Damages for Data Protection Act breaches

The High Court has recently awarded £250 for a DPA breach at the “lowest end of spectrum”. Robin Hopkins analyses the ruling.

Just about anyone who works in data protection will probably have asked, or have been asked: what do courts tend to award claimants who suffer data breaches? They will probably also be used to an answer along the lines that ‘it’s quite difficult to say; there isn’t very much case law’. Last week’s judgment of Knowles J in Driver v Crown Prosecution Service [2022] EWHC 2500 (KB) is a helpful contribution to this limited line of authority.

Mr Driver is a well-known figure in local politics in Lancashire. He was a suspect in a police investigation into local government corruption (Operation Sheridan) in 2014, but was told in 2016 that he was no longer a suspect. He made press statements about that fact. However, he was subsequently investigated again under the same police operation, this time for suspected fraud and witness intimidation. A file on him and several others was passed to the CPS to consider possible charges.

In June 2019, in response to an enquiry from a member of the public (who apparently had an axe to grind against the claimant), a CPS official sent an email that did not name the claimant (or anyone else) but said this: “A charging file has been referred from the Operation Sheridan investigation team to the CPS for consideration”. The recipient later communicated the contents of that email, together with commentary of his own (in which he named Mr Driver) to some others – including, curiously, Jeremy Vine – though there was no evidence that anyone took notice of that email.

Mr Driver, however, did take notice. He took issue with the CPS email of June 2019, which he said caused him distress and so on. Upon his claim, the High Court determined a number of issues of interest.

First, the Court was satisfied that this was not a GDPR claim, but that it instead fell within the law enforcement provisions of the DPA 2018. The making of a statement about charging constituted processing for law enforcement purposes within the meaning of section 31 DPA 2018 (see [89]-[90]).

Secondly, though the CPS named nobody, and referred to a multi-suspect investigation, it was nonetheless held to contain Mr Driver’s personal data. See this conclusion at [101] (my emphasis), following the Judge’s survey of the relevant authorities on the “personal data” issue:

“I have no doubt that the June 2019 email contained the Claimant’s personal data in as much as it indirectly allowed him to be identified as one of the people in relation to whom a file had been sent to the CPS for a charging decision. This is so whether one takes the ‘biographical approach’ or the ‘obviously about’ approach discussed in Ittihadieh. For anyone, for the police to send a file of evidence about them (whether alone, or with others) for a decision on charge, is a significant life event which very much has him or them as its focus. Ms Khan was right to say the mention of Operation Sheridan in the email was an ‘identifier’. The Claimant accepts that the email in question did not contain his name, however Operation Sheridan only had eight suspects, including the Claimant. The fact that the Claimant was a suspect in Operation Sheridan was already in the public domain at the time of the sending of the email, as I have said, and had been so since March 2016. Personal data can relate to more than one person and does not have to relate exclusively to one data subject, particularly when the group referred to is small.”

This analysis – along with that of Judge Jacobs in the Spivack case last year – is a notable recent application of apparently settled principles to unusual factual matrices.

Thirdly, the CPS initially (i.e. before litigation was afoot) admitted that sending the email constituted a data breach but then argued to the contrary. Knowles J found against them.

There was a breach of the first data protection principle (lawful processing, under the law enforcement provisions of the DPA 2018), as no lawful processing condition could be relied upon to justify the sending of the email. Following another survey of relevant authorities (though one that at times seemed to tilt the analysis in the “strict necessity” direction, which would be questionable on this issue), the Judge reached this conclusion (at [116]):

“I agree with the Claimant’s submission that whilst the Defendant has put forward this purported justification that it had a legitimate purpose of maintaining public confidence in the investigation and prosecution of crime, it has failed to show that there was any necessity – any pressing social need – for this member of the public, on this occasion, to be updated about the case in the way that Ms Graham updated Mr Graham, which resulted in him attempting to (I infer) harm or embarrass the Claimant politically, including by attempting to bring the existence of a charging file to national media attention.”

In this regard, the Judge considered that the recipient of the CPS’ email was arguably a meddlesome busybody without a legitimate interest in receiving this personal data of Mr Driver.

The second data protection principle (purpose limitation) had also been contravened, for the same reasons. So had the sixth (data security), as per the CPS’ initial admission.

Fourthly, the claim for misuse of private information failed. The Judge set out a helpful survey of the relevant authorities, and concluded that this claim failed at the first stage of the McKennitt v Ash principles, i.e. Mr Driver had no reasonable expectation of privacy in respect of the content of the CPS’ email that revealed the fact that it had received and was considering a “charging file”. This was because that fact was already in the public domain through a number of sources: press articles, a separate court judgment, and Mr Driver’s own press release that linked him to an earlier stage of this investigation. See [156]:

“At bottom, this was a very limited disclosure to people who were, I find, overwhelmingly likely already to have known what the situation was, because of earlier widespread reporting. The CPS email therefore added little or nothing to that which was already known. Mr Adams described the disclosure as ‘minimal’, and I am inclined to agree with that description.”

Fifthly, as to remedy, the Judge made a declaration, and also awarded Mr Driver compensation. He was not overly impressed with Mr Driver’s account of what the sending of this email had caused him to suffer, but added that ([168]):

“I am prepared to accept that the Claimant would have experienced a very modest degree of distress upon discovering that the CPS’s email had been sent to political opponents and the media by someone who had a grievance against him in an effort (as I find) to embarrass him. But for the reasons I have given I reject his evidence that it represented some fundamental sea-change in the complexion or likely outcome of Operation Sheridan, such that it could reasonably or properly have caused him anything like the level of anguish which he claimed…”

The conclusion was that ([169]): “Given all of the circumstances, I consider that this data breach was at the lowest end of the spectrum. Taking all matters together in the round, I award the Claimant damages of £250”.

So, quite a lot going on in this judgment – and lots of interesting issues as to how it fits with and develops previous lines of authority – but the most interesting point is probably that bottom line of £250 for a “lowest end of spectrum” data breach that did not involve information with any privacy connotations.

Robin Hopkins is a barrister at 11KBW. This article first appeared in the set’s Panopticon blog.