Quantifying Damages for Breach of Privacy

25 October 2016 by

TLT and others v Secretary of State for the Home Department [2016] EWHC 2217 (QB)

How do you quantify damages for data breaches? Is the distress caused by an accidental data breach comparable to phone-hacking? Should damages for distress be equivalent to damages for psychiatric injuries?

In October 2013, the Home Office published statistics on its family returns process, the means by which children with no right to remain in the UK are sent back to their country of origin. In addition to anonymised statistics uploaded onto the government website, the Home Office mistakenly uploaded the spreadsheet of raw data on which those statistics were based. That spreadsheet included personal details such as names and rough geographical locations of applicants for asylum or leave to remain, though not their addresses. The data was online for 13 days before being removed, but a number of IP addresses in the UK and abroad visited the relevant web page.  Those concerned were notified, and brought claims under the Data Protection Act 1998 and the common law tort of misuse of private information.

As far as privacy breaches go, this appears less sinister than having the contents of your private telephone conversations splashed across the front pages. But consider the effect on these individuals at a time when their residence status is uncertain. Taking one example, an Iranian man – referred to as TLT – had applied for leave to remain with his family. They had been told that a member of their family had been detained in Iran and questioned about them. They reasonably believed that the Iranian authorities would have looked at the published details and, as a result, they feared for their lives if they were returned to Iran, their security in the UK and their extended family in Iran. A significant issue is how to quantify ‘distress’ of that nature for the purposes of claims brought.

Judgment

It was not in dispute that the inadvertent publication of the information constituted misuse of private information and a breach of the first, second and seventh principles of the Data Protection Act. Neither was it in dispute that, following the Court of Appeal decision in Vidal-Hall v Google Inc [2015] EWCA Civ 311, a claimant can recover damages for ‘distress’ for such a breach.

But Mitting J’s judgment is interesting for two reasons. First, it tackled four questions which will provide guidance for similar claims in the future. Secondly, and perhaps more controversially, he considered the quantification of damages for individual breaches in this new and developing area of law.

  1. Can individuals who were not named in the data, but who were identifiable as family members, recover?

Simply, yes. Given that the data related to family asylum or leave to remain applications, Mitting J found that anyone with knowledge of the family would be able to identify the children and other family members from the lead applicant.

  1. Is there a level of distress which is below the threshold for the recovery of damages?

Again, and perhaps unsurprisingly, yes: the de minimis threshold which applies in personal injury cases also applies to data breaches.

  1. Should the courts take guidance from the damages awards in the phone-hacking cases – or, as Mitting J referred to them, “cases involving deliberate dissemination for gain by media publishers or individuals engaged in that trade, such as Max Clifford” [16]?

Without going into any detail, this idea was dismissed by Mitting J. The distress described by the claimants was comparable to a psychiatric injury suffered as a result of an actionable wrong.

  1. Can you recover damages for the loss of the right to control private information?

Yes – a claimant can recover for the loss of control of personal and confidential information but there is no separate and additional award. Rather, the judge takes it into account when making an award for distress.

Damages awards and Gulati

Mitting J made awards ranging from £2,500 to £12,500 for each claimant, using psychiatric and psychological damage cases as guideline comparators after carefully assessing the evidence of the applicants and the distress caused by the data breaches. In Gulati v MGN [2015] EWCA Civ 1291 – one of the phone-hacking cases – the Court of Appeal affirmed the principle that damages for non-pecuniary loss for the misuse of private information should have some “reasonable relationship” with damages for personal injury. Arden LJ explained the reason for this [61]:

“if there is no such consideration or relationship, the reasonable observer may doubt the logic of the law or form the view that the law places a higher value on a person’s right to privacy than it does on (say) a person’s lifelong disability as a result of another’s negligence, and this would bring the law into disrepute and diminish public confidence in the impartiality of the legal system.”

