Court of Appeal considers damages for privacy breaches – data protection to follow suit?

This week, the Court of Appeal is grappling with a difficult and important question: how do you value an invasion of privacy? In other words, where someone has suffered a breach of their privacy rights, how do you go about determining the compensation they should receive?

The appeal is brought by MGN against the judgment of Mann J in Gulati & Ors v MGN Ltd [2015] EWHC 1482 (Ch). That judgment concerned victims of blagging and phone-hacking (including Paul Gascoigne, Sadie Frost and Alan Yentob) for which Mirror Group Newspapers was held responsible.

Mann J awarded the claimants compensation ranging between £85,000 and £260,250. His judgment was ground-breaking, in part due to the size of those awards. (By way of comparison, the previous highest award in a privacy case had been made to Max Mosely, in the region of £60,000 – but most awards have been much lower).

It was also ground-breaking in terms of the methodology adopted to calculate quantum for privacy breaches. Here is how Mann J summarised the rival arguments (paragraph 108; I have underlined the components put forward by the claimants):

“… The case of the claimants is that the compensation should have several elements.  There is compensation for loss of privacy or “autonomy” resulting from the hacking or blagging that went on; there is compensation for injury to feelings (including distress); and there is compensation for “damage or affront to dignity or standing”.  The defendant disputes this and submits that all that can be compensated for is distress or injury to feelings…  It is accepted that such things as loss of autonomy are relevant, but only as causes of the distress which is then compensated for.  They are not capable of sustaining separate heads of compensation…”

As is clear from that synopsis, the debate is not just about money, observable cause-and-effect or hard-edged law. The debate also has difficult philosophical and ethical dimensions. It seems that neither society nor the law (which sometimes overlap) has yet got to the bottom of what it really means to have one’s privacy invaded.

In any event, Mann J certainly did his bit to progress that debate. He preferred the analysis of the claimants – hence the large awards they received. See for example his paragraphs 143-144:

“… The tort is not a right to be prevented from upset in a particular way.  It is a right to have one’s privacy respected.  Misappropriating (misusing) private information without causing “upset” is still a wrong.  I fail to see why it should not, of itself, attract damages.  Otherwise the right becomes empty, contrary to what the European jurisprudence requires.  Upset adds another basis for damages; it does not provide the only basis. I shall therefore approach the consideration of quantum in this case on the footing that compensation can be given for things other than distress, and in particular can be given for the commission of the wrong itself so far as that commission impacts on the values protected by the right.”

The Court of Appeal’s judgment in MGN’s appeal will have a huge impact on the size of awards in privacy cases, and thereby on the privacy litigation landscape itself. It will also no doubt contribute to our understanding of how 21st-century society values (or ought to value) privacy.

What impact will it have on compensation under section 13 of the Data Protection Act 1998?

As with privacy compensation, data protection compensation is having a revolutionary year: see the striking down of section 13(2) in Vidal-Hall v Google [2015] EWCA Civ 311. Traditionally, few people brought claims under section 13 DPA, because it was assumed that they could only be compensated for distress (their primary complaint) if they also suffered financial loss (which mostly they hadn’t). Vidal-Hall overturned that: you can be compensated for distress alone under section 13 DPA. This point will be considered by the Supreme Court next year, but for now, the removal of this barrier to successful section 13 claims is hugely important.

Another barrier, however, lingers: section 13 DPA awards tend to be discouragingly low, from a claimant’s perspective. See most crucially Halliday v Creation Consumer Finance [2013] EWCA Civ 333 (where an award for £750 was made): “the sum to be awarded should be of a relatively modest nature since it is not the intention of the legislation to produce some kind of substantial award. It is intended to be compensation…” (per Arden LJ at paragraph 36).

Increasingly, however, case law emphasises the intimate relationship between data protection and fundamental privacy rights: see for example Vidal-Hall, and last year’s ‘right to be forgotten’ judgment in the Google Spain case.

So, if Mann J’s wide, claimant-friendly approach to quantifying damages is upheld in the privacy context, how long before the same approach infiltrates data protection litigation?

