The amount of compensation that you may receive from a data breach claim will depend on the type of breach that has taken place, the high risk nature of the information that has been breached and if you have suffered from any distress as a result.
As of May 25th, 2018 all European Union member states are held accountable to the General Data Protection Regulation (GDPR). This legislation outlines rules relating to the protection of natural persons with regard to the processing of personal data and rules related to the free movement of personal data. GDPR also protects the fundamental rights and freedoms of natural persons, and in particular their right to the protection of personal data. This harmonised legal regulation also states, “The free movement of personal data within the union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.
You have the right to claim data protection breach compensation from an organisation if you have suffered as a result of that organisation breaching data protection law with your personal data under the General Data Protection Regulation (GDPR). This applies to both “material damage” (e.g., If you have lost money) and “non-material damage” (e.g if you have experienced anxiety or distress). You may be able to claim more compensation if the breach of your personal data has caused you distress.
How much compensation can I claim for distress caused by a data breach?
If you are distressed as a result of your data being breached, then you are likely able to claim slightly more compensation from a data breach claim. If you can credibly prove that you have physically and or mentally suffered as a result of your personal data being breached (such as experiencing depression) then you may be able to claim more compensation.
However, due to the number of variables involved in each data breach compensation claim, it can be difficult to estimate the amount of compensation you may receive from just assessing previous cases. Furthermore, if you fail to demonstrate you have suffered damage or distress, the court will not award you any compensation, and in some cases can order you to pay the other party’s costs.
What data breaches have resulted in the biggest fines and settlements?
To give you an idea of the scale and severity of data breaches, we’ve detailed some of the largest settlements and fines that there have ever been as a result of data beach violations.
Equifax (2017 data breach): 162 million records breached resulted in a $575m fine.
British Airways (2018 data breach): 400,000 customers were affected and a fine of £20m was imposed by the Information Commissioner’s Office (ICO).
Uber (2016 data breach): 57 million customers and drivers had their data breached and Uber were fined $148m.
Marriott (2018 data breach): the data of 500 million guests was stolen, and Marriott International were charged £18.4m.
Yahoo (2013 data breach): more than 1 billion accounts were compromised as Yahoo were fined $85 million.
Can you get compensation for breach of data protection?
Due to the General Data Protection Regulation (GDPR), you have a right to claim data protection breach compensation if you have suffered as a result of an organisation breaking the data protection law. Under GDPR, you can claim compensation for material damage (i.e lost money) or non-material damage (if you’ve suffered distress). If you believe your personal data has been lost or misused and you have suffered loss or distress, you may be able to claim compensation.
What compensation can you get with a data protection claim?
Material damage
Data protection breach compensation won on the basis that material damage has been caused describes cases in which you have been compensated for tangible suffering. This often describes a loss of money directly.
Non-material damage
Date breach cases where compensation has been won as a consequence of non-material damage describe cases where damage has been caused in intangible ways. Examples of this include when the victim has suffered distress, depression, identity theft or a damaged reputation directly as a result of the victim’s personal data being breached.
What are some examples of compensation won from data breaches due to distress?
Data breach compensation claims have been steadily increasing since Vidal-Hall and others v Google Inc. (2013). In this case, the Court of Appeal in London concluded that a distress claim suffered by the privacy breach can sound damages even though there was no financial loss. Pre-GDPR, compensation was lower; most data breach compensation rewards started from about £750, whereas now they generally begin around £1,000.
More recently, data breach compensation amounts for distress have increased as data laws have become clearer and, unfortunately, mass data breaches more common. For example, in the Gulati & Ors V MGN Ltd Phone hacking case damages (2015) were confirmed to be over £250,000. Even more recently, in the Alexander Aristides Reid v Katie Price [2020] EWHC 594 (QB) case, £25,000 was awarded in compensation. Below, we’ve listed a range of data breach compensation examples including the data breach type and compensation amounts.
Get in touch with us today to find out if you have a valid data breach claim and how much compensation you could potentially receive. If you feel like you’re a data breach victim, then please don’t hesitate to get in touch with us. Unfortunately, data breaches are increasingly common, so it’s important you check to see if any of your personal data has been breached at all; if it has, then we’re here to help guide you from complaint to compensation.
Get In TouchDo I have to go to court to get compensation for a breach of data protection law?
The GDPR gives you a right to claim compensation from an organisation if you have suffered damage as a result of it breaking data protection law. You do not have to go to court to obtain compensation, as the organisation may agree to pay you. However, if the company does not agree to pay, you may need to make a claim in court to claim your compensation. This includes both “material damage” (e.g. you have lost money) or “non-material damage” (e.g. you have suffered distress). You do not have to make a court claim to obtain compensation – the organisation may simply agree to pay it to you.
How much compensation can you claim for a data protection breach?
Data protection breach compensation amounts vary from case to case depending on the type of claim that has been made and the severity of the distress or damage caused to the claimant. Cases involving ‘low risk’ personal information that is unlikely to lead to serious distress can be settled from between £750 and £1000 in compensation.
