Data breach damages: how much?

The High Court has considered how damages should be quantified in data breach claims where claimants suffer no pecuniary loss and claim solely for distress and anxiety.

The transcript of the judgment in this case has only recently become available. It follows on from the Court of Appeal judgment in Vidal-Hall and others v Google Inc [2015], in which it was established that claims for damages under the Data Protection Act 1998 (DPA) are permissible even where the only type of damage claimed for is distress.

Background

The case concerned the Home Office’s publication of quarterly statistics about the family returns process, which is the means by which children who have no right to remain in the UK are returned to their country of origin.

In October 2013 the Home Office accidentally published a spreadsheet containing confidential personal information of around 1,600 applicants for asylum or leave to remain. This included the name of their lead family member, age, nationality, asylum status, the office dealing with their case and the stage reached in the family returns process. The error was discovered and the spreadsheet removed some two weeks later, but not before it was accessed from 22 different IP addresses in the UK and one in Somalia and also downloaded by an unknown individual.

The Home Office notified the Information Commissioner’s Office (ICO) of the breach, as required, and informed the affected individuals. However, the spreadsheet was reloaded onto a United States document sharing website. It was viewed a further 86 times before being spotted and removed by the ICO.

Claims were brought by six affected individuals. The claimants sought compensation for shock and fear caused by the Home Office’s error.

Issues

Liability was accepted, as the accidental publication of this information amounted to a misuse of personal information and a breach of the DPA. It was also agreed in principle that damages were recoverable at common law for distress.

Four main issues arose:

• Whether the unnamed individuals could recover damages for distress.
• Whether damages fell below the de minimis threshold.
• Whether guidance from cases involving deliberate exploitation of private and confidential information for gain by media publishers could be used.
• Whether damages should be awarded for the loss of the right to control personal and confidential information.

Decision

Mr Justice Mitting held as follows:

• Damages were recoverable by the claimants for distress. The claimants’ identity could be inferred by anyone with knowledge of the individual’s family.
• The de minimis threshold must be exceeded for compensation to be awarded. This was not an issue in this case.
• The main issue was how quantum should be assessed. He rejected the comparison with cases involving “the deliberate dissemination of private and confidential information for gain by media publishers”. He was instead guided by awards made in personal injury cases involving psychiatric and psychological injuries. The decision in Gulati and others v MGN Ltd [2015] was also referred to in establishing that any award for damages should take into account the loss of control of formerly private information.
• In analysing the individual claims, he considered the specific facts, the distress experienced and the claimants’ rational fears as to the consequences of the data breach. The awards ranged from £2,500 to £12,500 for each claimant, in line with awards for psychiatric and psychological damage and taking into account loss of control of confidential information.

Comment

The case provides insight as to how the courts are approaching the assessment of damages in data breach cases – in this instance adopting a personal injury approach.

The written judgment also provides guidance as to how facts and evidence are analysed in the context of breach of privacy claims. In practical terms, data controllers should be alert to the potentially significant financial implications that may arise out of ‘distress only’ data breach claims.

Related items:

Time is of the essence: reporting data security breaches
Privacy notices: just to let you know
Cyber data breach: record £400,000 fine