Robin Hopkins @hopkinsrobin

Loss of personal data: £20k award upheld on appeal

If you breach your legal duties as regards personal data in your control, what might you expect to pay by way of compensation to the affected individual? The received wisdom has tended to be something along these lines. First, has the individual suffered any financial loss? If not, they are not entitled to a penny under s. 13 DPA. Second, even if they get across that hurdle, how much should they get for distress? Generally, not very much – reported awards have tended to be very low (in the low thousands at most).

All of that is very comforting for data controllers who run into difficulties.

That picture is, however, increasingly questionable. “Damage” (the precondition for any award, under s. 13 DPA) could mean something other than “financial loss” – other sorts of damage (even a nominal sort of damage) can, it seems, serve as the trigger. Also, provided the evidence is sufficiently persuasive, it seems that awards – whether under the DPA or at common law (negligence) – could actually be substantial.

These trends are evident in the judgment of the Court of Appeal of Northern Ireland in CR19 v Chief Constable of the Police Service of Northern Ireland [2014] NICA 54.

The appellant, referred to as CR19, was a police officer with the Royal Ulster Constabulary. Due to his exposure to some serious terrorist incidents, he developed Post-Traumatic Stress Disorder (PTSD); he also developed a habit of excessive alcohol consumption. He left the Constabulary in 2001. In 2002, there was a burglary at Castlereagh Police, apparently carried out on behalf of a terrorist organisation. Data and records on officers including CR19 were stolen.

The Constabulary admitted both negligence and a breach of the seventh data protection principle (failure to take appropriate technical and organisational measures). The issue at trial was the amount of compensation to which CR19 was entitled.

Note the losses for which CR19 sought compensation: he claimed that, as a result of the stress which that data loss incident caused him, his PTSD and alcohol problems worsened, he lost out on an employment opportunity and that his house had been devalued as a result of threats to the property and the package of security measures that had been implemented for protection.

The trial judge heard evidence from a number of parties, including medical experts on both sides. He found some aspects of CR19’s evidence unsatisfactory. Overall, however, he awarded CR19 £20,000 (plus interest) for the Constabulary’s negligence. He did not expressly deal with any award under s. 13 of the DPA.

CR19 appealed, saying the award was too low. His appeal was largely dismissed: the trial judge had been entitled to reach his conclusions on the evidence before him.

Further, the s. 13 DPA claim added nothing to the quantum. The Court of Appeal considered the cases of Halliday (a £750 award) and AB (£2,250) (both reported on Panopticon) and concluded as follows (para. 24):

“In this case we have earlier recorded that three eminent psychiatrists gave professional evidence as to the distress sustained by CR19 as a consequence of the break-in. While accepting that the breach and its consequences in this case are of a different order to the matters considered in Halliday or AB, we conclude that the damages for distress arising from the breach of the Data Protection Act must be considered to be subsumed into the judge’s award which, while rejected as too low by the appellant, was by no means an insignificant award. The assessment took account of the distress engendered by the breach of data protection. We cannot conceive of any additional evidence that might be relevant to any additional damages for distress in respect of breach of section 4. Accordingly, we affirm the award of compensation made by the learned trial judge. However, in view of Arden LJ’s reasoning in Halliday, we conclude that the appellant must in addition be entitled to nominal damages of £1.00 to reflect the fact that there was an admitted breach of section 4 of the Data Protection Act.”

Whilst it is not strictly correct to read the CR19 judgment as affirming a DPA award for £20,000 (that award was for negligence), the judgment is nonetheless interesting from a DPA perspective in a number of respects, including these:

(i) While it was conceded in Halliday that nominal damage suffices as “damage” for s. 13(1) purposes, that conclusion looks like it is being applied more widely.

(ii) One problem in Halliday (and to an extent also in AB) was the lack of cogent evidence supporting the alleged damage. The CR19 case illustrates how evidence, including expert medical evidence, can be deployed to effect in data breach cases (whether based on negligence or on the DPA).

