaries are often the specialized class action plaintiff lawyers, while consumers themselves often get little to no compensation. The UK and all other Member States of the EU should aim to avoid such trends and not allow for the abuse of privacy and data protection rules for the benefits of only a few specialized lawyers and litigation funders. The introduction of US-style ligation will not benefit citizens at the end of the day. Moreover, it would harm companies disproportionately and put profiteering by some before justice for all.