One of the major evolving issues in privacy and data protection law concerns the assessment of damages: when someone suffers a breach of their privacy or DP rights, how do you go about deciding how much money to award them by way of compensation?
Courts have to date taken a number of approaches to this question. In Halliday v Creation Consumer Finance [2013] EWCA Civ 333, Arden LJ suggested that awards in DP cases should be “relatively modest” and that the Vento bands used in discrimination law were not suitable comparators in this arena; Mr Halliday was given £750.
Arden LJ was then one of the Court of Appeal judges in Gulati v MGN Ltd. [2016] 2 WLR 1217, where damages for privacy breaches committed via phone-hacking ranged between £85,000 and £260,250. That judgment contained an important analysis of the nature of privacy and the impact of its violation.
Lastly, a personal injury approach was adopted in CR19 v Chief Constable of the Police Service of Northern Ireland [2014] NICA 54, where a data loss causing psychiatric injury saw a £20,000 award.
The last week has seen two notable contributions to the evolving jurisprudence on the ultimate privacy issue, namely money. This post is about the first of those, namely the judgment in TLT. I will post later about the second notable case, namely Andrea Brown.
TLT
Mitting J gave judgment orally in June and in writing last week in TLT and others v Secretary of State for the Home Department [2016] EWHC 2217 (QB).
The case concerned the Home Office’s publication of quarterly statistics about the family returns process, the means by which those with children who have no right to remain in the United Kingdom are returned to their country of origin. That publication is made via a spreadsheet with two tabs: The first contains anonymous statistics; the second contains details of each individual case (name of the lead family member; his or her age and nationality; whether they had claimed asylum; the office which dealt with their case, from which the general area in which they lived could be inferred; and the stage which they had reached in the family returns process)
In October 2013, the Home Office accidentally published data in a way which made both tabs available. It contained details of 1,598 lead applicants for asylum or leave to remain. This was downloaded on 27 occasions by 22 different IP addresses in the UK and by 1 in Somalia. Someone uploaded it to a US website, but this was later taken down.
A small group of affected individuals brought claims for misuse of private information and breaches of the DPA. Liability was admitted. The case before Mitting J concerned remedy.
One live question was this: could data subjects not named in the spreadsheet – specifically, family members of those who were names – recover? Answer: yes, they could. Given the nature of the data, anyone with knowledge of the lead person’s family could identify the children and other family members.
Another question was this: is there a threshold of distress which must be reached before compensation can be awarded? Answer: yes – the de minimis threshold.
More importantly, how should quantum be assessed? Mitting rejected any comparison between the TLT case and “cases involving the deliberate dissemination of private and confidential information for gain by media publishers or individuals engaged in that trade, such as Max Clifford”. On the other hand, account should be taken of “damages for distress, awards made for psychiatric or psychological injury in personal injury cases to ensure that any award is not out of kilter with them.”
The leading case of Gulati was an important guide, in particular on the point that damages should take into account the loss of control over one’s private and confidential information.
Mitting J then carefully analysed the specific evidence of each claimant before him, identifying the parameters of distress which he found to have been made out in terms of persuasive evidence and rational beliefs about the consequences of the data breach.
The awards ranged from £2,500 to £12,500 per person, which were held to be in line with awards which would be made for psychiatric injury in such cases, taking into account in addition the individuals’ loss of control over their information.
Mitting J’s judgment is notable not only as regards principles (how are courts applying the case law on privacy damages?) but also as regards evidence (what are the strengths and weaknesses of evidence in support of distress claims in privacy cases?). Both are important in the evolution of privacy law.
Robin Hopkins @hopkinsrobin