The English High Court has recently awarded damages in a data privacy case, with two features of particular interest.  First, the nature of the claim is more reminiscent of a claim in defamation than for data privacy breaches, which is a development in the use of data protection legislation.  Secondly, the damages awarded (perhaps influenced by the nature of the case) were unusually high for a data privacy case.

The decision highlights an unusual use of data protection in English law, as a freestanding form of quasi-defamation claim, as the claimants sought damages for reputational harm (as well as distress) solely under the Data Protection Act 1998 (the “DPA”, since replaced by the Data Protection Act 2018, which implemented the General Data Protection Regulation ((EU) 2016/679) (GDPR) in the UK) rather than in a libel or defamation claim, or in parallel with such a claim.  It also sets a potentially unhelpful precedent by awarding two of the claimants £18,000 each for inaccurate processing of their personal data, an amount that is significantly higher than has been awarded in other data protection cases brought under the DPA.  If such awards were to be made in the context of a class action, the potential liability for data controllers could be significant.

In short, the case relates to the so-called “Trump Dossier” (the “Dossier”), an intelligence memorandum prepared by Cristopher Steele, the principal of Orbis Business Intelligence Limited (“Orbis”), on links between Russia, Vladimir Putin and President Trump.  The claim was brought by three individuals named in the Dossier under the DPA.  The Dossier included allegations about the claimants, including that they or their organization (the Alfa Group) did “significant favours” for Mr. Putin, and were involved with “illicit cash.”

The claimants sought redress in the English court only under the DPA, for breaches of the First Principle (which requires processing of personal data be, inter alia, fair and lawful) and the Fourth Principle (which requires that data be accurate), and did not pursue defamation claims in the UK, though they have done so in the U.S.

Orbis denied that all of the data was personal data and that the allegation relating to “illicit cash” was sensitive personal data and further denied that the information was inaccurate.  It also relied, inter alia, on the provisions of the DPA that exempt processing (i) where it is necessary for the purpose of prospective legal proceedings, or obtaining legal advice, and (ii) where it is required to safeguard national security.

In his judgment, Mr. Justice Warby made the following findings:

  • By looking at the source as whole, interpreting as an ordinary reader would, the allegations made against the claimants were their personal data and the allegation regarding “illicit cash” was sensitive personal data as it was an allegation of a criminal offence, even though the Dossier did not identify a specific criminal offence.
  • Orbis could not rely wholly on either exemption in its compliance with data protection principles and therefore Orbis could not avoid liability for inaccurate processing where it could not show that it had taken reasonable steps to ensure its accuracy.
  • The principles established in defamation cases on the question of whether the data was fact or opinion were applicable, finding that the allegations (including the allegation regarding “illicit cash”) were factual and therefore could be verified.
  • For each of the allegations, apart from one, Orbis/Steele had taken reasonable steps to ensure their accuracy.  However, for the most serious allegation, regarding “illicit cash,” reasonable steps had not been taken to ensure accuracy as this allegation of serial criminal wrongdoing against two of the claimants had only a single source, was reliant on hearsay, and had not been adequately verified.

The judge concluded that Orbis was therefore liable for inaccurate processing of the allegation regarding “illicit cash”, and awarded £18,000 in compensation to each of the first and second claimants.  He found that the court was free to award damages for reputational harm in claims brought solely under the DPA, and adopted an approach to damages from the law of defamation, giving no consideration as to the award relative to other awards for distress in data protection cases, despite this award being significantly higher than awards in previous cases.

Print:
EmailTweetLikeLinkedIn
Photo of Louise Freeman Louise Freeman

Louise Freeman focuses on complex commercial disputes, and co-chairs the firm’s Commercial Litigation Practice Group. Described by Legal 500 as “one of London’s most effective partners,” Ms. Freeman helps clients to navigate challenging situations in a range of industries, including financial markets, technology…

Louise Freeman focuses on complex commercial disputes, and co-chairs the firm’s Commercial Litigation Practice Group. Described by Legal 500 as “one of London’s most effective partners,” Ms. Freeman helps clients to navigate challenging situations in a range of industries, including financial markets, technology and life sciences. Most of her cases involve multiple parties and jurisdictions, where her strategic, dynamic advice is invaluable.

Photo of Dan Cooper Dan Cooper

Daniel Cooper heads up the firm’s growing Data Privacy and Cybersecurity practice in London, and counsels clients in the information technology, pharmaceutical research, sports and financial services industries, among others, on European and UK data protection, data retention and freedom of information laws…

Daniel Cooper heads up the firm’s growing Data Privacy and Cybersecurity practice in London, and counsels clients in the information technology, pharmaceutical research, sports and financial services industries, among others, on European and UK data protection, data retention and freedom of information laws, as well as associated information technology and e-commerce laws and regulations. Mr. Cooper also regularly counsels clients with respect to Internet-related liabilities under European and US laws. Mr. Cooper sits on the advisory boards of a number of privacy NGOs, privacy think tanks, and related bodies.

Photo of Katharine Kinchlea Katharine Kinchlea

Katharine Kinchlea’s practice focuses on data protection, information technology and trade laws, and encompasses regulatory compliance and policy advisory work.