Keep up to date with our blog articles, latest news and industry developments. See below for the latest posts or use the category listings to hone your search for stories of interest.
Civil damages for distress in data protection cases after Vidal-Hall
A new High Court judgment against the Home Office clarifies the extent of damages payable for distress alone in civil claims for data protection breaches.
In Vidal-Hall v Google  EWCA Civ 311, the Court of Appeal held that damages for distress could be claimed against data controllers for contravention of the Data Protection Act 1998, even where there was no financial loss. Section 13(2) of the Data Protection Act 1998 was accordingly disapplied as being incompatible with Article 23 of the Data Protection (Directive 95/46/EC) and the EU Charter of Fundamental Rights.
The Vidal-Hall decision appeared to “open the floodgates” for affected data subjects to claim damages for data protection breaches, where they could not prove that they had suffered fraud or other financial loss as a result of the breach, but had been distressed by learning of it. A recent High Court decision on damages for distress gives some guidance as to the quantum of the liability in such cases.
TLT & others v Secretary of State for the Home Department and the Home Office  EWHC 2217
The claim was brought by six pseudonymised claimants (“TLT”, “PNC” etc) whose personal data had been compromised when the Home Office accidentally uploaded a spreadsheet which included information at the second tab which should not have been released.
The information related to the family returns process, under which children of failed asylum seekers are returned to their country of origin. The information on the second tab of the spreadsheet included, in respect of 1,598 applications, “the name of the lead family member; his or her age and nationality; whether they had claimed asylum; the office which dealt with their case, from which the general area in which they lived could be inferred; and the stage which they had reached in the family returns process.”
The Home Office was held to be in breach of the Data Protection Act 1998 as well as the common law tort of misuse of private information. Damages were therefore recoverable under s.13 Data Protection Act, as modified by Vidal-Hall.
Level of damages
The decision in TLT dealt with the award of damages for distress to six data subjects, four of whom were main applicants named in the spreadsheet and two of whom were children of TLT.
The judge, Mr Justice Mitting stated in his decision that:
- affected family members not actually named in the disclosure, but whose identity could be inferred, could claim.
- the threshold for an award of damages for distress was that the distress had to be more than de minimus.
- the key issue was the loss or diminution of a right to control formerly private information and the distress justifiably felt as a result.
- the cases were be similar to those where claimants have suffered psychiatric injury due to an actionable wrong (careless or deliberate). This was distinguished from the types of case involving the deliberate and wide dissemination of private and confidential information by the media for gain, as in the more substantial awards granted to eight celebrities in the phone hacking case Gulati & Ors v MGN Limited  EWHC 1482 (Ch).
Having analysed the individual circumstances of each case, Mr Justice Mitting awarded damages ranging from £2,500 to £12,500. Factors which were considered in the individual cases included:
- a decision to relocate to a new area after the disclosures;
- fears for the safety of relatives in their country of origin;
- a loss of trust in authorities to whom information had been given in confidence; and
- fears that foreign security services would take an adverse interest in subjects after the disclosure.
It was noted in a number of instances that the awards granted were in line with those for psychiatric injury.
At the time of the TLT judgment, the Court of Appeal’s decision in Vidal-Hall was the subject to an appeal to the Supreme Court. A few days later it emerged that the Supreme Court appeal will not proceed, having been withdrawn on agreement between the parties.
As a result, such claims for distress in data protection breaches are now an established part of UK law. In addition to the prospect of regulatory fines or prosecutions following a widespread breach, companies will need to consider the prospect of claims from the very many data subjects affected, with damages in line with those for psychiatric injury cases.
In TLT the awards granted to only six individuals (four of whom were main applicants) amounted to £39,500. If every affected applicant were awarded even the lowest damages figure in TLT of £2,500, the total damages payable by the Home Office would be nearly £4million.
Whilst the levels of distress suffered will vary depending on the nature of the data breach and the circumstances of the individual affected, TLT confirms that Vidal-Hall has resulted an increased potential for claims, including group litigation, in data protection breaches.
See also our article on civil claims under the upcoming General Data Protection Regulation here.
The judgment in TLT has been shared on the Panopticon blog here.
Disclaimer: This article is produced for and on behalf of White & Black Limited, which is a limited liability company registered in England and Wales with registered number 06436665. It is authorised and regulated by the Solicitors Regulation Authority. The contents of this article should be viewed as opinion and general guidance, and should not be treated as legal advice.