TLT and others v Secretary of State for the Home Department  EWHC 2217 (QB)
How do you quantify damages for data breaches? Is the distress caused by an accidental data breach comparable to phone-hacking? Should damages for distress be equivalent to damages for psychiatric injuries?
In October 2013, the Home Office published statistics on its family returns process, the means by which children with no right to remain in the UK are sent back to their country of origin. In addition to anonymised statistics uploaded onto the government website, the Home Office mistakenly uploaded the spreadsheet of raw data on which those statistics were based. That spreadsheet included personal details such as names and rough geographical locations of applicants for asylum or leave to remain, though not their addresses. The data was online for 13 days before being removed, but a number of IP addresses in the UK and abroad visited the relevant web page. Those concerned were notified, and brought claims under the Data Protection Act 1998 and the common law tort of misuse of private information.
As far as privacy breaches go, this appears less sinister than having the contents of your private telephone conversations splashed across the front pages. But consider the effect on these individuals at a time when their residence status is uncertain. Taking one example, an Iranian man – referred to as TLT – had applied for leave to remain with his family. They had been told that a member of their family had been detained in Iran and questioned about them. They reasonably believed that the Iranian authorities would have looked at the published details and, as a result, they feared for their lives if they were returned to Iran, their security in the UK and their extended family in Iran. A significant issue is how to quantify ‘distress’ of that nature for the purposes of claims brought.
It was not in dispute that the inadvertent publication of the information constituted misuse of private information and a breach of the first, second and seventh principles of the Data Protection Act. Neither was it in dispute that, following the Court of Appeal decision in Vidal-Hall v Google Inc  EWCA Civ 311, a claimant can recover damages for ‘distress’ for such a breach.
But Mitting J’s judgment is interesting for two reasons. First, it tackled four questions which will provide guidance for similar claims in the future. Secondly, and perhaps more controversially, he considered the quantification of damages for individual breaches in this new and developing area of law.
- Can individuals who were not named in the data, but who were identifiable as family members, recover?
Simply, yes. Given that the data related to family asylum or leave to remain applications, Mitting J found that anyone with knowledge of the family would be able to identify the children and other family members from the lead applicant.
- Is there a level of distress which is below the threshold for the recovery of damages?
Again, and perhaps unsurprisingly, yes: the de minimis threshold which applies in personal injury cases also applies to data breaches.
- Should the courts take guidance from the damages awards in the phone-hacking cases – or, as Mitting J referred to them, “cases involving deliberate dissemination for gain by media publishers or individuals engaged in that trade, such as Max Clifford” ?
Without going into any detail, this idea was dismissed by Mitting J. The distress described by the claimants was comparable to a psychiatric injury suffered as a result of an actionable wrong.
- Can you recover damages for the loss of the right to control private information?
Yes – a claimant can recover for the loss of control of personal and confidential information but there is no separate and additional award. Rather, the judge takes it into account when making an award for distress.
Damages awards and Gulati
Mitting J made awards ranging from £2,500 to £12,500 for each claimant, using psychiatric and psychological damage cases as guideline comparators after carefully assessing the evidence of the applicants and the distress caused by the data breaches. In Gulati v MGN  EWCA Civ 1291 – one of the phone-hacking cases – the Court of Appeal affirmed the principle that damages for non-pecuniary loss for the misuse of private information should have some “reasonable relationship” with damages for personal injury. Arden LJ explained the reason for this :
“if there is no such consideration or relationship, the reasonable observer may doubt the logic of the law or form the view that the law places a higher value on a person’s right to privacy than it does on (say) a person’s lifelong disability as a result of another’s negligence, and this would bring the law into disrepute and diminish public confidence in the impartiality of the legal system.”
However, this rationale also undermines the very basis on which Mitting J made awards. A claimant in a psychiatric personal injury case must demonstrate that they have suffered a recognised psychiatric injury; simple distress is not sufficient. The awards in TLT take into account the loss of control of private information, but are predominantly awards for distress. None of the individuals were shown to have suffered a recognised psychiatric injury as a consequence of the publication of their details, yet their damages awards were made by comparison to those for recognised and diagnosed psychiatric injury.
In seeking consistency, this judgment sits uncomfortably with psychiatric damage cases. Was Arden LJ’s warning prophetic? If Mitting J’s approach is followed in the future, will the reasonable observer form the view that the law places a higher value on a person’s right to privacy than a lifelong disability?
Oliver Sanders and Michael Deacon of One Crown Office Row acted for the Defendants in this case. This blog post was written independently by Gideon Barth.