Damages for personal data breach claims – minor breaches unlikely to lead to significant awards
The English High Court has recently given a ruling in relation to damages for personal data breach claims. The claimant, Mr Driver, brought a claim against the Crown Prosecution Service (CPS) for breach of the GDPR (amongst other claims).
Mr Driver was a well-known figure in Lancashire politics. In 2014, he became a suspect in an investigation into local government corruption. Allegations were subsequently dropped, but approximately one year later, Mr Driver was again investigated by the CPS in relation to an allegation of conspiracy to pervert the course of justice and/or intimidating witnesses.
In May 2019 a political opponent of Mr Driver obtained from the CPS a confirmation that a charging file on Mr Driver had been referred to the CPS for consideration. The individual passed this information on to other third parties.
The court held that whilst there was no reference to Mr Driver’s name in the email sent by the CPS the email was obviously about Mr Driver (amongst others) and so the information contained in the email was personal data. The court found no lawful reason for the CPS to have sent the email to the political opponent. As such, the sending of the email was a data breach under data protection legislation.
Mr Driver claimed a sum of £2,000 and declaratory relief in respect of the data breach, as he claimed it had caused him distress. Mr Driver said he feared that formal charges were likely to be brought against him, which he considered a significant development in the investigation. Mr Driver testified that it was acutely embarrassing, worrying and distressing to him and his family; that the prospect of the information getting out into the wider media and onto national television was terrifying.
The court did not accept Mr Driver’s evidence about the effect of the emails on him. The court did not consider that these emails were a significant change or development in the case and merely repeated information already in the public domain. The court was prepared to accept that Mr Driver would have experienced a “very modest degree of distress” when he found out that the email had been sent to political opponents and to the media. In the circumstances, the court held that this was a data breach of the lowest end of the spectrum and awarded Mr Driver £250 in damages.
Whilst not exploring the effect of more significant data breaches in terms of monetary value for distress, this does give some guidance as to how courts will view minor data breaches and shows that the court will consider the evidence on distress robustly. There is also an indication that the court will consider whether such distress was in fact reasonable in the circumstances – this is a departure from the normal principle of “take your victim as you find them” – a controversial move!