UNRAVELLING THE TRUE COSTS: Assessing Damages in Privacy Claims
July 18, 2023
Introduction:
Valuing claims for general damages for breach of the GDPR is tricky, not least because of the absence of a large body of higher court authority. However, the cases that have emerged give some indication of how the courts are handling these matters. Under English law there is no autonomous right to privacy. Privacy claims come within several different causes of action: breach of the Data Protection Act 1998 (DPA), Misuse of Private Information (MPI), breach of the Human Rights Act 1998 (HRA), breach of the Protection from Harassment Act 1997, and equitable claims such as breach of confidence. In GDPR/privacy claims, unlike other regulatory regimes such as the Financial Regulations Authority, only the courts have the power to award compensation, not the regulator or ombudsman.
Cause of action:
Courts tend to consolidate multiple causes of action arising from the same breach of privacy into a single award for efficiency and fairness. Recently, a court ruling has expanded the scope of the Data Protection Act (DPA) in the UK. Previously, a claim under the DPA required a financial loss or specific conditions to be met. However, in Google Inc v Vidal-Hall & Information Commissioner [2015] EWCA Civ 311 the Court of Appeal found that these restrictions in section 13(2) were incompatible with Directive 95/46/EC, resulting in their removal. As a result, all damages, including non-pecuniary losses, can now be claimed under the DPA.
Courts Approach:
In the case of Gulati v. MGN Ltd [2015] EWHC 1482 (Ch), Mr Justice Mann awarded record-breaking damages in a privacy claim. The claimants were victims of phone hacking and blagging, and they sought damages for misuse of private information. The methodology applied by Mr Justice Mann, which was upheld by the Court of Appeal, allows for the recovery of damages solely for the loss of control over private information. Furthermore, in Lloyds v Google the Court of Appeal held that the Claimant could recover damages for loss of control of their data under the DPA 1998 without the need to prove mental distress.
The determination of the 'value' of a loss of control presents inherent challenges. However, comprehending the nature of the compensation as 'licence fee damages' for the utilisation of the information is likely to facilitate the court in quantifying the damages.
Unless the information at the centre of the privacy claim possesses evident commercial value (e.g., phone hacking, web browser data), the prevailing approach of the courts has been to incorporate the loss of control into the overall award granted.
Assessing these 'general damages' does not adhere to a precise mathematical formula. The Court of Appeal has expressed its reluctance to intervene in the evaluation of damages in such cases where the measure of damages is inherently general and cannot be precisely calculated mathematically.
In another case, TLT v. Secretary for Home Department [2016] EWHC 2217 (QB), claimants brought claims under the DPA and for misuse of private information. The Home Office accidentally published personal data of asylum applicants, which was available online for 13 days. In this case, the court did not apply the methodology used in Gulati since it did not involve intentional dissemination of private information for financial gain. Instead, the court assessed the claimants' distress in line with psychiatric injury caused by an actionable wrong, using the guidelines provided by the Judicial College for The Assessment of General Damages in Personal Injury Matters. A useful yardstick in gauging the likely level of an award is to 'cross-reference' with PI awards for psychiatric and psychological injury. However, a point to note is that none of the Claimants in this case suffered from a recognised psychiatric disorder as of the posting of their personal data. Therefore, proof of distress is not necessary, albeit the awards will be very modest in the absence of such evidence, as per Halliday v Creation Consumer Finance Limited [2013] EWCA Civ 333, which clarifies how compensation under the DPA should be assessed and sets a high threshold for obtaining a substantial award of damages.
Mr. Halliday had been awarded nominal damages by a district judge absent evidence demonstrating any financial loss, which was affirmed on a prior appeal. In the present appeal, the court looked at the question of whether Mr. Halliday was entitled to an award for distress, and whether his claim for damages should have been rejected on the ground that he had to show that he was entitled to substantial damages before he could obtain damages for distress.
The appellant, Mr. Halliday, had entered into a credit agreement with Creation Consumer Finance (CCF). After a series of complex developments, CCF wrongly recorded Mr. Halliday as owing funds, and the information was then shared with a credit reference agency. Mr. Halliday sought to rely on the DPA to claim damages for the harm to his reputation and credit rating, and the distress he suffered.
The Court of Appeal affirmed that a nominal damages award of £1 was appropriate where a claimant could not prove loss, and that such an award was an effective remedy for the purposes of European Union law. The court reviewed whether damages for distress are available where the complainant failed to receive substantial damages for the breach itself.
The court considered how the damages for distress should be assessed, finding that the remedy is only available where the distress results from contravention of the data processing requirements and is suffered by the complainant himself. The court concluded by recognising a general principle that non-compliance with important European instruments will cause frustration to complainants, and that compensation for such frustration may sufficiently amount to as little as £750.
While some of the points in the case were fact specific, the final decision appears to create two general rules. First, in the absence of direct evidence of specific financial loss, nominal damages may be awarded for breaches of the DPA. Second, an additional remedy for frustration or distress may be awarded.
A decision arrived at on similar lines is AB v Ministry of Justice [2014] EWHC 1847 (QB). The claimant had clearly established distress (valued at £2,250) but there was otherwise no clear basis on which to establish that pecuniary loss had been suffered. Baker J, instead of declining to award compensation on the basis that section 13(2)(a) had not been met, awarded nominal damages of £1, which was said to reflect the fact that the claimant had spent considerable time and expense trying to obtain the actionable disclosure from the defendant. The court's policy was seemingly to prevent the difficulties of proving pecuniary loss from precluding a claim for damages under the DPA 1998. In assessing such awards the courts were applying Simmons v Castle [2012] EWCA Civ 1288, [2013] 1 WLR 1239, in which the Court of Appeal held that awards for torts causing, inter alia, distress were to be 10% higher than previously awarded.
