Case Summary and Outcome

The Queen’s Bench Division of the U.K. High Court of Justice held that there was a threshold of distress that had to be reached for damages to be awarded where the distress was caused by the misuse of private information in data processing; that family members of named data subjects could also recover damages; and that awards should be analogous to those made for psychiatric or psychological injury in personal injury cases and should take into account the loss of control over one’s private and confidential information.

Applicants TLT and others claimed damages for distress against the U.K. Home Office arising from the publication online of a spreadsheet containing personal details relating to their immigration and asylum status.

Facts

Every three months, the U.K. Home Office publishes statistics about its family returns process, through which immigrant families with children who have no right to remain in the U.K. are returned to their country of origin. The statistics are compiled based on collected raw data that contain a substantial amount of personal information, such as the name of the lead family member, age, nationality, country of origin and whether the immigration application was based on seeking asylum.

On October 15, 2013, the Home Office mistakenly uploaded the raw data along with the statistics for the period of April to June of that year on the U.K. Visas and Immigration website. The data contained details of 1,598 lead applicants for asylum or leave to remain. While the page was immediately removed upon discovering the error some two weeks from the date of publication, the government reported that the raw data could have been downloaded by non-Home Office IP addresses.

One of the families affected by that error was an Iranian family that had arrived in the country in 2010 and sought asylum. The published raw data included the name of the lead applicant (TLT) and, inaccurately, his date of birth and some limited details about his immigration case, type and status. In January 2014, the Home Office officials notified him along with all other affected individuals, including three more asylum families from Albania, Pakistan, and Sri Lanka respectively who joined TLT’s claim against the Home Office for non-pecuniary damages for misuse of private information under the Data Protection Act of 1998.

The claimants submitted witness statements, detailing their safety concerns and distress caused by the dissemination of their private information, particularly the possibility that their immigration status could have been revealed in their countries of origin from where they had sought asylum.

Decision Overview

Justice Mitting delivered the judgment of the High Court of Justice.

At the outset of the proceedings, the government conceded that its erroneous publication of personal information related to TLT and three other asylum families amounted to a “misuse of their private and confidential information, and to processing their personal data in breach of the first, second, and seventh principles set out in Schedule 1 to the Data Protection Act.” [para. 10] Under the first principle, “[p]ersonal data shall be processed fairly and lawfully and,” and must comply with specific conditions set out in the subsequent schedules, depending on the nature of the data and purpose for which the information is collected. The second principle says personal data “shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.” And under the seventh principle, data processors must take appropriate measure against unlawful or unauthorized processing of personal data, or accidental loss or destruction of such information.

Before addressing each specific issue raised in the case, Justice Mitting reviewed the Court of Appeal’s recent decisions on the assessment of damages for breach of privacy and data protection rights namely that the Data Protection Act allows the recovery of non-pecuniary damages, such as emotional distress, as a result of misusing private information. In Vidal-Hall v. Google Inc. [2015] 3 WLR 409, the Court of Appeal allowed such recovery against Google for unauthorized collection of internet usage via the Apple Safari browser. The Google case is pending appeal to the Supreme Court but unless or until it is overturned or qualified, Justice Mitting said he was bound to follow the Court of Appeal’s decision.

Justice Mitting then addressed four areas of contention in the case:

1. whether TLT’s wife and his 17-year-old daughter who were not named in the raw data could still recover damages at common law or under the Data Protection Act, subject to proof of their distress;
2. whether the claimants’ distress had crossed the level of threshold below which damages are not recoverable;
3. whether it was proper for the court to apply guidance from awards in cases involving the deliberate dissemination of private information for gain by media publishers or individuals engaged in that trade; and
4. whether damages should be awarded for loss of the right to control of personal and confidential information.

As to the first issue, Justice Mitting ruled that both the wife and daughter of TLT could sue at common law and under the Data Protection Act because even though the data was collected under the name of TLT, it applied to all of them. And “the fact that they had claimed asylum with TLT was just as much private and confidential information about them as it was about him.” [para. 12] He further reasoned that their immigration status could “readily” be inferred from TLT’s name. Based on the whole of their experiences Justice Mitting found that the family had suffered a substantial amount of stress. He awarded TLT and his wife £12,000 each and the daughter £2,500 on the basis that “she was protected by her youth and by the care which her parents took to shield her from knowledge of what was happening.” [para. 30]

As to the second issue, Justice Mitting affirmed the de minimis principle, namely that there is a threshold below which damages for distress may not be awarded but said that it was not engaged in this case. On the third issue, he disagreed with the claimants that the level of awards for damages should follow those awarded where private information is deliberately disseminated by media. He reasoned that the claimants’ cases were “far closer to cases in which claimants have been caused to suffer psychiatric injury by an actionable wrong, whether a careless act or deliberate wrong, such as child sex abuse.” [para. 16].

As to the last issue, Justice Mitting noted that the Court of Appeal in Gulati v. MGN [2016] 2 WLR 1217 had established that damages can be awarded for loss of the right to control of personal and confidential information. However, he held that in this case it was neither necessary nor desirable to make a separate award based on this but that he would take it into account in the awards he made.

In addition to awarding damages to TLT and his family, Justice Mitting separately assessed and awarded damages for the distress suffered by the three other families.