However, this rationale also undermines the very basis on which Mitting J made awards. A claimant in a psychiatric personal injury case must demonstrate that they have suffered a recognised psychiatric injury; simple distress is not sufficient. The awards in TLT take into account the loss of control of private information, but are predominantly awards for distress. None of the individuals were shown to have suffered a recognised psychiatric injury as a consequence of the publication of their details, yet their damages awards were made by comparison to those for recognised and diagnosed psychiatric injury.

In seeking consistency, this judgment sits uncomfortably with psychiatric damage cases. Was Arden LJ’s warning prophetic? If Mitting J’s approach is followed in the future, will the reasonable observer form the view that the law places a higher value on a person’s right to privacy than a lifelong disability?

Oliver Sanders and Michael Deacon of One Crown Office Row acted for the Defendants in this case. This blog post was written independently by Gideon Barth.

3 comments


  1. daveyone1 says:

    Reblogged this on World4Justice : NOW! Lobby Forum..

  2. […] via Quantifying Damages for Breach of Privacy — UK Human Rights Blog […]

  3. […] reviews precedent and the case itself here, and One Crown Office Row zoom in on the case itself here. This case did not involve conflict of laws, however I thought I would highlight it anyway, for it […]

Welcome to the UKHRB


This blog is run by 1 Crown Office Row barristers' chambers. Subscribe for free updates here. The blog's editorial team is:
Commissioning Editors: Darragh Coffey
Jasper Gold
Editorial Team: Rosalind English
Angus McCullough KC
David Hart KC
Martin Downs
Jim Duffy
Jonathan Metzer

Free email updates


Enter your email address to subscribe to this blog for free and receive weekly notifications of new posts by email.

Subscribe

Categories


Disclaimer


This blog is maintained for information purposes only. It is not intended to be a source of legal advice and must not be relied upon as such. Blog posts reflect the views and opinions of their individual authors, not of chambers as a whole.

Our privacy policy can be found on our ‘subscribe’ page or by clicking here.

Tags


Aarhus Abortion Abu Qatada Abuse Access to justice adoption ALBA Allison Bailey Al Qaeda animal rights anonymity Appeals Article 1 Protocol 1 Article 2 article 3 Article 4 article 5 Article 6 Article 7 Article 8 Article 9 article 10 Article 11 article 13 Article 14 Artificial Intelligence Asbestos assisted suicide asylum Australia autism benefits Bill of Rights biotechnology blogging Bloody Sunday brexit Bribery Catholicism Chagos Islanders Children children's rights China christianity citizenship civil liberties campaigners climate change clinical negligence Coercion common law confidentiality consent conservation constitution contempt of court Control orders Copyright coronavirus Coroners costs court of appeal Court of Protection covid crime Cybersecurity Damages Dartmoor data protection death penalty defamation deportation deprivation of liberty Detention diplomatic immunity disability disclosure Discrimination disease divorce DNA domestic violence duty of candour duty of care ECHR ECtHR Education election Employment Employment Law Employment Tribunal enforcement Environment Equality Act Ethiopia EU EU Charter of Fundamental Rights EU costs EU law European Court of Justice evidence extradition extraordinary rendition Family Fertility FGM Finance football foreign criminals foreign office France freedom of assembly Freedom of Expression freedom of information freedom of speech Gay marriage Gaza gender genetics Germany gmc Google Grenfell Health high court HIV home office Housing HRLA human rights Human Rights Act human rights news Huntington's Disease immigration India Indonesia injunction Inquests international law internet Inuit Iran Iraq Ireland Islam Israel Italy IVF Jalla v Shell Japan Japanese Knotweed Judaism judicial review jury trial JUSTICE Justice and Security Bill Land Reform Law Pod UK legal aid legality Leveson Inquiry LGBTQ Rights liability Libel Liberty Libya Lithuania local authorities marriage Maya Forstater mental capacity Mental Health military Ministry of Justice modern slavery monitoring music Muslim nationality national security NHS Northern Ireland nuclear challenges nuisance Obituary ouster clauses parental rights parliamentary expenses scandal Parole patents Pensions Personal Injury Piracy Plagiarism planning Poland Police Politics pollution press Prisoners Prisons privacy Private Property Professional Discipline Property proportionality Protection of Freedoms Bill Protest Public/Private public access public authorities public inquiries public law Regulatory Proceedings rehabilitation Reith Lectures Religion RightsInfo Right to assembly right to die right to family life Right to Privacy Right to Roam right to swim riots Roma Romania Round Up Royals Russia Saudi Arabia Scotland secrecy secret justice sexual offence sexual orientation Sikhism Smoking social media Social Work South Africa Spain special advocates Sports Standing statelessness Statutory Interpretation stop and search Strasbourg Supreme Court Supreme Court of Canada surrogacy surveillance Syria Tax technology Terrorism tort Torture travel treaty TTIP Turkey UK Ukraine UK Supreme Court unduly harsh united nations USA US Supreme Court vicarious liability Wales War Crimes Wars Welfare Western Sahara Whistleblowing Wikileaks Wild Camping wind farms WomenInLaw YearInReview Zimbabwe

