Water cooler and triangular chairs
  1. Home >
  2. Snapshots >
  3. Data protection >
  4. >
  5. £250 compensation award for data breach causing limited distress

SHARE:

£250 compensation award for data breach causing limited distress

Published on 23 December 2022

Geoffrey Driver v Crown Prosecution Service [2022] EWHC 2500 (KB)

The question

How should the courts measure damages for “modest distress” caused by data processing breaches?

The key takeaway

An English court awarded just £250 in damages to a claimant who had suffered limited distress following a breach of the Data Protection Act 2018 that was “at the lowest end of the spectrum”.

The background

The claimant was the former head of Lancashire Council and had been under police investigation for many years as part of an anti-corruption operation known as Operation Sheridan. 

Some time after the police file had been handed over to the Crown Prosecution Service (CPS) to determine whether to prosecute the eight individuals that were under investigation (including the claimant), a member of the public with no connection to the Claimant or the investigation sent an email to the CPS requesting an update on the case, stressing his desire for the CPS to reach a quick decision on the matter. The CPS responded by saying that “A charging file has been referred from the Operation Sheridan investigation team to the CPS for consideration”. The member of the public later shared this response with various politicians and journalists, copying in the claimant. 

The claimant complained to the CPS, who admitted that their response had amounted to a data breach. Amongst others, the claimant brought a claim against the CPS for breach of the UK GDPR and/or the Data Protection Act 2018 (DPA 2018). The CPS denied all allegations and revoked their earlier admission that the email had amounted to a data breach.

The development

The court found that the DPA 2018, rather than the UK GDPR, was the relevant legislation, as the processing had been for law enforcement purposes. It also found that the email did contain personal data as it indirectly allowed the claimant to be identified as one of the people involved in the investigation.

Mr Justice Knowles determined that the first, second and sixth data protection principles (under section 34 of the DPA 2018) had all been breached, meaning that the processing was not lawful and fair, its purposes were not specified, explicit and legitimate and it was not done in a secure manner. This decision was reached on the basis that it was not necessary or proportionate for the CPS to share the information with an unconnected member of the public, and the CPS had not shown that it had appropriate organisational measures in place to prevent such unauthorised/unlawful processing. 

The key outcome from this case, however, was that the Court only awarded the claimant total damages of £250 (much less than the £2,000 being claimed). The court did not accept the claimant’s submissions that the CPS’ email led him to believe that he would be charged and he suffered anxiety and depression as a result. Instead, it found that “on no reasonable view” could the email have presented any “significant development” that wasn’t already in the public domain. Further, although the email had been forwarded by the member of the public to various journalists and politicians, there was no evidence that any of those recipients had acted on, or even read, the email. The Judge concluded his judgment by commenting that this case was at “the lowest end of the spectrum”, and that £250 was therefore the appropriate amount to award.

Why is this important?

This case is good news for data controllers and is another in a series of judgments by the English courts that demonstrate an unwillingness to encourage claims brought as a result of relatively minor data breaches. It is clear, too, that the courts will take an objective approach when determining a claimant’s distress and will not award large sums of damages where it would expect damage to be minimal.

Any practical tips?

As Mr Justice Knowles observed in his judgment, this area of law is “not an exact science”. Each case very much depends on its facts. Data controllers should therefore not rely on this case as a reason to ease off on its data protection compliance efforts, especially where they are also subject to the EU GDPR and the judgments of non-English courts who may not take a similar approach.

In the UK context, however, this case is instructive and a clear signal to data subjects that it may not be worth their while to bring claims for smaller data breaches. Data controllers should nonetheless still seek to shore up their complaints handling processes so that aggrieved data subjects may obtain the assurances they need from the data controller itself rather than resorting to litigation. 

 

Winter 2022