(iii) Unlawful acts with respect to individuals’ personal information can, it seems, lead one way or another to a substantial award. The DPA may aim to offer relatively modest awards (so said the Court of Appeal in Halliday), but serious misuse or loss of personal data can nonetheless be very damaging, and the law will recognise and compensate for this where appropriate.

Robin Hopkins @hopkinsrobin

Section 13 DPA in the High Court: nominal damage plus four-figure distress award

Given the paucity of case law, it is notoriously difficult to estimate likely awards of compensation under section 13 of the Data Protection Act 1998 for breaches of that Act. It is also very difficult to assess any trends in compensation awards over time.

AB v MoJ [2014] EWHC 1847 (QB) is the Courts’ (Mr Justice Jeremy Baker) latest consideration of compensation under the DPA. The factual background involves protracted correspondence involving numerous subject access requests. Ultimately, it was held that the Defendant failed to provide certain documents to which the Claimant was entitled under section 7 of the DPA within the time frames set out under that section.

Personal data?

There was a dispute as to whether one particular document contained the Claimant’s ‘personal data’. Baker J noted the arguments from Common Services Agency, and he is not the first to observe (at his paragraph 50) that it is sometimes not a ‘straightforward issue’ to determine whether or not information comes within the statutory definition of personal data. Ultimately, he considered that the disputed document did not come within that definition: it “is in wholly neutral terms, and is indeed merely a conduit for the provision of information contained in the letters which it enclosed which certainly did contain the claimant’s personal data”.

Nonetheless, the DPA had been breached in virtue of the delays in the provision of other information to which the Claimant was entitled under section 7. What compensation should he be awarded?

Damage under section 13(1) DPA

Baker J was satisfied, having considered In Halliday v Creation Consumer Finance Limited [2013] EWCA Civ 333, [2013] 2 Info LR 85 (where the same point was conceded), that nominal damage sufficed as ‘damage’ for section 13(1) purposes: “In this regard the word “damage” in this sub-section is not qualified in any way, such that to my mind provided that there has, as in this case, been some relevant loss, then an individual who has also suffered relevant distress is entitled to an award of compensation in respect of it”.

Here the Court was satisfied that nominal damages should be awarded. The Claimant had spent a lot of time pursuing his requests, albeit that much of that time also involved pursuing requests on clients’ behalves, and albeit that no actual loss had been quantified:

“Essentially the claimant is a professional man who, it is apparent from his witness statement, has expended a considerable amount of time and expense in the pursuit of the disclosure of his and others’ data from various Government Departments and other public bodies, including the disclosed and withheld material from the defendant. Having said that, the claimant has not sought to quantify his time and expense, nor has he allocated it between the various requests on his own and others’ behalves. In these circumstances, although I am satisfied that he has suffered damage in accordance with s.13(1) of the DPA 1998, I consider that this is a case in which an award of nominal damages is appropriate under this head, which will be in the conventional sum of £1.00.”

Distress under section 13(2) DPA

That finding opened the door to an award for distress. The Court found that distress had been suffered, although it was difficult to disentangle his distress attributable to the breaches of the DPA from his distress as to the other surrounding circumstances: “doing the best I am able to on the evidence before me I consider that any award of compensation for distress caused as a result of the relevant delays in this case, should be in the sum of £2,250.00”.

Until this week, Halliday was the Courts’ last reported (on Panopticon at any rate) award of compensation under section 13 DPA. That was 14 months ago. In AB, the Court awarded precisely triple that sum for distress.

For a further (and quicker-off-the-mark) discussion of AB, see this post on Jon Baines’ blog, Information Rights and Wrongs.

Robin Hopkins @hopkinsrobin

Damages under section 13 DPA: Court of Appeal’s judgment in Halliday

I blogged a while ago about the ex tempore judgment from the Court of Appeal in a potentially groundbreaking case on damages under section 13 of the DPA, namely Halliday v Creation Consumer Finance [2013] EWCA Civ 333. The point of potential importance was that ‘nominal damages’ appeared to suffice for the purposes of section 13(1), thereby opening up section 13(2). In short, the point is that claimants under the DPA cannot be compensated for distress unless they have also suffered financial harm. A ‘nominal damages’ approach to the concept of financial harm threatened to make the DPA’s compensation regime dramatically more claimant-friendly.

