Quantifying Damages for Breach of Privacy

25 October 2016 by

TLT and others v Secretary of State for the Home Department [2016] EWHC 2217 (QB)

How do you quantify damages for data breaches? Is the distress caused by an accidental data breach comparable to phone-hacking? Should damages for distress be equivalent to damages for psychiatric injuries?

In October 2013, the Home Office published statistics on its family returns process, the means by which children with no right to remain in the UK are sent back to their country of origin. In addition to anonymised statistics uploaded onto the government website, the Home Office mistakenly uploaded the spreadsheet of raw data on which those statistics were based. That spreadsheet included personal details such as names and rough geographical locations of applicants for asylum or leave to remain, though not their addresses. The data was online for 13 days before being removed, but a number of IP addresses in the UK and abroad visited the relevant web page.  Those concerned were notified, and brought claims under the Data Protection Act 1998 and the common law tort of misuse of private information.

As far as privacy breaches go, this appears less sinister than having the contents of your private telephone conversations splashed across the front pages. But consider the effect on these individuals at a time when their residence status is uncertain. Taking one example, an Iranian man – referred to as TLT – had applied for leave to remain with his family. They had been told that a member of their family had been detained in Iran and questioned about them. They reasonably believed that the Iranian authorities would have looked at the published details and, as a result, they feared for their lives if they were returned to Iran, their security in the UK and their extended family in Iran. A significant issue is how to quantify ‘distress’ of that nature for the purposes of claims brought.

Judgment

It was not in dispute that the inadvertent publication of the information constituted misuse of private information and a breach of the first, second and seventh principles of the Data Protection Act. Neither was it in dispute that, following the Court of Appeal decision in Vidal-Hall v Google Inc [2015] EWCA Civ 311, a claimant can recover damages for ‘distress’ for such a breach.

But Mitting J’s judgment is interesting for two reasons. First, it tackled four questions which will provide guidance for similar claims in the future. Secondly, and perhaps more controversially, he considered the quantification of damages for individual breaches in this new and developing area of law.

  1. Can individuals who were not named in the data, but who were identifiable as family members, recover?

Simply, yes. Given that the data related to family asylum or leave to remain applications, Mitting J found that anyone with knowledge of the family would be able to identify the children and other family members from the lead applicant.

  1. Is there a level of distress which is below the threshold for the recovery of damages?

Again, and perhaps unsurprisingly, yes: the de minimis threshold which applies in personal injury cases also applies to data breaches.

  1. Should the courts take guidance from the damages awards in the phone-hacking cases – or, as Mitting J referred to them, “cases involving deliberate dissemination for gain by media publishers or individuals engaged in that trade, such as Max Clifford” [16]?

Without going into any detail, this idea was dismissed by Mitting J. The distress described by the claimants was comparable to a psychiatric injury suffered as a result of an actionable wrong.

  1. Can you recover damages for the loss of the right to control private information?

Yes – a claimant can recover for the loss of control of personal and confidential information but there is no separate and additional award. Rather, the judge takes it into account when making an award for distress.

Damages awards and Gulati

Mitting J made awards ranging from £2,500 to £12,500 for each claimant, using psychiatric and psychological damage cases as guideline comparators after carefully assessing the evidence of the applicants and the distress caused by the data breaches. In Gulati v MGN [2015] EWCA Civ 1291 – one of the phone-hacking cases – the Court of Appeal affirmed the principle that damages for non-pecuniary loss for the misuse of private information should have some “reasonable relationship” with damages for personal injury. Arden LJ explained the reason for this [61]:

“if there is no such consideration or relationship, the reasonable observer may doubt the logic of the law or form the view that the law places a higher value on a person’s right to privacy than it does on (say) a person’s lifelong disability as a result of another’s negligence, and this would bring the law into disrepute and diminish public confidence in the impartiality of the legal system.”

However, this rationale also undermines the very basis on which Mitting J made awards. A claimant in a psychiatric personal injury case must demonstrate that they have suffered a recognised psychiatric injury; simple distress is not sufficient. The awards in TLT take into account the loss of control of private information, but are predominantly awards for distress. None of the individuals were shown to have suffered a recognised psychiatric injury as a consequence of the publication of their details, yet their damages awards were made by comparison to those for recognised and diagnosed psychiatric injury.

In seeking consistency, this judgment sits uncomfortably with psychiatric damage cases. Was Arden LJ’s warning prophetic? If Mitting J’s approach is followed in the future, will the reasonable observer form the view that the law places a higher value on a person’s right to privacy than a lifelong disability?

Oliver Sanders and Michael Deacon of One Crown Office Row acted for the Defendants in this case. This blog post was written independently by Gideon Barth.

3 comments


  1. daveyone1 says:

    Reblogged this on World4Justice : NOW! Lobby Forum..

