Press enter to search, esc to close
In the recently reported case of Geoffrey Driver v Crown Prosecution Service [2022] EWHC 2500 (KB), the High Court awarded a claimant only £250 in damages to remedy his very modest distress following a data breach “at the lowest end of the spectrum”. In an area where there has been limited guidance from the courts on quantum, the decision in Driver provides a helpful benchmark for what claimants can expect to receive in damages for data breaches when they can establish only modest distress.
The Claimant, Mr Driver, was a well-known politician in the Lancashire area and, in 2014, he became a suspect in a widely publicised local government corruption investigation labelled Operation Sheridan. In 2016, Mr Driver was told he was no longer a suspect, but the operation continued, and he was subsequently arrested for conspiring to pervert the course of justice. Lancashire Police referred his file to the CPS for them to consider charges.
In June 2019, a CPS lawyer sent an email in response to an enquiry from a member of the public providing an update on Operation Sheridan. The email confirmed that: “A charging file has been referred from the Operation Sheridan investigation team to the CPS for consideration”. The individual later passed on the contents of the email to other parties, alongside his own commentary where he named Mr Driver (although there was no evidence these recipients took any notice).
Mr Driver brought a claim against the CPS on the basis that sending this email was a breach of the Data Protection Act 2018 (DPA 2018) and/or the General Data Protection Regulation (GDPR), a misuse of his private information, a breach of his human rights and negligence. Mr Driver alleged this breach had caused him significant distress, seeking £2,000 in damages. Mr Driver later dropped his claim for negligence.
In his judgment, Mr Justice Knowles determined five issues arising from the claim:
“…I have no doubt that the June 2019 email contained the Claimant’s personal data in as much as it indirectly allowed him to be identified as one of the people in relation to whom a file had been sent to the CPR for a charging decision…. Personal data can relate to more than one person and does not have to relate exclusively to one data subject – particularly when the group referred to is small”.
Mr Justice Knowles issued a declaration that the CPS had breached Mr Driver’s rights under Part 3 of the DPA 1998. He awarded Mr Driver £250 in damages for the “very modest degree of distress” he experienced upon discovering the CPS email had been sent to someone who had a grievance against him. The Judge was unwilling to accept Mr Driver’s evidence about the extent of the effect he said the CPS email had upon him.
The early part of 2021 saw a big spike in the amount of data privacy breach claims issued in the High Court, but, as recently reported by the Lawyer, the volumes have fallen substantially since then. This is no doubt a result of the Courts taking an increasingly robust approach in several recent judgments. For two such other recent examples, see:
Lloyd v Google LLC [2021] UKSC 50: this seminal judgment provided welcome clarity on the principle that damages for alleged breaches of data protection legislation cannot be claimed without demonstrating pecuniary loss or distress. It also provided welcome guidance on the Court’s approach to “opt-out” representative data actions. Our article on this case can be found here.
Rolfe & Ors v Veale Wasbrough Vizards LLP [2021] EWHC 2809 (QB): the High Court provided welcome guidance for data controllers on the approach the High Court will take in claims concerning a one-off data breach. The Court granted the Defendant summary judgment and awarded them indemnity costs. This was because there was no credible case that distress or damage over a de minimis threshold would be proved. See our earlier article here.
Data controllers will welcome the decision on the remedy in Driver as another encouraging decision in the recent line of High Court judgments on minor data protection infringements. The decision in Driver also confirms that judges will not always take a claimant’s own evidence on distress at face value or without challenge. Claimants who look to bring claims for relatively trivial data incidents can expect to receive only minimal damages, providing they can persuade the court that the distress is above the necessary de minimis (or minimum) threshold.
Contributors: Jake Brown, Sam McCollum and Alanna Tregear
[1] When the data incident occurred, the GDPR has direct effect in the UK, although following the UK’s withdrawal from the EU the GDPR has been replaced by the UK GDPR.
Date published
21 October 2022
RELATED SERVICES