In privacy claims, damages awarded under the Human Rights Act (HRA) tend to be low, leading claimants to rely on other causes of action. However, the HRA is often included as part of the claim. Harassment claims, on the other hand, are typically considered more serious invasions of privacy and can even constitute criminal behaviour in certain circumstances and would see higher awards.
Consequently, these types of claims to some extent stand apart from other privacy claims.
Damages in Harassment Claims:
The assessment of damages in harassment claims follows the Court of Appeal's guidance provided in Vento v. Chief Constable of West Yorkshire Police [2002] EWCA Civ 1871. The Vento case established three distinct bands for assessing damages in harassment claims.
These bands are as follows:
- Isolated or Less-Serious Cases: Damages up to £6,000 may be awarded for cases that involve isolated incidents or are of a less-serious nature.
- Serious Cases with a Lengthy Campaign of Harassment: Damages ranging from £18,000 to £30,000 may be awarded for cases that involve a sustained and prolonged campaign of harassment.
- Cases Falling In-between: Damages ranging from £6,000 to £18,000 may be awarded for cases that fall between the isolated/less serious and serious/lengthy campaign categories.
Complexity in Quantifying Damages:
Determining the appropriate damages for breach of privacy is a challenging task, and the court's approach to awards in such cases is still evolving. The quantification of damages is highly dependent on the specific facts and circumstances of each case. Estimating the level of distress suffered by the claimant remains problematic due to the subjective nature of emotional harm.
Distress is subjective, but the eggshell rule still applies. In Burrell v Clifford [2016] EWHC 294 the "thin skull" principle recognised that damages should be based on the extent of distress suffered, even if a more robust individual wouldn't have experienced the same level of distress. However, genuine distress is required, as exaggerated reactions are less likely to be considered genuine. Severe distress may be recognised as a psychiatric injury, requiring medical evidence.
Awards for famous or infamous individuals tend to be higher than for average individuals. For example, Cliff Richard was awarded £190,000 in general damages and £20,000 in aggravated damages against the BBC. Max Mosley was awarded £60,000 due to the unprecedented distress and indignity in his case. Non-celebrity claimants are unlikely to receive such high awards, with damages typically ranging between £1,000 and £25,000, based on comparisons with the JCB Guidelines. The awards in TLT v Secretary of State for the Home Office can serve as a useful starting point for determining an appropriate award.
Relevant Factors:
When evaluating an award in privacy cases, several factors come into play and will be considered by the court. These factors include:
- Nature and Content of the Private Information:
- The significance and sensitivity of the private information disclosed will have a direct impact on the affected individual. The greater the privacy invasion and importance of the revealed information, the more substantial the effect on the individual is likely to be.
- Scope of Publication or Disclosure:
- The extent of the publication or disclosure plays a crucial role in assessing the invasion of privacy. Wider dissemination of private information leads to a more significant invasion and amplifies the impact on the individual's privacy rights.
- Presentation of the Publication or Disclosure:
- The way the private information is presented can contribute to the severity of the invasion. Sensationalist treatment, characterised by exaggerated or dramatic elements, may intensify the invasion, and be viewed as more serious compared to a more restrained and measured publication.
- Individuals Likely to Access the Information:
- Consideration will be given to the individuals who are likely to access or be perceived as likely to access the disclosed information. Disclosures made to professionals bound by confidentiality obligations may be deemed less serious than disclosures to close family members or the public.
- Real Interest in the Disclosure:
- The court will adopt a pragmatic approach to assessing whether there was a genuine or likely real interest in the disclosure. This analysis focuses on the necessity or legitimacy of the disclosure in relation to the public interest or any relevant legal considerations.
Conclusion:
Determining the appropriate damages in privacy cases involves considering various factors such as the nature of the disclosed information, the extent of publication, the potential audience, and the public interest in the disclosure. These factors help assess the invasion of privacy and its impact on the affected individual. While specific levels for damages in privacy claims may develop over time, like the framework seen in cases like Vento, currently, damages awarded under the Human Rights Act (HRA) tend to be low. As a result, claimants often resort to alternative causes of action, such as harassment claims, which rely on the guidance provided by Vento. The Vento framework offers three bands for assessing damages based on the severity and duration of the harassment. However, quantifying damages for privacy breaches remains a complex task, and the court's approach to awards continues to evolve. Ultimately, the specific circumstances of each case will dictate the appropriate level of compensation. It is conceivable that, in due course, specific levels for damages in privacy claims may emerge, providing additional clarity to the court's decision-making process.
As the regime for compensation claims under the GDPR evolves, a glimmer of proportionality is starting to emerge. While significant tests must be met to establish a claim, the potential for parties to initiate class actions for compensation within the EU remains a genuine concern. It is crucial for businesses to maintain a vigilant watch over the legal landscape and take proactive steps to ensure their GDPR compliance programs effectively mitigate the risks associated with such claims. Additionally, businesses should also be mindful of the potential for other enforcement actions by data protection authorities, as GDPR fines and related measures pose a more tangible and established threat. By staying abreast of evolving regulations and fortifying their compliance efforts, organisations can better protect themselves from the repercussions of non-compliance and safeguard the privacy rights of individuals.