FREE CHAPTER from ‘A Practical Guide to Enforcing Data Protection Rights and Compensation for Data Breaches’ by Mariel Irvine

Data protection law is a developing area of increasing importance. It protects the individual’s right to privacy by giving them rights over their personal information, and restricting the way organisations can use this information. It covers a broad spectrum of emotive topics including the media’s hounding of celebrities, cold calling the vulnerable, and the harvesting and sale of personal information following security breaches. The law in this area would be ineffective without enforcement.

This book considers the enforcement of data protection rights, including compensation for data breaches, from both the individual’s and organisation’s points of view. They are obviously two sides of the same coin: complaints to the regulator about data breaches by organisations may trigger enforcement action against the organisation.

Since the General Data Protection Regulation (“GDPR”) came into force on 25 May 2018, the Information Commissioner has fined large organisations millions of pounds for data security breaches. However, most fines concern breaches of the Privacy and Electronic Communications Regulations 2003 (PECR) which govern electronic communications from organisations to individuals, including marketing. Although the E-Privacy Regulation was planned to be implemented alongside the GDPR, and would have triggered changes to PECR before Brexit, the Regulation is not yet in force. The maximum fine for breaches of PECR remains £500,000. The provisions of PECR are not considered in this book, which focuses specifically on data protection enforcement under the UK GDPR and Data Protection Act 2018.

When opening the Data Protection Practitioner’s Conference in July 2022, the Information Commissioner, John Edwards, confirmed he had challenged his team to save business at least £100 million in the next three years. That would be achieved by offering greater certainty in what the law required, coupled with a predictable approach to enforcement action that allowed businesses to invest and innovate with confidence. The same year he decided to reduce the number of fines imposed on organisations in the public sector, with the justification that fines divert funds that would be better used by the organisation to fulfil its public function for the public benefit.

Large fines against big companies attract much publicity and may give individuals the mistaken impression that they, too, can recover similar amounts for the data breaches they have suffered. In fact the compensation awarded by the courts tends to be relatively low in individual cases, to the extent that it may be uneconomic to issue proceedings. Often it is only where a breach affects thousands of data subjects, as was the case with the British Airways breach of 2018 for example, that the outlay is likely to be significant. Such cases tend to settle in order to limit legal costs.

A relatively recent data breach case which went to trial and was then appealed to the Supreme Court involved Morrisons supermarket.[1] Morrisons argued they were not vicariously liable for a serious security breach of personal information belonging to thousands of staff, which had been perpetrated by a disgruntled employee. He was in prison for offences related to the breach. A Group Litigation Order was made and thousands of employees joined proceedings in the High Court against the supermarket chain. They walked away with nothing when the Supreme Court decided Morrisons were not vicariously liable for the criminal actions of the employee. His acts had not been sufficiently connected to his employment, and he had been on a frolic of his own.

In order to try and avoid the administrative costs involved with Group Litigation Orders, there have been a number of unsuccessful attempts to bring representative actions on behalf of individuals affected by data breaches who have not “opted in”, and so are not formally joined as parties to the proceedings. The Safari Workaround Litigation against Google is a crucial example.[2] The Supreme Court was clear that individuals must not only be represented but joined to the proceedings in order to recover compensation. The requirements of causation and proof of damage in individual cases continue to apply. Perhaps a representative action based on alternative causes of action in privacy law, such as misuse of private information, might be successful?

After only two and a half years, the GDPR was replaced by the UK GDPR on 1 January 2021, the day after the United Kingdom finally left the European Union. The UK GDPR incorporates the GDPR as it was on 31 December 2020 into domestic law, with necessary amendments identified in a Keeling schedule. Part 2 of the Data Protection Act 2018 supplements and refines the UK GDPR. Both pieces of legislation should be considered together.

As yet, there has been no divergence of significance between the UK and EU versions of the GDPR, perhaps partly because too great a divergence might threaten the European Commission’s adequacy assessment for transfers of personal data to the UK. The current adequacy decision is likely to last until 27 June 2025. However, when in 2022 the Government withdrew a new bill which would have made some significant amendments to the 2018 Act, it was said this was done so as to enable it to make more far reaching alterations to data protection legislation in future.

The enforcement rights covered in this book are summarised below:

  1. An individual has the right to lodge a complaint with the Information Commissioner if they consider that the processing of personal data relating to them infringes the requirements of the UK GDPR and the Data Protection Act 2018.[3]

  2. If the Commissioner does not handle the complaint or does not inform the data subject of its progress or the outcome within three months, the data subject has the right to appeal to the First-tier Tribunal General Regulatory Chamber.[4]

  3. An organisation may appeal to the First-tier Tribunal against information and assessment notices, and also enforcement and penalty notices, issued by the Information Commissioner.[5]

  4. A data subject whose rights have been infringed as a result of non-compliance with a provision of the UK GDPR when processing their personal data may apply to the court for an order to secure compliance.[6]

  5. A data subject, or any other person, who has suffered material and non-material damage as a result of an infringement of the Data Protection Act 2018 may claim compensation in the court against the controller or processor for the damage suffered. Damage covers distress as well as financial loss.[7]

The legislation and guidance to which reference is made includes:

  • The UK GDPR and Keeling Schedule

  • Data Protection Act 2018

  • The Tribunal Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules 2009

  • The Tribunal Procedure (Upper Tribunal) Rules 2008

  • Civil Procedure Rules

  • The Information Commissioner’s Regulatory Action Policy

  • The Information Commissioner’s Regulatory and Enforcement Activity Policy on Communicating

[1] WM Morrisons Supermarkets plc (Appellant) v Various Claimants (Respondent) [2020] UKSC 12

[2] Lloyd (Respondent) v Google LLC (Appellant) [2021] UKSC 50

[3] Article 77 UK GDPR and s165 DPA 18

[4] Article 78 ibid and s166 DPA 18

[5] Section 162 DPA 18

[6] Article 79 UK GDPR and s167 DPA 18

[7] Section 169 DPA 18