Quantification of a Data Breach


What do courts tend to award claimants who suffer data breaches?

The High Court has handed down judgment in the case of Driver v Crown Prosecution Service [2022] EWHC 2500 (KB). In summary, Mr Driver was awarded £250 for his data breach claim. This is a very welcome case for data controllers dealing with low level data breach claims.

By way of background, the CPS disclosed details of an ongoing fraud investigation (named Operation Sheridan) concerning Mr Driver in an email to a member of the public, Paul Graham. Mr Graham was not involved in the investigation but was described in the Judgement to be a political opponent of Mr Driver. Mr Graham made an enquiry with the CPS and was sent the following email;

“A charging file has been referred from the Operation Sheridan investigation team to the CPS for consideration.”

Mr Graham communicated the contents of the email with his own comments, which included naming Mr Driver, to several further individuals. There was no evidence, however, that anyone read the email or acted further upon it.

Mr Driver brought a claim against the CPS on the basis that the email had caused him distress, relying on the following causes of action;

  • breach of the General Data Protection Regulation (the “GDPR”) or in the alternative for breach of the Data Protection Act 2018 (the “DPA 2018”);
  • misuse of private information (“MPI”);
  • breach of the Human Rights Act 1998 (the “HRA 1998”).

Did the email amount to Mr Driver’s personal data?

The CPS argued that no data breach occurred as the email did not contain Mr Driver’s personal data. This argument was rejected by the High Court on the basis that the email enabled the recipient to identify Mr Driver as one of the people mentioned in the “charging file”.

GDPR or DPA 2018 claim?

The High Court held that Mr Driver’s claim was not a GDPR claim, but that it instead fell within the law enforcement provisions of the DPA 2018.

Did a data breach occur?

Yes. The key takeaway was that there was no necessity to update the Mr Graham and therefore there was no lawful processing condition that could be relied on.

Did the CPS violate Driver’s human rights or misuse his private information?

In relation to the allegation of misuse of private information, the court found that Mr Driver had no reasonable expectation of privacy concerning the details of Operation Sheridan, as much of the information was in the public domain.

The human rights claim was subject to a 12-month limitation period which had expired but could have been extended at the court’s discretion. As it was established that Mr Driver had no reasonable expectation of privacy in the misuse of private information claim, the judge declined to extend this period. Therefore, the human rights claim also failed.

The claim for distress

The Data Protection Act 2018 enables data subjects to be compensated if they have “suffered material or non-material damage as a result of an unlawful processing operation”.

Section 168(1) of the DPA 2018 specifies that “‘non-material damage’ includes distress”.

Mr Driver’s claim for distress was successful but caveated for the following reasons.

To support his claim for distress, Mr Driver relied on the fact that he visited his doctor in 2020 and was prescribed anti-anxiety medication. The judge saw no evidence that the data breach was the specific cause of Driver’s anxiety “rather than… the stress of having been under police investigation, by then, for six years or so.”

The judge was also sceptical of Mr Driver’s claims about the extent of his distress, denying that the data breach could have reasonably caused the claimant “anything like the level of anguish which he claimed”.

Weighing up the above factors, the High Court awarded Mr Driver damages of £250 which is of course minimal. Data controllers should however of course note that the CPS would have been liable to pay Mr Driver’s legal costs which are likely to have been substantial. Overall, this is very helpful guidance in that a case involving limited personal data and limited distress being suffered, £250 is an appropriate figure for damages (or at least as a starting point).

For more information, please contact Hetal Ruparelia.

JOIN OUR MAILING LIST

The latest news from Devonshires, sent to you direct.

Join our mailing list and find out what we’re up to and what we think about recent events and future possibilities.

SIGN UP
Join our Mailing List