  2. […] via Quantifying Damages for Breach of Privacy — UK Human Rights Blog […]

  3. […] reviews precedent and the case itself here, and One Crown Office Row zoom in on the case itself here. This case did not involve conflict of laws, however I thought I would highlight it anyway, for it […]

Comments are closed.

Welcome to the UKHRB


This blog is run by 1 Crown Office Row barristers' chambers. Subscribe for free updates here. The blog's editorial team is:
Commissioning Editor: Jonathan Metzer
Editorial Team: Rosalind English
Angus McCullough QC David Hart QC
Martin Downs
Jim Duffy

Free email updates


Enter your email address to subscribe to this blog for free and receive weekly notifications of new posts by email.

Subscribe

Categories


Tags


Aarhus Abortion Abu Qatada Abuse Access to justice adoption AI air pollution air travel ALBA Allergy Al Qaeda Amnesty International animal rights Animals anonymity Article 1 Protocol 1 Article 2 article 3 Article 4 article 5 Article 6 Article 8 Article 9 article 10 Article 11 article 13 Article 14 article 263 TFEU Artificial Intelligence Asbestos Assange assisted suicide asylum asylum seekers Australia autism badgers benefits Bill of Rights biotechnology blogging Bloody Sunday brexit Bribery British Waterways Board Catholic Church Catholicism Chagos Islanders Charter of Fundamental Rights child protection Children children's rights China christianity citizenship civil liberties campaigners civil partnerships climate change clinical negligence closed material procedure Coercion Commission on a Bill of Rights common law communications competition confidentiality consent conservation constitution contact order contact tracing contempt of court Control orders Copyright coronavirus coronavirus act 2020 costs costs budgets Court of Protection covid crime criminal law Cybersecurity Damages data protection death penalty defamation DEFRA deportation deprivation of liberty derogations Detention Dignitas diplomacy disability disclosure Discrimination disease divorce DNA domestic violence duty of care ECHR ECtHR Education election Employment Environment Equality Act Equality Act 2010 Ethiopia EU EU Charter of Fundamental Rights EU costs EU law European Convention on Human Rights European Court of Human Rights European Court of Justice evidence extradition extraordinary rendition Facebook Facial Recognition Family Fatal Accidents Fertility FGM Finance foreign criminals foreign office foreign policy France freedom of assembly Freedom of Expression freedom of information freedom of speech Gay marriage gay rights Gaza Gender genetics Germany Google Grenfell Gun Control Health HIV home office Housing HRLA human rights Human Rights Act human rights news Human Rights Watch Huntington's Disease immigration India Indonesia injunction Inquests insurance international law internet inuit Iran Iraq Ireland islam Israel Italy IVF ivory ban Japan joint enterprise judaism judicial review Judicial Review reform Julian Assange jury trial JUSTICE Justice and Security Bill Law Pod UK legal aid legal aid cuts Leveson Inquiry lgbtq liability Libel Liberty Libya lisbon treaty Lithuania local authorities marriage Media and Censorship mental capacity Mental Capacity Act Mental Health military Ministry of Justice modern slavery morocco murder music Muslim nationality national security naturism neuroscience NHS Northern Ireland nuclear challenges nuisance Obituary parental rights parliamentary expenses scandal patents Pensions Personal Injury physician assisted death Piracy Plagiarism planning planning system Poland Police Politics Pope press prison Prisoners prisoner votes Prisons privacy Professional Discipline Property proportionality prosecutions Protection of Freedoms Bill Protest Public/Private public access public authorities public inquiries quarantine Radicalisation rehabilitation Reith Lectures Religion RightsInfo right to die right to family life Right to Privacy right to swim riots Roma Romania round-up Round Up Royals Russia saudi arabia Scotland secrecy secret justice Secret trials sexual offence shamima begum Sikhism Smoking social media social workers South Africa Spain special advocates Sports Standing starvation statelessness stem cells stop and search Strasbourg super injunctions Supreme Court Supreme Court of Canada surrogacy surveillance sweatshops Syria Tax technology Terrorism tort Torture travel treason treaty accession trial by jury TTIP Turkey Twitter UK Ukraine universal credit universal jurisdiction unlawful detention USA US Supreme Court vicarious liability Wales War Crimes Wars Welfare Western Sahara Whistleblowing Wikileaks wildlife wind farms WomenInLaw Worboys wrongful birth YearInReview Zimbabwe

Disclaimer


This blog is maintained for information purposes only. It is not intended to be a source of legal advice and must not be relied upon as such. Blog posts reflect the views and opinions of their individual authors, not of chambers as a whole.

Our privacy policy can be found on our ‘subscribe’ page or by clicking here.

%d bloggers like this: