03 June 2018
The Government was recently defeated in the Lords as peers backed a new Leveson inquiry into the behaviour of the UK press. This followed the Government holding off an attempt to force greater media regulation. It stems, of course, from the infringement of privacy rights by many of the print media.
Many argue that there is already regulation – in the form of criminal sanctions – against those who infringe a person’s privacy, such as phone-hacking.
We are seeing greater regulation with data protection, particularly with GDPR, and while privacy rights stem from Article 8 of the European Convention of Human Rights (the right to private life), data protection stems from the Data Protection Act 1998 which bestows that a person’s data, while expectedly used, should be protected. Nevertheless, there is some overlap.
Understandably, privacy breaches – i.e. an instance where someone’s private information has been used unlawfully – often with devastating results – will yield greater damages. The tort of misuse of private information derives from Campbell v MGN Ltd. Whether a person “had a reasonable expectation of privacy” will determine whether the information was private.
By contrast, personal information may be provided by an individual for a specific purpose, and so they have an expectation that the information will be adequately protected, particularly if there is sensitive personal data, such as medical information. The expectation there would be that the person would retain their privacy, as the unlawful disclosure (of a medical condition) is likely to cause a greater degree of distress.
To put another way, in order to determine whether an individual has an expectation of privacy, there need be consideration as to whether information is sensitive personal data such that it is afforded the protection of GDPR.
The Data Protection Act previously enabled a claim for damages where financial loss had been suffered, under section 13(2). However, the case of Vidal-Hall and others v Google, compensation for distress alone was made possible by virtue of the Court of Appeal ruling that there was no requirement in section 13 for financial loss to be suffered before compensation could be awarded for distress.
This has remained good law since the decision, and is now affirmed by GDPR which will entitle a claimant who has suffered material or non-material damage to compensation in respect of an infringement of the Regulation.
Data protection cases tend to yield a low value, because the implication tends to be that the way the data has been acquired is consensual, but may be breached due an error. As such, awards of £500-£750 were the norm. By contrast, privacy cases tend to involve more unscrupulous acquisition of data resulting in greater distress being suffered by the Claimant, and as such, seek greater figures to compensate for oft-life changing outcomes. Cases such as Gulati & Ors v MGN Limited, Representative Claimants v MGN Limited, victims of phone hacking were compensated between £72,500 and £260,250.
The gulf in value of compensation between privacy breach claims and data protection claims reflects the different outcomes in determining how they are quantified.
Helpfully, the Court in the Gulati case set down a number of ways to determine the quantum of awards of compensation in privacy breach claims. Certain types of information are likely to be more significant than others, so for example, a person’s private medical information is likely to be more sensitive (and so greater compensation) than knowing that person visits a particular medical practitioner. Further, significant private financial matters will likely attract a higher degree of privacy, and therefore compensation. So the publication of an MPs personal financial affairs, would likely garner greater compensation, whereas that MP being photographed at a social meeting (to perhaps discuss those financial affairs) would attract a lower degree of privacy.
Phone-hacking undoubtedly played its part in many a front-page scoop when various tabloids published ‘love rat’ exposés. This was private information about relationships and the amount of compensation payable was determinable by the nature of the information listened to and disclosed. Sensational stories, such as verbatim discussions by a cheating husband to a mistress, would be clearly the result of tapped telephone calls which cause a huge degree of distress and upset caused which ultimately bring an end to a relationship. This is life-changing intrusion which will result in greater compensation, rather than a short-term ‘embarrassment’, such as, for example, coverage of a couple’s row, which would yield lower compensation.
Where that embarrassment manifests into something more, as a result of a continued hounding by the press, then this can become a personal vendetta for which a greater amount of compensation may be payable.
Of course, the misuse of private information tort means that the ‘eggshell skull’ rule applies which means that one must take the victim as he found him. So a thinner-skinned individual may be caused more upset, and therefore receive more compensation, than a thicker-skinned individual who is the subject of the same intrusion.
Whether there is appropriate compensation for distress will be determined by the nature of the information and the consequences of the misuse.
By contrast to the above, in cases where there have been breaches of data protection consideration, in determining the level of compensation, has been given to the concerns and fears over the data been compromised and available – even temporarily – in the public domain. The greater and more rational the fear, the higher the damages award.
In Andrea Brown v The Commissioner of Police of the Metropolis, the County Court made a global award of £9,000 for breaches of the Data Protection Act and misuse of private information, the circumstances in the Gulati case were considered graver (and thus requiring greater compensation). However, in the case of Represented Claimants v MGN, it was held that that there should be parallels between the level of damages awarded for distress in privacy claims and awards made for psychiatric or psychological injury in personal injury cases.
In accordance with personal injury awards for moderate psychiatric and psychological damage which range from up to £15,000 depending on the most recent edition of the Judicial College Guidelines, we now have a regulation that could open the floodgates for a new type of claim.
These ‘personal injury’ claims against data controllers for distress – and where no pecuniary loss is suffered – are likely to be the new RTA claims or holiday sickness claims. This makes it essential that organisations take their data protection responsibilities seriously and do not risk been caught out.
We have had the existing case law of Vidal-Hall showing how claims for non-pecuniary loss can succeed, while Gulati sets the basis for how privacy breach claims are measured.
Going forward, it will be interesting to see what appetite there is to argue down Leveson 2 to better regulate the written media. The balance of a free press is weighted against the actions of an unscrupulous few. If the amendment to the UK Data Protection Bill does get through, then is this the first step to state-controlled media? In such circumstances, does this set us on the way to an ultimate regulation of the ‘Wild West’ web which we have become accustomed to over the past twenty years?
Certainly, there is likely to be a greater degree of control over the social media giants such as Facebook, where both privacy misuse and data protection breaches happen in ways that most users could not imagine.
The motivation of imposition by the EU of GDPR was to create a new culture of transparency and a way of promoting openness by public bodies and data privacy for individuals. This will have a greater effect on the global giants who have for years given flagrant regard for people’s data. Essentially, there is going to be greater accountability, and whether regulatory insistence or compensatory entitlement, things are certainly going to change.
If you have suffered distress through the loss of your personal information then contact us now on 0151 659 1070 or email us at This email address is being protected from spambots. You need JavaScript enabled to view it. for advice as to whether you can claim data protection breach compensation.
To find how our friendly and knowledgeable solicitors can help you, contact us today.
Make a free enquiry - Call now - 0151 659 1070