The Court of Appeal’s full judgment is now available. As pointed out on Jon Baines’ blog, ground has not been broken: the ‘nominal damages’ point was a concession by the defendant rather than a determination by the Court. See paragraph 3 of the judgment of Lady Justice Arden:

“… this issue, which was the main issue of the proposed appeal to this court, is now academic as the respondent, CCF, concedes an award of nominal damages is “damage” for the purposes of the Directive and for the purposes of section 13(2) of the Data Protection Act 1998.”

Other potentially important points have also fallen somewhat flat. The question of whether UK law provided an adequate remedy for a breach of a right conferred by a European Directive fell away on the facts (“proof fell short in relation to the question of damage to reputation and credit”), while the provision for sanctions under Article 24 of Directive 95/46/EC was neither directly enforceable to Mr Halliday nor of assistance to him.

Still, the judgment is not without its notable points.

One is the recognition that compensation for harm suffered is a distinct matter from penalties for wrongdoing; the former is a matter for the courts in the DPA context, the latter a matter for the Information Commissioner and his monetary penalty powers. Such was the implication of paragraph 11:

“… it is not the function of the civil court, unless specifically provided for, to impose sanctions. That is done in other parts of the judicial system.”

Another point worth noting is Lady Justice Arden’s analysis of distress and the causation thereof. The distress must be caused by the breach, not by other factors such as (in this case) a failure to comply with a court order. See paragraph 20:

“Focusing on subsection (2), it is clear that the claimant has to be an individual, that he has to have suffered distress, and that the distress has to have been caused by contravention by a data controller of any of the requirements of the Act. In other words, this is a remedy which is not for distress at large but only for contravention of the data processing requirements. It also has to be distress suffered by the complainant and therefore would not include distress suffered by family members unless it was also suffered by him. When I say that it has to be caused by breach of the requirements of the Act, the distress which I accept Mr Halliday would have felt at the non-compliance of the order is not, at least directly, relevant because that is not distress by reason of the contravention by a data controller of the requirements of this Act. If the sole cause of the distress had been non-compliance with a court order, then that would have lain outside the Act unless it could be shown that it was in substance about the non-compliance with the Data Protection Act.”

The claimant had sought to draw an analogy with guidelines and banding for discrimination awards as set by Vento v Chief Constable of West Yorkshire Police [2013] 1 ICR 31. The Court of Appeal was not attracted. See paragraph 26:

“In answer to that point, the field of discrimination is, it seems to me, not a helpful guide for the purposes of data protection. Discrimination is generally accompanied by loss of equality of opportunity with far-reaching effects and is liable to cause distinct and well-known distress to the complainant.”

Finally, Lady Justice Arden commented as follows concerning the level of the compensation to be awarded on the facts of this case: “in my judgment the sum to be awarded should be of a relatively modest nature since it is not the intention of the legislation to produce some kind of substantial award. It is intended to be compensation, and thus I would consider it sufficient to render an award in the sum of £750” (paragraph 36).

Lord Justice Lloyd (who, along with Mr Justice Ryder agreed with Lady Justice Arden) did pause to think about a submission on this question ‘if you were so distressed, why did you not complain immediately?’, but concluded that (paragraph 47):

“I confess that I was somewhat impressed at one point by Mr Capon’s submission that it was a surprise, if Mr Halliday was so distressed by this contravention, that he did not immediately protest upon discovering, in response to his first credit reference enquiry, the fact of the contravention, and indeed he did not protest until about a month after the second report had been obtained. But I bear in mind, in response to that, Mr Halliday’s comment that he had had such difficulty in getting any sensible response, or indeed any response, out of CCF at the earlier stage, that it is perhaps less surprising that he did not immediately protest. In any event, the period in question is not a very lengthy one between his discovery of the contravention by his first reference request and his taking action in July. Accordingly, it does not seem to me that that is a matter that should be taken to reduce my assessment of the degree of distress that he suffered.”

Robin Hopkins