The recent judgment of Mr Justice Knowles in Driver v CPS  EWHC 2500 (KB), awarding just £250 damages, is yet another helpful decision which businesses will welcome for the common sense approach adopted to a low value data breach claim.
The decision is in line with comments made in 2018 by Mr Justice Warby in Lloyd v Google  EWHC 2599 (QB) and  UKSC 50 that “Not everything that happens to a person without their prior consent causes significant or any distress… Not everybody objects to every non-consensual disclosure or use of private information about them”. In the Supreme Court it was also made clear in November 2021 that compensation is not recoverable for trivial damage.
More recently in a decision from November 2021, that has only recently been published, in Cleary v Marston (Holdings) Ltd  EWHC 3809 (QB) Mr Justice Nicklin ordered the transfer of a one-off data breach claim seeking damages of no more than £3,000 from the High Court to the small claims track at the County Court. Rather telling in particular is the comment from the judge that “the likely irrecoverable costs [which were estimated to be approaching £50,000] would almost certainly exceed the sum [being claimed] in damages…” Proportionality is therefore a key factor that the Court will take in account for low-value data claims at the case management stage.
Driver v CPS gives further hope to businesses that the Court will not agree to award substantial damages to claimants where there is no evidence of distress. Here damages of £250 were considered appropriate for a data breach described as being “at the lowest end of the spectrum”.
Louise Prince, Senior Associate in the Firm’s Reputation Protection and Privacy team said “The small award of damages in Driver v CPS is not surprising given the specific facts of this case but it is a helpful indication of how the court is likely to approach quantum of damages in low value pure data breach cases. It also follows hot on the heels of decisions in other similar low value claims, and shows that the Court is prepared to limit such claims whether by transferring them to the County Court or awarding low damages. Businesses will no doubt hope that this sensible approach will continue in the future as it will certainly lead to significant costs savings fighting small claims where the damages being sought significantly outweigh the costs claimed.”
Driver v CPS – The Facts
This case centres on an email which was sent in June 2019 by the CPS in response to an enquiry from a member of the public about the status of a criminal investigation in which Mr Driver, who is a well-known figure in local politics in Lancashire, was a suspect. The email did not name the Mr Driver but said “A charging file has been referred from the Operation Sheridan investigation team to the CPS for consideration”. The email was then circulated six months later to a number of recipients, some of whom were political opponents of Mr Driver, by the member of the public who is described as appearing that he “may have had an axe to grind about the Claimant because of an unrelated matter”. It was also copied to Mr Driver, which is how it came to his attention. Mr Driver claimed that he had suffered significant distress as a result of the CPS email and sought damages not exceeding £2,000.
The facts of this case are rather unique, given that there was already significant information in the public domain about Operation Sheridan. Whilst the judge held that there had been a breach of various data protection principles, including the first data protection principle (lawful processing) as the CPS had not proved that the processing was necessary, he was not convinced that the distress caused warranted the damages sought. In particular, he rejected Mr Driver’s “evidence that it represented some fundamental sea-change in the complexion or likely outcome…, such that it could reasonably or properly have caused him anything like the anguish which he claimed”. Also, no medical evidence was presented to show that the distress was linked to the email as opposed to Mr Driver having been under police investigation for a considerable period of time.
Mr Driver’s claim for misuse of private information also did not succeed since it was held that he had “failed to show that he objectively had a reasonable expectation of privacy in relation to the relevant information”. This is because “the CPS email ….added little or nothing to that which was already known” as a result of the earlier widespread reporting.
The judgments can be found here: Driver v Crown Prosecution Service  EWHC 2500 (KB) (10 October 2022) (bailii.org), Cleary v Marston (Holdings) Ltd  EWHC 3809 (QB) (25 November 2021) (bailii.org), Lloyd -v- Google judgment (judiciary.uk) and Lloyd (Respondent) v Google LLC (Appellant) (supremecourt.uk)