In the recently reported case of Geoffrey Driver v Crown Prosecution Service [2022] EWHC 2500 (KB), the High Court awarded a claimant only £250 in damages to remedy his very modest distress following a data breach “at the lowest end of the spectrum”. In an area where there has been limited guidance from the courts on quantum, the decision in Driver provides a helpful benchmark for what claimants can expect to receive in damages for data breaches when they can establish only modest distress.

The facts

The Claimant, Mr Driver, was a well-known politician in the Lancashire area and, in 2014, he became a suspect in a widely publicised local government corruption investigation labelled Operation Sheridan. In 2016, Mr Driver was told he was no longer a suspect, but the operation continued, and he was subsequently arrested for conspiring to pervert the course of justice. Lancashire Police referred his file to the CPS for them to consider charges.

In June 2019, a CPS lawyer sent an email in response to an enquiry from a member of the public providing an update on Operation Sheridan. The email confirmed that: “A charging file has been referred from the Operation Sheridan investigation team to the CPS for consideration”. The individual later passed on the contents of the email to other parties, alongside his own commentary where he named Mr Driver (although there was no evidence these recipients took any notice).

Mr Driver brought a claim against the CPS on the basis that sending this email was a breach of the Data Protection Act 2018 (DPA 2018) and/or the General Data Protection Regulation (GDPR), a misuse of his private information, a breach of his human rights and negligence. Mr Driver alleged this breach had caused him significant distress, seeking £2,000 in damages. Mr Driver later dropped his claim for negligence.

The decision

In his judgment, Mr Justice Knowles determined five issues arising from the claim:

  • The claim was governed by the DPA 2018 (and not the GDPR), because the relevant processing by the CPS was for law enforcement purposes (although the Judge noted there was little material distinction between the principles that apply to the two).[1]
  • Whilst not named, Mr Driver was still indirectly identifiable from the CPS email and therefore it amounted to personal data. This was because his connection as a suspect in Operation Sheridan was in the public domain and the group (i.e. the suspects of the operation) was small, being only eight. Mr Justice Knowles held at paragraph 101:

    “…I have no doubt that the June 2019 email contained the Claimant’s personal data in as much as it indirectly allowed him to be identified as one of the people in relation to whom a file had been sent to the CPR for a charging decision…. Personal data can relate to more than one person and does not have to relate exclusively to one data subject – particularly when the group referred to is small”.

  • The CPS (who initially admitted a breach in response to a complaint but later disputed this) had unlawfully processed the relevant personal data, in breach of the first, second and sixth data protection principles. The CPS had no legitimate interest to process the personal data in the way it did because it was not necessary for the specific member of the public to be updated in the way they were.
  • Mr Driver failed to show that he objectively had a reasonable expectation of privacy in relation to the information contained in the CPS email. This was because the investigation had been widely reported and he had issued his own press release identifying himself as a suspect. The misuse of private information claim was dismissed, as was the claim under the Human Rights Act 1998.
  • Mr Justice Knowles issued a declaration that the CPS had breached Mr Driver’s rights under Part 3 of the DPA 1998. He awarded Mr Driver £250 in damages for the “very modest degree of distress” he experienced upon discovering the CPS email had been sent to someone who had a grievance against him. The Judge was unwilling to accept Mr Driver’s evidence about the extent of the effect he said the CPS email had upon him.

What it means for you

The early part of 2021 saw a big spike in the amount of data privacy breach claims issued in the High Court, but, as recently reported by the Lawyer, the volumes have fallen substantially since then. This is no doubt a result of the Courts taking an increasingly robust approach in several recent judgments. For two such other recent examples, see:

  • Lloyd v Google LLC [2021] UKSC 50: this seminal judgment provided welcome clarity on the principle that damages for alleged breaches of data protection legislation cannot be claimed without demonstrating pecuniary loss or distress. It also provided welcome guidance on the Court’s approach to “opt-out” representative data actions. Our article on this case can be found here.

  • Rolfe & Ors v Veale Wasbrough Vizards LLP [2021] EWHC 2809 (QB): the High Court provided welcome guidance for data controllers on the approach the High Court will take in claims concerning a one-off data breach. The Court granted the Defendant summary judgment and awarded them indemnity costs. This was because there was no credible case that distress or damage over a de minimis threshold would be proved. See our earlier article here.

Data controllers will welcome the decision on the remedy in Driver as another encouraging decision in the recent line of High Court judgments on minor data protection infringements. The decision in Driver also confirms that judges will not always take a claimant’s own evidence on distress at face value or without challenge. Claimants who look to bring claims for relatively trivial data incidents can expect to receive only minimal damages, providing they can persuade the court that the distress is above the necessary de minimis (or minimum) threshold.

Contributors: Jake Brown, Sam McCollum and Alanna Tregear

[1] When the data incident occurred, the GDPR has direct effect in the UK, although following the UK’s withdrawal from the EU the GDPR has been replaced by the UK GDPR.

Date published

21 October 2022



View all