GDPR and privacy damages: causation and quantum

Personal data of a private and sensitive nature can, of course, end up being used in ways that are both distressing and tangled – in the sense that it is not altogether clear who (if anyone) to hold responsible, in law and in fact. The recent judgment of Chamberlain J in Ali v Chief Constable of Bedfordshire [2023] EWHC 938 (KB) is a must-read case study for anyone needing guidance in navigating thickets of causation and quantum (spoiler: award of £3k for UK GDPR breaches; the same award would have arisen for misuse of private information and under Article 8 ECHR in these circumstances).

In broad outline, A informed the Police that her husband was a cocaine dealer and a danger to her family. She repeatedly and emphatically insisted that she was providing this information only on the basis that she would not be identified as its source. The Police in due course passed the information to social services at Luton Borough Council for safeguarding and social work purposes, without taking steps to conceal the identity of the source (or even considering such steps). A malicious Council employee informed A’s husband about what A had said.

A’s distress was of course understandable. Her action against the Council, however, failed (see the judgment of Richard Spearman QC: [2022] EWHC 132 (QB)) because the Council was not vicariously liable for the criminal acts of its employee. Her action against Bedford Police succeeded before Chamberlain J, under the GDPR (Articles 5(1)(a) and (b)), for misuse of private information and for a contravention of Article 8 ECHR.

There was no dispute that the Police’s disclosure to the Council interfered with A’s privacy rights. The first substantive issue was whether the Police were nonetheless justified in making that disclosure for the purposes of safeguarding and the protection of others. Specifically, however, the issue was whether it was necessary for the Police to disclose that A was the source of the information about her husband. Chamberlain J did not accept that anonymisation was impossible in these circumstances: it was argued that, even on an anonymised version of this information, suspicions would have been aroused as to A being the source – but suspicion is different from knowledge (see [35]).

Disclosure of even private and confidential personal data is capable of being justified by sufficiently weighty interests – and these are not only in Article 10 ECHR/media publication cases (see the analysis in eg ZXC v Bloomberg) but also in cases of other important interests (as to which, see the other must-read case on this subject, namely the judgment of Nicklin J in Dixon v North Bristol NHS Trust [2022] EWHC 3127 (QB)). But there was no adequate justification here for disclosing this information in a way that identified A as the source.

In any event, the Police had failed to consider the question of anonymising the disclosure. That was not necessarily fatal to their case: the question of whether the disclosure was “necessary” was for the Court, giving such weight as is appropriate to the view of the public authority whose decision is under challenge (at [28]). “But the burden remains on the Police to demonstrate the need to disclose Ms Ali’s identity as the source of the information she gave. When the data controller did not balance the relevant interests at the time of the disclosure, the weight to be accorded to its assessment of necessity will be lower, but it remains in principle open to the Police to show that the disclosure was necessary by ex post facto evidence” (at [29]).

Here, the Police failed to discharge that burden – hence their disclosure was unlawful, contrary to Article 5(1)(a) and (b) GDPR. Interestingly, Chamberlain J also concluded (at [37]) that even if he had been satisfied that the disclosure had been necessary (such that there was no ‘unlawful’ processing for Article 5(1)(a) purposes), he would still have found an Article 5(1)(a) contravention because the Police had not been transparent with A about this disclosure (indeed, she understood that her identity would not be disclosed).

A was not entitled to compensation merely for the fact of a contravention (Lloyd v Google, which applies equally to the GDPR – see [40]), but she clearly did suffer distress in these circumstances. What about causation of that distress? See [49]: “Clearly the Police’s disclosure to Luton was a “but for” cause. But that is not enough on its own. Consideration must be given to whether Ms Begum’s [the Council employee] actions broke the chain of causation”. Chamberlain J cited the relevant questions from Clerk & Lindsell on Torts:

“Was the intervening conduct of the third party such as to render the original wrongdoing merely a part of the history of events? Was the third party’s conduct either deliberate or wholly unreasonable? Was the intervention foreseeable? Is the conduct of the third party wholly independent of the defendant, i.e. does the defendant owe the claimant any responsibility for the conduct of that intervening third party?”

The facts here were certainly tangled: what ultimately hurt Ms A most was that her husband learnt of her disclosure. But that only happened because of the criminal acts of the Council employee. That intervening act broke the causal chain for the Council, and also for the Police: see [50]. It was not fair in these circumstances to fix the Police with the consequences of the actions of that Council employee.

That, however, was not the end of the matter: even without the disclosure by the Council employee to A’s husband, A “would still have suffered some distress if she had been made aware that her identity as the source of the information had been passed to Luton. The Police would have been responsible for that distress. I can see no reason why the Police should be better off than they would have been in that situation merely because of Ms Begum’s subsequent criminal disclosure” (at [51]). So the Police were causally liable for A’s distress to that extent.

As to quantum, Chamberlain J awarded A £3k for that distress, which he noted was “in the bottom half of the range of awards for “less severe psychiatric harm” in the Judicial College Guidelines for the Assessment of General Damages in Personal Injury Cases”.

The Police were liable for misuse of private information also. For that tort, the analysis of compensation differs in principle from that under the GDPR. See [53]: “a successful claimant is entitled to damages to compensate them for the loss or diminution of the right to control the use of their private information independently of any distress caused” (see Gulati and Lloyd). On these facts, however, £3k would have been the right sum to award for both misuse of private information and Article 8 ECHR also (though of course there is no doubling/tripling up for multiple successful heads of claim, so the overall award was £3k).

Robin Hopkins