Data protection damages awards for distress in the UK jurisdictions up 5,000% pre-GDPR?

Stuart Ritchie


Masochists, who ipso facto and ex officio collectively may approach 100% of my audience, will be aware of my flogging Vidal-Hall v Google (lower court judgment) to death on Linkedin and elsewhere. However, after 37 months it may be time for a quick overview of Vidal-Hall's impact on subsequent cases. The contagion has just spread to Scotland.

Bottom line: data protection distress awards in England/Wales and Scotland alike are up by circa 4-5,000% in three years.

Before Tugendhat J struck down s.13(2) Data Protection Act 1998 in Vidal-Hall, courts could only throw some sod-off money, maybe a hundred quid or two, to claimants whose reputation and dignity, perhaps even liberty, had been trashed but who could not both quantify financial loss and prove causation.

By 2016 the landscape already had been transformed. In my view, to avoid clogging up the court system the judiciary yet again has proved itself to be extraordinarily innovative, and elegantly capable of cutting Gordian knots.

In TLT et al v SSHD Mitting J awarded sums ranging from £2,500 (for claimants whose cases the judge considered to be relatively unmeritorious) to £12,500 (for claimants of whom the judge said "To describe the totality of their experiences as "distress" is a misstatement and an understatement…" in respect of Iranian intelligence). This despite the breach arising from a genuine and hastily corrected (credit where credit’s due) mistake by the Home Office, which only rarely elicits my sympathy. I guess foreseeable outcomes of torture and death makes such a mistake a pretty serious one, even by the relaxed Home Office standard. PR, you know.

In Brown v Met, GMP the claimant asked for £30,000. The defendant police forces admitted liability but submitted that it was worth only £3,000. The judge considered the claimant not at all credible, but nevertheless awarded £9,000. In part, this may have reflected judicial displeasure at multiple police forces’ routine deployment of anti-terrorist surveillance powers to surveill not only the claimant, but also her child, in the UK and overseas, in furtherance of an employment dispute over… sick leave? You just can’t make this kind of stuff up. I’m delighted our boys in blue retain their Kafkaesque sense of humour and capacity to entertain, it must be their MC in the Home Office. Mr Trump could learn a lot from them.

Brown is a particularly interesting case because the judge (a) surveys and summarizes the quantum case law; and (b) suggests that the benchmark for awards is now psychiatric personal injury but, in effect, requires neither medical expert evidence nor any particular evidence at all beyond judicial notice. This could be seismic. One interpretation: if you can persuade the judge you’re distressed, you can get an award in a zero-costs small claim as if you’ve succeeded in a 5-6-figure costs multi-track personal injury case lasting years. The case further regularizes quantum calculation by suggesting that if the "statutory tortfeasor", as it were, has been in breach for more than a year then the award will be increased pro rata. Something for Boards to consider when deciding whether to disclose privacy breaches. Some already may be in line for six-year awards.

In 2017, just weeks ago in Scotland, Sheriff Ross’s liability judgment in Woolley v Akram very significantly referenced Vidal-Hall (despite it not being binding on Scotland, the same reasoning applied in respect of the same Act). Without referencing English quantum precedent, the award was £10 per day per claimant. Delinquent employers (as seen in the Californian Xora case), and those who use CCTV to stalk their neighbours, will be sorely disappointed to lose their hobby (zero sympathy from me, get a grip and use binoculars like I do, the old ways are the best – I reserve my view on parental fauxbook stalking on the grounds that what my children don’t know won’t hurt them). Over the course of a year or more, it will be seen in aggregate this is not dissimilar to the English approach.

Apparently all of the English cases were, sensibly, pleaded shotgun in tort of misuse of private information in the alternative to s.13 Data Protection Act 1998 and assorted other remedies. If you don’t go down to the one, you’re screwed by the other. Roll on GDPR, under which (Article 79) any breach at all can be litigated by the data subject, possibly in a jurisdiction forum-shopped by the claimant.

I have no information on Northern Ireland but, on the admittedly over-simplified basis that Scotland’s civil law system is far more removed from England’s than is Northern Ireland’s common law system, I would not be surprised if future such quantum awards were aligned.

    All facts and opinions set out above, including but not limited to spoken content and attachments/links, are provided for informational purposes only as a non-legal service to the public, and do not constitute legal advice or a substitute for legal counsel, and do not create any lawyer-client relationship, nor do they constitute advertising or provision of a legal service, nor are they the opinion of this web site or of its owner. The author is a co-founder of GDPR360 but does not speak in that capacity or in the capacity of a lawyer.