English High Court awards nominal damages for distress arising from a personal data breach "at the lowest end of the spectrum"
The High Court has confirmed its position as to the award of damages for distress arising out of a personal data breach which was "at the lowest end of the spectrum" – Driver v CPS.
Summary
As the number of personal data breaches in the UK continues to increase, it is important to consider the extent to which a personal data breach will be considered by the Courts to have caused loss or distress to a claimant, so as to justify monetary compensation.
Driver -v- CPS [2022] EWHC 2500 (KB) is the latest case in a series of authorities which considers the de minimis threshold limit above which compensation may be due for distress arising out of a personal data breach. Following the reasoning in Lloyd -v- Google [2018] & [2021], TLT and others -v- Secretary of State for the Home Department [2016] and most recently in Rolfe & Others -v- Veale Wasbrough Vizards LLP [2021] EWHC 2809 (QB), Justice Knowles held that the Claimant's claim for distress arising out of a personal data breach was made out, but fell "at the lowest end of the spectrum", and therefore only justified damages in the sum of GBP250.
Driver v CPS
Background
The Claimant, Mr Driver, a well-known local politician, was treated initially as a suspect in a police investigation concerning alleged corruption in local government.
In 2016, Mr Driver was notified by the Police that he was no longer a suspect, after which he issued a press release confirming the same. Despite the notification from the Police, the criminal investigation continued and Mr Driver, amongst others, was arrested on suspicion of conspiring to pervert the course of justice.
In 2019, the Crown Prosecution Service (CPS) sent an email to a member of the public in response to a request for an update on the investigation. That email confirmed inter alia that: "[a] charging file has been referred […] to the CPS for consideration". The recipient proceeded to forward that email to several journalists and Mr Driver's political opponents.
Mr Driver claimed that the CPS' email enabled Mr Driver to be identified as the suspect to be charged. On this basis, Mr Driver asserted that the CPS' email: (i) constituted unlawful processing of his personal data contrary to the UK GDPR and/or the Data Protection Act 2018 (DPA 2018); and/or (ii) was a misuse of his private information; and as a result, (iii) caused him significant distress.
High Court Decision
Justice Knowles awarded judgment, in part, for Mr Driver on the basis that the CPS' email constituted an unlawful processing of his personal data. In circumstances where Mr Driver's status as a suspect was already in the public domain, the Court was satisfied that the CPS' email allowed for his identification as one of those individuals in relation to whom a charging decision was to be made.
However, when determining damages and the de minimis threshold, the High Court determined that GBP250 was an adequate award for this data breach, which was, on any analysis, "at the lowest end of the spectrum".
Unlawful processing of personal data
The Court held that Mr Driver's data protection claim was governed by the DPA 2018, not the UK GDPR. Insofar as the CPS' email involved the processing of the claimant's personal data for law enforcement purposes, law enforcement processing was excluded from the scope of the UK GDPR.
The Court determined that the CPS, in sending the email, had breached its duties to comply with several of the data protection principles set out in the DPA 2018, namely:
(a) section 35(1), DPA 2018, which requires any processing caried out for law enforcement purposes to be lawful and fair. The CPS failed to prove that such processing was necessary to the law enforcement in question, particularly in circumstances where the data subject had not consented to the processing;
(b) section 36(1)(b), DPA 2018, which mandates that personal data must not be processed in a manner that is incompatible with the purpose for which it was collected. The CPS were adjudged to have processed Mr Driver's data in a way that was incompatible with the purpose for which it had been collected (i.e., for the purposes of the criminal investigation); and
(c) section 40, DPA 2018, which requires that personal data processed for any law enforcement purposes must be processed in a manner that ensures appropriate security of the personal data, using appropriate technical or organisational measures. Justice Knowles found that the CPS had no policy in place for dealing with enquiries by individuals about ongoing criminal investigations, and accordingly, the processing was adjudged to have not been carried out in a secure manner.
Distress
Mr Driver alleged that he had suffered significant distress as a result of the CPS' email.
Whilst Justice Knowles accepted that Mr Driver had consulted his GP in 2020, he was unable to conclude that this was as a result of the CPS' email, rather than, for example, the stress of having been under police investigation, by then, for six years. Further, Justice Knowles determined that the email did nothing more than simply repeat what had already been in the public domain.
Justice Knowles held that while "the Claimant would have experienced a very modest degree of distress upon discovering that the CPS' email had been sent to political opponents and the media […] in an effort (as [the judge] finds) to embarrass him", it could not have "reasonably or properly have caused him anything like the level of anguish which he claimed."
Justice Knowles concluded that "[g]iven all of the circumstances, I consider that this data breach was at the lowest end of the spectrum" and awarded damages in the sum of GBP250.
Misuse of private information
The CPS' email was held not to be a misuse of private information as it did not contain information in respect of which Mr Driver had a reasonable expectation of privacy. Although the suspect in a criminal investigation had a reasonable expectation of privacy, Mr Driver could have no such expectation as the investigation had been ongoing for several years and had been widely reported. As discussed above, Mr Driver had himself issued a press release identifying himself as a suspect.
Justice Knowles concluded that Mr Driver had therefore waived his right to privacy in respect of any information relating to the police investigation. Further, the press coverage meant that the minimal disclosure in the CPS' email added little to what was already public knowledge.
Comment
The landmark decision in Lloyd -v- Google Inc [2018] EWHC 2599 (QB) & [2021] UKSC 50 determined that "not everything that happens to a person without their prior consent causes significant or any distress". This made it clear that there is no award of compensation where an infringement is trivial or de minimis.
Following the recent High Court decision in Rolfe & Others -v- Veale Wasbrough Vizards LLP, Driver again re-iterates the Court's desire to dissuade data breach claims which sit on the precipice of the de minimis threshold of seriousness.
In our view, this decision could act to further limit the level of compensation that claimants can seek in such claims. Indeed, insofar as distress exceeding the threshold can be evidenced, Driver indicates that only a nominal sum of damages will be awarded for claims sitting at the lower end of the spectrum.
