Data Breach Damages For ‘Very Modest’ Distress? In the UK?

No comments

Last week, the High Court ordered the Crown Prosecution Service (CPS) to pay £250 in damages to an ex-Conservative council leader who experienced “a very modest degree of distress” following a data breach.

The judgment may surprise UK data protection observers, some of whom saw last April’s Supreme Court case, Lloyd v Google, as signalling bad news for claimants hoping to recover data protection damages in court.

And while the compensation is small, the case serves as a reminder that data protection litigation—even where no financial losses are involved—should be a consideration for UK organisations.

Data Breach Damages For ‘Very Modest’ Distress In the UK

The ‘charging file’

The case was brought by a long-serving member of Lancashire County Council named Geoffrey Driver after the CPS disclosed details of an ongoing fraud investigation in an email to a member of the public.

The fraud investigation, codenamed “Operation Sheridan”, began in 2014 following allegations of corruption among several council members and was followed extensively by the local press.

In 2016, Driver was “completely exonerated” and excluded from the investigation. However, the following year, he faced allegations that he had conspired to pervert the course of justice.

Lancashire Police referred the case to the CPS in August 2018, meaning that the CPS was to decide whether to bring charges against Driver or any of the other people involved.

Ten months later, Paul Graham, a member of the public who was not involved in the investigation but who supposedly had an “axe to grind” about Driver, asked the CPS for an update on Operation Sheridan.

A CPS lawyer emailed Graham confirming that a “charging file” had been referred to the CPS for consideration. Driver took the CPS to court as a result of this email.

Did a data breach occur?

The CPS initially admitted to Driver that sending the email did constitute a data breach.

The CPS considered referring the matter to the Information Commissioner’s Office (ICO) but decided that the breach was not sufficiently serious.

However, by the time of the court case, the CPS had resiled from this claim, arguing instead that the email did not contain Driver’s personal data.

The court did not accept this argument.

While the email did not contain any direct identifiers, the court decided that it did contain personal data as it enabled the recipient to identify Driver as one of the people mentioned in the “charging file”.

Was this a GDPR claim?

Another question for the court was whether any processing of personal data fell was done for law enforcement purposes.

This is important because Article 2(2)(d) of the GDPR excludes processing for law enforcement purposes, which is instead covered by another data protection law, the EU Law Enforcement Directive (LED).

The court determined that the relevant law was the LED, which was implemented in the UK via Parts 1 and 3 of the Data Protection Act 2018. The CPS is a “competent authority” under the DPA 2018.

The case therefore proceeded under the LED rather than the GDPR. However, for our purposes, there is little material difference between the two laws.

Was sending the email lawful?

The CPS, while still denying that it had processed any personal data, maintained that even if the email had contained personal data, the sending of the email would have been lawful.

This defence partly rested on the argument that any processing of personal data would have been necessary for law enforcement purposes—and that, besides this, the details about Operation Sheridan were in the public domain

Driver alleged that the CPS violated the first, second and sixth of the LED’s “data protection principles”, which differ slightly from the principles under the GDPR:

The first principle states that processing for law enforcement purposes must be lawful and fair” (note a difference from the GDPR—no “transparent”). This principle also states that processing for law enforcement purposes is only lawful if either:
- The data subject has given consent for that purpose
- The processing is “necessary for the performance of a task carried out for that purpose by a competent authority”

The second principle is similar to the GDPR’s “purpose specification” principle. The important elements here are that:
- Personal data must be collected for a “specified, explicit and legitimate” law enforcement purpose
- Personal data may be processed for any other law enforcement processing so long as the controller is authorised by law and the processing is “necessary and proportionate”
The sixth principle requires that personal data processed for law enforcement purposes is kept secure

The court found that the CPS had violated all three of these principles.

The main issue was that the sending of the email to a member of the public was not “necessary” for any law enforcement purpose. Obviously, Driver had also not provided consent.

The court also found that the CPS did not have any processes in place that would have prevented the sending of the email. This was deemed to violate the LED’s sixth principle (security).

Did the CPS violate Driver’s human rights or misuse his private information?

While we are focusing on the claimant’s data protection claims, it is worth noting that Driver also alleged that the CPS had broken two other laws.

Driver claimed that the CPS had violated Article 8 of the Human Rights Act 1998 (the “right to respect for private and family life”) and also engaged in the tort of “misuse of private information”.

Unlike Driver’s data protection claims, his claims in human rights and tort law did not succeed.

In relation to the allegation of misuse of private information, the court found that Driver had no reasonable expectation of privacy concerning the details of Operation Sheridan, as much of the information was in the public domain.

Note that, in contrast, the issue of public availability was not deemed directly relevant to the data protection claim.

The human rights claim was subject to a 12-month limitation period which had expired—but could have been extended at the court’s discretion.

However, having established that Driver had no reasonable expectation of privacy in the misuse of private information claim, the judge declined to extend this period. Therefore, the human rights claim also failed.

Distress and data protection litigation

Both the GDPR and the LED require EU member states (which, of course, once included the UK) to enable data subjects to be compensated if they have “suffered material or non-material damage as a result of an unlawful processing operation”.

This is dealt with in the UK via the DPA 2018, Section 169 of which covers “compensation for contravention of other data protection legislation” (in this case, Part 3 of the DPA which implements the LED).

Section 168(1) of the DPA 2018 specifies that “‘non-material damage’ includes distress”.

However, there has been considerable discussion recently regarding what constitutes compensatable distress under the GDPR.

Firstly, it is worth noting that the landmark Supreme Court case of Lloyd v Google did have significant implications for those hoping to claim damages for data protection violations in the UK. However, the case is not directly relevant here.

Lloyd was a class action claim, and the claimants did not cite distress but “loss of control” of their personal data.

Secondly, an Opinion from EU Advocate General earlier this month considered the threshold for non-material damages under the GDPR, stating that “annoyance” or “upset” did not qualify.

This Opinion is worth noting in the present context but is not binding in the UK (or even in the EU, where the matter will be dealt with at the Court of Justice).

Did the claimant suffer “non-material” damage as a result of his distress?

Driver’s claim for distress, while successful, was relatively weak due to a number of factors.

The claimant’s distress claim mostly hinged on the use of the words “charging file” in the CPS’s email, which he wrongly interpreted as implying that he had been charged with an offence. The judge did not consider this interpretation to be reasonable.

To support his claim for distress, the claimant cited the fact that he visited his doctor in 2020 and was prescribed anti-anxiety medication.

The judge saw no evidence that the data breach was the specific cause of Driver’s anxiety “rather than… the stress of having been under police investigation, by then, for six years or so.”

The claimant also lacked medical evidence and chose not to pursue a claim for personal injury as part of his “misuse of private information” claim.

The judge was also sceptical of Driver’s claims about the extent of his distress, denying that the data breach could have reasonably caused the claimant “anything like the level of anguish which he claimed”.

Nonetheless, the court awarded Driver damages of £250—a very small sum, but a reminder of the risk of data protection litigation for UK organisations.