Damages for distress for failing to verify personal data

Petr Aven v Orbis Business Intelligence Ltd [2020] EWHC 523 (QB)

The question 
Can damages be awarded as compensation for distress arising from a defendant’s failure to take reasonable steps to ensure the accuracy of personal data processed in breach of Principle 4 of the Data Protection Act 1998 (the DPA)?

The key takeaway 
Damages are not confined to material loss and can be awarded as compensation for stress arising as a result of a defendant’s breach of Principle 4 of the Data Protection Act 1998. 

The facts 
Orbis Business Intelligence Ltd (Orbis) published the so-called “Steele Dossier” (the Dossier) following instructions to provide intelligence memoranda to Fusion GPS (Fusion) on potential links between Russia, Vladimir Putin and Donald Trump. Fusion’s client was Washington based law firm, Perkins Coie, their client being the US Democratic Party. Memorandum 112 of the Dossier (Memo 112) asserted the closeness of the three claimants (influential Russian/Ukrainian businessmen) to President Putin. Memo 112 was published by Buzzfeed News and disclosed by Orbis to Fusion, the FBI and certain politicians and government officials. The claimants alleged that the use of their personal data in Memo 112 contravened principles under the Data Protection Act 1998 as the data was inaccurate (Principle 4) and processed in a way that was unfair, unlawful or non-compliant with the DPA (Principle 1). 

The claimants identified the below propositions in Memo 112 as personal data:

1. the giving and receiving of political favours between Putin and the claimants
2. the provision of informal advice by the claimants to Putin
3. a meeting between the second claimant and Putin
4. the use of an intermediary by the first and second claimants to deliver large amounts of “illicit cash” to Putin in his role as Deputy Mayor of St Petersburg, and
5. the first and second claimants doing Putin’s political bidding during his presidency.

The defendants contested whether proposition (1) constituted data and whether proposition (5) contained sensitive personal data. 

The decision
The judge concluded that proposition (1) was personal data relating to the claimants as the use of their company name, the Alpha Group meant that the reader would not plausibly separate Alpha Group and the claimants.  He also concluded that proposition (5) was sensitive personal data as the reference to large amounts of “illicit cash” led the reader to infer criminal activity; a specific criminal offence did not need to be specified. 

The defendant sought to rely on the legal purposes exemption arguing that its disclosure to Fusion was necessary for the purpose of prospective legal proceedings. Although the judge found that the disclosure to Fusion was not made for the purpose of prospective legal proceedings, it was made for the purpose of obtaining legal advice as Perkins Coie’s sole or dominant purpose in commissioning the Dossier was to obtain information to provide legal advice to its client, therefore the exemption applied. However, as data controller, Orbis was still obliged to fulfil its duty of accuracy under Principle 4 which it failed to do in relation to proposition (5), as the steps taken to verify the sensitive data fell short of what would have been reasonable.  The defendant also sought to rely on the exemption for national security, arguing that Memo 112 required disclosure to the FBI in order to safeguard national security. The judge accepted that national security defences could be relied upon by data controllers who are not “organs of the state” to conclude that although the purpose of safeguarding national security did relieve Orbis of its notification obligations under Principle 1, it did not provide any further exemption from Principles 1 or 4.  Finally, as the disclosures satisfied at least one of the relevant requirements in the DPA schedules, they met the fairness requirement under Principle 1. 

Why is this important?
Although the claimants’ primary focus was to “set the record straight” in relation to the propositions, the judge only deemed a limited order for rectification necessary since Orbis was not responsible for the publication of the Dossier by Buzzfeed. However, despite exemptions being made out, the judge still ordered £18,000 compensation to be paid to each of the first and second claimants for distress suffered, even though no material loss was sustained.  Whilst the judge followed defamation principles when calculating this figure, this judgment has the potential to set a benchmark for assessing the quantum for damages for data breaches. 

Any practical tips?
In this case Warby J interpreted personal data in a holistic manner, rejecting an “item by item” approach whereby the contents of a document are read as discrete and separate propositions and instead favoured a coherent narrative approach. As such, extra precautions should be taken if disclosing personal data - just because an individual is not named does not mean that the disclosure is not personal data.

Autumn 2020