In the case of Driver v CPS the UK High Court awarded a significantly low amount of damages for minor distress suffered as the result of an infringement of data protection rules. Although this case was decided in the autumn of last year it serves as a useful reminder that courts continue to push back on data compensation cases. This article sets out highlights of the ruling.
What’s this all about?
The individual in question was a local politician who had been under police investigation for some time as part of a much publicised anti-corruption operation. Although the individual had never actually been named publicly by the police in their investigation there was plenty of material in the public domain linking the individual to the investigation.
When the investigation was concluded the police provided their file to the Crown Prosecution Service (the CPS) to decide whether to bring criminal charges against eight suspects, including the individual in question. A member of the public with no connection to either the individual or the investigation sent an email to the CPS requesting an update about the case. The CPS responded by email to the member of the public stating that the CPS had received “a charging file” for the CPS’ “consideration” – the individual in question was not named or referred to in the CPS’ email. The member of the public in question later disseminated this response to various politicians and journalists, copying in the individual in question.
The individual in question complained to the CPS about this who stated that their action in sending their email constituted a data breach, for which they apologised. The individual then brought legal proceedings against the CPS including for breach of the (UK) Data Protection Act 2018 (DPA 2018) seeking £2,000 in damages for distress purportedly caused to the individual. The CPS denied all the allegations and revoked their earlier data breach admission, mainly on the basis that the CPS’ email did not contain the individual’s personal data.
What was the court’s ruling?
As regards the data protection aspects the court ruled as follows:
- The email did contain personal data as it indirectly allowed the individual to be identified as one of the people involved in the investigation – it was already in the public domain that the individual had been a suspect in the investigation for some years;
- Personal data does not need to exclusively relate to one individual when the group referred to is small, as was the case here;
- There had been a data breach (of three of the data principles under the DPA 2018) – the CPS had no reason to share the information with an unconnected member of the public (until a charging decision had been taken) and the CPS had not shown that it had appropriate organisational measures in place to prevent unauthorised or unlawful processing of personal data;
- But, the individual was only awarded a total of £250 (about $310 & €285) in damages as the data breach was, according to the court, at “the lowest end of the spectrum”. The individual’s claims that the email from the CPS led him to believe that he would be charged and that he suffered anxiety and depression as a result were rejected by the court. Instead, according to the court, “on no reasonable view” could the CPS’ email have presented any “significant development” or a “significant change” – “the email did no more than repeat that which had been in the public domain”. According to the judge, the individual “would have experienced a very modest degree of distress upon discovering that the CPS’s email had been sent to political opponents and the media by someone who had a grievance against him in an effort (as I find) to embarrass him”.
What are the takeaways?
This case sends out a clear message that minor matters are likely to only attract low awards of compensation at best. This said, organisations shouldn’t rest on their laurels – considerations for organisations in general include the following:
- Making staff and the Board aware of both individual and class-action claim risks for alleged data protection breaches;
- Setting up and undertaking regular compliance audits or reviews in order to identify, rectify and prevent issues that could involve either an individual claim or a class-action claim;
- Checking the liability provisions in vendor agreements and revise them where appropriate;
- Considering looking into insurance cover issues; and,
- In case they are on the receiving end of a claim they should act quickly!
We have written about data protection compensation cases here https://www.corderycompliance.com/smith-vs-talktalk/, here https://www.corderycompliance.com/ecrca-dpc/, here https://www.corderycompliance.com/thebountycase/, here https://www.corderycompliance.com/ali-v-luton-rogue-employee/, here https://www.corderycompliance.com/dp-infringement-stadler-currys, here https://www.corderycompliance.com/damages-minor-dp-infringement/, and here https://www.corderycompliance.com/lloyd-v-google-ruling/.
We write about privacy/data protection issues here: https://www.corderycompliance.com/category/data-protection-privacy/.
For more about GDPR please also see our GDPR FAQs which can be found here: http://www.corderycompliance.com/eu-data-protection-regulation-faqs-3/ and our Data Protection Glossary which can be found here: http://www.corderycompliance.com/?s=glossary.
The UK High Court’s judgment can be found here: https://www.bailii.org/ew/cases/EWHC/KB/2022/2500.html
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
|Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH||André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH|
|Office: +44 (0)207 075 1784||Office: +44 (0)207 075 1785|