Restaurant operators have been warned that they could be hit with compensation claims in the event of a data protection breach even if no ‘financial loss’ occurs.
The alert follows a ruling in last month’s Google Inc. v Vidal-Hall Court case, where the Court of Appeal clarified the rules under the Data Protection Act 1988, which were previously interpreted as allowing compensation claims only if a data breach caused a financial loss.
Following clarification by the Court, Clause 13 of the Act will now be interpreted so that financial loss no longer needs to be shown for a compensation claim for emotional impact on the claimant, such as anxiety or distress. The previous interpretation had meant that compensation was not available for most breaches.
The decision is likely to have a number of potentially wide-ranging implications, including an increase in claims for compensation under Clause 13, and a likely rise in class actions, in which a large number of individuals have suffered emotional distress or invasion of privacy due to the same data breach.
Such claims could be very costly to restaurants in terms of damages, according to Moore Blatch, one of the UK’s leading commercial and technology law firms.
It said that while all reputable organisations follow good data protection policies, more stringent practices need to be in place for data where a financial risk might be exposed by a data breach, such as the holding of bank or credit card details, as “appropriate measures” will be tougher in the financial sector.
John Warchus, partner, Moore Blatch, said: “Restaurants, or indeed anyone in control of customer data, will now have an even stronger incentive to comply with data protection rules. The decision by the Court of Appeal is also consistent with the likely future trend of data protection legislation — the draft EU Data Protection Regulation will mean that someone can seek damages regardless of a financial loss.”
He said that operators should take the ruling seriously. “Restaurants should urgently review their data protection procedures and strengthen where necessary as more compensation claims are likely and the amount of damages awarded is also likely to increase.”