The English High Court has recently awarded damages in a data privacy case, with two features of particular interest1. First, the nature of the claim is more reminiscent of a claim in defamation than for data privacy breaches, which is a development in the use of data protection legislation. Secondly, the damages awarded (perhaps influenced by the nature of the case) were unusually high for a data privacy case.
In this alert, we look at the background to the case and explore these noteworthy features and other aspects of the case that data controllers should be aware of.
The case relates to the so-called "Trump Dossier" (the "Dossier"), an intelligence memorandum prepared by Cristopher Steele, the principal of Orbis Business Intelligence Limited (" Orbis"), on links between Russia, Vladimir Putin and President Trump. It was brought under the Data Protection Act 1998 (the "DPA", since replaced by the Data Protection Act 2018, which implemented the General Data Protection Regulation ((EU) 2016/679) (GDPR) in the UK) by Petr Aven, Mikhail Fridman and German Khan, seeking damages and other remedies from Orbis for inaccurate, unlawful or unfair processing of personal data.
Orbis was instructed, on behalf of individuals in the Democratic Party, to prepare the Dossier. It included allegations about the claimants, including that they or their organisation (the Alfa Group) did "significant favours" for Mr Putin, and were involved with "illicit cash".
Though the claimants have pursued defamation or libel cases against Orbis and/or Mr Steele in the US, some of which are still ongoing, they did not bring such a claim in the UK. Instead, they sought redress in the English court only under the DPA, for breaches of the First Principle (which requires processing of personal data be, inter alia, fair and lawful) and the Fourth Principle (which requires that data be accurate).
In its defence, Orbis denied that all of the data was personal data and that the allegation relating to "illicit cash" was sensitive personal data and further denied that t he information was inaccurate. It also relied, inter alia, on the provisions of the DPA that exempt processing
(i) where it is necessary for the purpose of prospective legal proceedings, or obtaining legal advice (the "Legal Purposes Exemption")), and (ii) where it is required to safeguard national security (the "National Security Exemption").
In his judgment, Mr Justice Warby made the following findings:
- That the allegations made against the claimants were their personal data and the allegation regarding "illicit cash" was sensitive personal data as it was an allegation of a criminal offence, even though the Dossier did not identify a specific criminal offence. He reached this conclusion by finding that the correct approach is to look at the source as a wh ole, rather than splitting out each sentence, and when interpreting specific elements, doing so as they would be interpreted by an ordinary reader.
- On the facts, the Legal Purposes Exemption was met; however, although Orbis was exempt from the requirement to notify the claimants, the Fourth Principle still applied. The Legal Purposes Exemption is a not a wholesale exemption for a data controller from complying with the data protection principles. Therefore, Orbis could not avoid liability for inaccurate processing where it could not show that it had taken reasonable steps to ensure its accuracy.
- Similarly, the National Security Exemption did exempt the data controller from any notification requirements, but did not relieve liability in respect of the Fir st and Fourth Principles.
- The principles established in defamation cases on the question of whether the data was fact or opinion were applicable, finding that the allegations (including the allegation regarding "illicit cash") were factual and therefore could be verified.
- For each of the allegations, apart from one, Orbis/Steele had taken reasonable steps to ensure their accuracy. However, for the most serious allegation, regarding "illicit cash", reasonable steps had not been taken to ensure accuracy as this allegation of serial criminal wrongdoing against two of the claimants had only a single source, was reliant on hearsay and had not been adequately verified.
The judge concluded that Orbis was therefore liable for inaccurate processing of the allegati on regarding "illicit cash", and awarded 18,000 in compensation to each of the first and second claimants. He found that the court was free to award damages for reputational harm in claims brought solely under the DPA, and adopted an approach to damages from the law of defamation. He also found that the claimants had suffered distress, despite "each of the claimants [being] a robust character, not given to undue self-pity". Moreover, no consideration was given to the award relative to other awards for distress in data protection cases, despite this award being significantly higher than awards in previous cases.
The decision highlights an unusual use of data protection in English law, as a freestanding form of quasi-defamation claim, as the claimants sought damages for reputational harm (as well as distress) solely under the DPA rather than in a libel or defamation claim, or in parallel with such a claim. It also sets a potentially unhelpful precedent by awarding two of the claimants 18,000 each for inaccurate processing of their personal data, an amount that is significantly higher than has been awarded in other data protection cases brought under the DPA. If such awards were to be made in the context of a class action, the potential liability for data controllers could be significant. The outcome of the Supreme Court appeal in Lloyd v Google is keenly awaited as to whether such actions can be brought in England (see our update here).