This should be considered the lowest end of the spectrum, and whilst it’s important that data protection breaches of all kind should be reported to the ICO, many solicitors will not consider taking on any cases of a lower value as they will not be able to take a suitable fee for their time spent processing the claim.
What happens to organisations that fail to comply with data protection standards?
Failure to comply with these data protection standards means organisations can be liable to provide compensation to ‘data subjects’ (the individuals the data relates to) who have incurred either damage or destress as a result of a DPA violation.
Organisations that fail to comply may also be fined significant amounts by the relevant territorial authorities. In the UK, the Information Commissioner’s Office may hand out fines that are equivalent to 4% of an organisation’s turnover or £17.159 million, whichever is greater.
Related: Data Protection Breach Compensation Examples
How much is the average compensation for breach of the Data Protection Act?
The average compensation for breach of the Data Protection Act is between £1,000 and £42,900. In some cases, you may be able to claim more compensation for personal data breach that causes you distress.
Compensation for distress caused by GDPR a data breach examples
The average compensation awarded for GDPR data breaches is between £1,000 and £42,900, however in some cases you can claim more compensation if the breach of your personal data has caused you distress.
While data breach distress compensation amounts vary hugely based on the type of data breached, the effect it’s had on you and the high risk nature of the information, there are general guidelines for how much compensation certain data breaches typically lead to. Below, we’ve outlined some data breach compensation amount example ranges below based on types of data breaches.
£1,000 – £1,500 for breaches of basic personal data for example, name, date of birth, home and email addresses.
£2,000 – £5,000 for breaches of medical records.
£3,000 – £7,000 for breaches of financial information.
£25,700 – £42,000 for breaches that cause mental or physical illness such as depression for example.
Below, we’ve detailed a range of recent data breach cases that have seen
How much money have previous data breach victims been compensated?
The amount of money that previous data breach victims have been compensated has risen over the years, with initial breaches of the Data Protection Act only winning around £2,500 in damages related to disclosure of private information. However, as organisations have been accruing more personal information, more cases have been going to court, resulting in more precedents being set.
Most data breach claims are settled outside of court, however the amount of compensation that is settled on is usually informed by cases that are similar in nature.
How long does a data breach claim take?
While some claim that data breach cases can be over in just a few weeks, the reality is that data breach claims can take several years from complaint to compensation.
| Case | Data breach | Compensation |
|---|---|---|
| Archer v Williams [2003] EWHC 1670 (QB) | Disclosure of medical information | £2,500 |
| Campbell v MGN Ltd [2004] UKHL 22 | Publication of articles/photographs disclosing private information | £2,500 plus aggravated damages of £1,000 |
| Applause Store Productions Limited v Raphael [2008] EWHC 1781 | False defamatory profile and group on Facebook | £2,000 plus award for libel totalling £20,000 |
| Mosley v News Group Newspapers Ltd [2008] EWHC 1777 | Publication of private information relating to sexual practices | £60,000 |
| Cooper v Turrell [2011] EWHC 3269 (QB) | Misuse of private information | Claimant 1 £30,000 Claimant 2: £50,000 |
| Sean Robert Grinyer v Plymouth Hospital NHS Trust; 28th October 2011 | Unauthorised access of medical records by nurse | £12,500 |
| AAA v Associated newspapers Ltd [2013] EWHC 2103 (QB) | Publication of photographs | £15,000 |
| Weller v Associated Newspapers Ltd [2014] EWHC 1163 (QB) | Publication of photographs without consent | £10,000 |
| Gulati and others v MGN Ltd [2015] EWHC 1482 (Ch) | Phone hacking | £72,500 – £260,250 |
| Brown v Commissioner of Police of the Metropolis and Chief Constable of Greater Manchester Police [2015] EWCA Civ 646 | Unauthorised processing of flight details, in lead up to disciplinary | £9,000 |
| TLT and others v Secretary of State for the Home Department and Home Office [2016] EWHC (QB) | Publication of confidential personal information of around 1,600 applicants for asylum or leave to remain | £2,500 – £12,500 |
| Wooley & Wooley v Nahid Akbar Or Akram [2017] SC Edin 7 | CCTV surveillance carried out by a neighbour | £17,268 |
| Ali & Anor v Channel 5 Broadcasting Ltd [2019] EWCA Civ 677 | Disclosure of private information in television show | £10,000 per claimant |
| Alexander Aristides Reid v Katie Price [2020] EWHC 594 (QB) | Disclosure of sexual preferences and lying about retaining Personal Information. | £25,000 |
| Aven and others v Orbis Business Intelligence Ltd [2020] EWHC 1812 (QB) | Inaccurate processing of the allegation regarding “illicit cash”. | £18,000 per claimant |
About Data Breach Help
Operated by Cobleys Solicitors – one of the leading law firms in the UK – we are a dedicated team of experienced solicitors well versed in every aspect of evolving data breach law. Utilising our wealth of experience and expertise, we assist our clients in claiming rightful compensation from both public and private organisations that have failed to protect their data.
Get in touch with us today to find out if you have a valid data breach claim and how much compensation you could potentially receive.