Tags


Aarhus Abortion Abu Qatada Abuse Access to justice adoption ALBA Allison Bailey Al Qaeda animal rights anonymity Appeals Article 1 Protocol 1 Article 2 article 3 Article 4 article 5 Article 6 Article 7 Article 8 Article 9 article 10 Article 11 article 13 Article 14 Artificial Intelligence Asbestos assisted suicide asylum Australia autism benefits Bill of Rights biotechnology blogging Bloody Sunday brexit Bribery Catholicism Chagos Islanders Children children's rights China christianity citizenship civil liberties campaigners climate change clinical negligence Coercion common law confidentiality consent conservation constitution contempt of court Control orders Copyright coronavirus Coroners costs court of appeal Court of Protection covid crime Cybersecurity Damages Dartmoor data protection death penalty defamation deportation deprivation of liberty Detention diplomatic immunity disability disclosure Discrimination disease divorce DNA domestic violence duty of candour duty of care ECHR ECtHR Education election Employment Employment Law Employment Tribunal enforcement Environment Equality Act Ethiopia EU EU Charter of Fundamental Rights EU costs EU law European Court of Justice evidence extradition extraordinary rendition Family Fertility FGM Finance football foreign criminals foreign office France freedom of assembly Freedom of Expression freedom of information freedom of speech Gay marriage Gaza gender genetics Germany gmc Google Grenfell Health high court HIV home office Housing HRLA human rights Human Rights Act human rights news Huntington's Disease immigration India Indonesia injunction Inquests international law internet Inuit Iran Iraq Ireland Islam Israel Italy IVF Jalla v Shell Japan Japanese Knotweed Judaism judicial review jury trial JUSTICE Justice and Security Bill Land Reform Law Pod UK legal aid legality Leveson Inquiry LGBTQ Rights liability Libel Liberty Libya Lithuania local authorities marriage Maya Forstater mental capacity Mental Health military Ministry of Justice modern slavery monitoring music Muslim nationality national security NHS Northern Ireland nuclear challenges nuisance Obituary ouster clauses parental rights parliamentary expenses scandal Parole patents Pensions Personal Injury Piracy Plagiarism planning Poland Police Politics pollution press Prisoners Prisons privacy Private Property Professional Discipline Property proportionality Protection of Freedoms Bill Protest Public/Private public access public authorities public inquiries public law Regulatory Proceedings rehabilitation Reith Lectures Religion RightsInfo Right to assembly right to die right to family life Right to Privacy Right to Roam right to swim riots Roma Romania Round Up Royals Russia Saudi Arabia Scotland secrecy secret justice sexual offence sexual orientation Sikhism Smoking social media Social Work South Africa Spain special advocates Sports Standing statelessness Statutory Interpretation stop and search Strasbourg Supreme Court Supreme Court of Canada surrogacy surveillance Syria Tax technology Terrorism tort Torture travel treaty TTIP Turkey UK Ukraine UK Supreme Court unduly harsh united nations USA US Supreme Court vicarious liability Wales War Crimes Wars Welfare Western Sahara Whistleblowing Wikileaks Wild Camping wind farms WomenInLaw YearInReview Zimbabwe
%d bloggers like this: