Tag Archives: Compensation

Compensation for identifiable third parties following a data breach

The subject of data protection has, once again, been visited by the England and Wales Court of Appeal. At the end of last week the Court (Gross LJ, McFarlane LJ and Coulson LJ) gave its judgment in an appeal brought by the Secretary of State for the Home Department and the Home Office against a decision of the England and Wales High Court in which it was found liable to three members of a family following a data breach.

The Factual Background
The facts as found proved by the court at first instance are more fully set out in the judgment of Mitting J ([2016] EWHC 2217 (QB)), but they can be summarised for the purposes of this blog post in the following way.  The case concerns three members of a family TLT, TLU and TLV. TLT and TLU are married (but have different surnames) and TLU is the teenage son of TLT (sharing the same surname). In 2010 the family lawfully arrived in the United Kingdom. They claimed asylum. They were also jointed by an older child who was, in 2010, 17 years of age. Upon turning 18, he applied for asylum in his own right. His application fro asylum was rejected and he was returned to Iran in 2012. TLT and TLU heard from relatives in Iran that upon his return to Iran their son had been detained and tortured and subsequently released after paying a bribe.

On 15th October 2013 the Home Office suffered a data breach when it accidently published more information than it had intended to concerning the family return process. It had intended to publish the statistics contained in the first sheet of a spreadsheet, but not the underlying data that was contained in a second sheet. The error was discovered on 28th October 2013 and the spreadsheet was immediately removed from the internet. It was discovered that by the time the spreadsheet was removed at least one unknown individual had downloaded and saved the spreadsheet.

In November 2014 a person who had downloaded the page and the spreadsheet from the UK Border Agency’s website uploaded the spreadsheet onto a US website; this was later removed on 18 December 2013.

The personal data of TLT was included within the spreadsheet; in particular it included both his forename and surname, his nationality (Iranian), his date of birth and age. It also noted that “assisted return” was being pursued and stated that the removal case type was “Family with Children – Voluntary”. It further acknowledged that asylum had been claimed.

In March 2014, TLU received some communications from a family member in Iran. These communications advised that the Iranian authorities had detained another member of TLU’s family and questioned them about “you”. It was said that the authorities in Iran claimed to have documentation showing that TLT and his family had claimed asylum.

The issues on appeal
There were three issues on appeal:

  • Did the spreadsheet in question contain the private and/or confidential information?
  • Did the spreadsheet contain personal data of which TLU and TLV were the data subjects?
  • Even if the information in the spreadsheet did not contain the personal data of TLU and TLV, are they entitled to damages for the distress they have suffered under section 13 of the Data Protection Act 1998 in any event?

The first issue
This issue amounts to a common law tort in English law. At para 28 of the judgment of the Court of Appeal Gross LJ said that “this issue is short, straightforward and essentially one of fact.” Gross LJ had “no hesitation in concluding that the Home Office’s publication of the spreadsheet misused TLU’s and TLV’s private and confidential information.” [31] TLT was the lead family claimant and the detailed nature of the information concerning TLT as such meant that TLU and TLV “could readily be identified by third parties” and that they “had a reasonable expectation of privacy and confidentiality in respect of their information in the spreadsheet.” [31]

The second Issue
In terms of section 1 of the Data Protection Act 1998, personal data was defined as meaning “data which relate to a living individual who can be identified (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.” The Data Protection Act 1998 was the domestic vehicle through which the United Kingdom implemented is obligations under Directive 95/46/EC (which has, of course, now been replaced by the General Data Protection Regulation, but is still relevant for the purpose of this case as that was the law in force at the time). Recital 26 of the Directive noted that the “principles of protection” should take account “of all the means likely reasonably to be used either by the controller or by any other person to identify the” data subject.

In the present case, limb (b) of the definition of personal data was met in relation to TLU and TLV. The Home Office had argued that the information contained in row 1101 of the spreadsheet (which concerned TLT) did not “relate to” TLU and TLV. This was rejected by the court with reference to the statutory language. [39]

The Home Office had also sought to rely on Durant v Financial Services Authority as a means of trying to limit the scope of personal data (and therefore its liability) in this case. However, Gross LJ held that Durant, when properly applied, “powerfully reinforces the case for TLU and TLV” [44] and that Auld LJ was simply stating “a broad, practical working assumption.” [42] There was nothing within Durant that enabled the Court to depart from the conclusions that they must reach in light of the decision by the Court of Appeal in Vidal-Hall v Google and the Supreme Court in Common Services Agency v Scottish Information Commissioner

Third Issue
In the circumstances, this issue did not arise and the court felt it best to leave resolution of it “to a case where a decision is required” on it. [48]

Comment
The appeal was therefore dismissed by Gross LJ on all three issues that were raised and McFarlane LJ and Coulson LJ simply agreed adding no further comments of their own.

This is an interesting, but not unexpected, decision from the Court of Appeal which will be binding on all lower courts in England and Wales and will be persuasive in Scotland. It is difficult to find fault with the approach taken by the Court of Appeal or the judge at first instance; indeed, this is very much the view of the Court of Appeal. It does make it clear though that it will be possible for data subjects not directly referred to within the compromised data arising out of a data breach to sue for damages in certain circumstances. The first instance case had become an important case when such situations arose and now that the Court of Appeal has confirmed the approach adopted by the first instance judge it is likely that we will see more claims of this nature being made.

The circumstances in the present case are fairly clear-cut, but not all situations where liability might arise will be as clear-cut. The GDPR is not going to have any real impact upon this position; the definition of personal data essentially adopts the same two-stage test as was to be found within section 1 of the Data Protection Act 1998. Therefore this pre-GDPR case will continue to be instructive in the post-GDPR world we now inhabit.

Alistair Sloan

If you require further information in relation any data protection or privacy law matter then please do contact Alistair Sloan on 0141 229 0880 or by E-mail. You can also follow our dedicated information law account on twitter for news and updates concerning data protection, privacy and freedom of information.

Nefarious Endeavours and Vicarious Liability for Data Breaches

Last week I highlighted the important decision handed down by Mr Justice Langstaff sitting in the English High Court in the case of Various Claimants v WM Morrisons Supermarket PLC  [2017] EWHC 3113 (QB).  In that blog post I stated that the judgment was lengthy and would take some time to properly read and digest and that I would cover the judgment in much more detail in due course.  It has indeed taken some time to read and digest, but I am now in a position to bring readers a much more in-depth consideration of the judgment.

The facts sitting behind the Morrisons decision are stark.  An employee of the Defendants, Andrew Skelton, ran a business on the side.  His business was connected to the slimming industry and involved him sending a perfectly legal drug, which was in the form of a white powder.  On 20th May 2013, Mr Skelton left a pre-paid package with Morrisons’ mail room which contained this white powder.  While the package was being handled by staff in the mail room it burst open and some of the contents spilled out.  This triggered a process within Morrisons that could have resulted in the mail room being closed; however, that was not necessary.

Mr Skelton was eventually disciplined by Morrisons in connection with this incident.  He had committed no criminal offences in connection with the incident:  the drug was perfectly legal and he had paid for the postage himself.  However, Morrisons decided that his conduct was not in keeping with their values and issued him with a verbal warning.  Mr. Skelton disagreed with this sanction and utilised the company’s internal appeals process to appeal the disciplinary decision; that appeal was unsuccessful.  Mr Skelton took exception to the way in which we was treated and began to embark upon a criminal enterprise which was designed to damage the Defendants.

Mr Skelton was employed as an IT internal auditor within Morrisons.  This meant that he was highly literate in IT and also meant that he had access to personal data.  It is not necessary to go into the facts in much more detail.  It is suffice to say that in the course of his employment with Morrsions, Mr. Skelton lawfully processed personal data which had been extracted from the company’s payroll software.

As part of his nefarious endeavour, Mr. Skelton made a personal copy of the personal data and proceeded to post it onto the internet in January 2014.  By this time, Mr. Skelton had left Morrisons (having resigned).  By March 2014, the fact that vast quantities of personal data from Morrisons’ payroll software had been posted onto the internet had not been discovered.  Mr. Skelton then, anonymously, sent a CD of the personal data to a number of local newspapers including a link to where the personal data had been posted.  One of the local newspapers altered Morrisons to the publication of the personal data and Morrisons took steps to have it removed and to investigate matters.

Ultimately, Mr. Skelton was arrested and charged with various offences under both the Data Protection Act 1998 and the Fraud Act 2006.  He was later convicted and sentenced to a period of imprisonment.  With that context now set out, it is time to turn to the civil claim brought by over 5,000 of the affected data subjects against Morrisons.

The claimants effectively argued two primary positions:  (1) that Morrisons was directly liable for the breach arising out of its own acts and omissions; and (2) alternatively, that Morrisons was vicariously liable in respect of Mr. Skelton’s actions.

In advancing the case for primary liability, Counsel for the Claimants argued that Morrisons was at all material times the data controller of the payroll data which Mr. Skelton had misused for his criminal enterprise.  This argument was repelled by Langstaff J.  Mr Justice Langstaff concluded that by taking it upon himself to decide that he was going to copy the personal data and place it on the internet, Mr. Skelton had put himself into the position of deciding what personal data would be processed and the purposes for which it would be processed.  Mr. Skelton was therefore the data controller, not Morrisons.  It was therefore Mr. Skelton’s actions that were in breach of the Data Protection Principles rather than the actions of Morrisons.

The rejection of the primary liability then brought Mr Justice Langstaff onto the question of secondary liability.  Could Morrisons be held as being vicariously liable for the actions of Mr. Skelton, and if so, were they vicariously liable for the actions of Mr. Skelton?  Mr Justice Langstaff decided that Morrisons could, and indeed were, vicariously liable for the actions of Mr. Skelton in publically disclosing the Claimants’ personal data on the internet.  In reaching this conclusion, Mr Justice Langstaff has seemingly reached two contradictory conclusions:  that Mr. Skelton was acting independently of Morrisons (thus making him a data controller in his own right) while at the same time holding that Mr. Skelton was acting in the course of his employment (thus opening the door for viacarious liability to attach to Morrisons).  These are not necessarily easy to reconcile and as a consequence it may well end up in the Court of Appeal (or indeed, possibly even the Supreme Court) in due course.  Morrisons have, as I previously noted, been granted permission to appeal the vicarious liability finding to the Court of Appeal by Langstaff J.

The Defendants essentially attacked the vicarious liability position using a three pronged approach.  First, they argued, that the statutory scheme of the Data Protection Act 1998 excluded the possibility of there being vicarious liability at common law.  Their second prong was very much based upon the premise of their first:  they argued that if the statute impliedly excluded vicarious liability, it would not be constitutionally possible for the courts to impute such liability into the scheme.  The third prong of their attack was based on Mr. Skelton acting as his own independent data controller.  If he was so acting, the Defendants argued; then he could not also be acting in the course of his employment such as to make Morrisons vicariously liable for his actions.

Langstaff J, in holding that Morrisons were vicariously liable, looked closely at the timeline of events which had occurred.  Mr Justice Langstaff took the view that “what happened was a seamless and continuous sequence of events” [para 183].  The actions of Mr. Skelton as an independent data controller were sufficiently linked to his employment at Morrisons so as to have the result of Morrisons being vicariously liable for his actions as an independent data controller.

It is clear from paragraph 196 of the judgment that Langstaff J was troubled by the conclusions that he had reached.  One point was singled out for particular attention as the one which “most troubled” him; that was that by finding Morrisons as being vicariously liable he had in effect assisted Mr. Skelton in his criminal endeavours.  The ultimate aim of Mr. Skelton’s nefarious activities was to cause harm to Morrisons; a finding of vicarious liability for the distress caused by the data subjects opens up the possibility that each and every single one of those affected will seek compensation from Morrisons.  Even if the payments to each data subject are low; if they end up having to be made to the approximately 10,000 employees who were affected the financial burden to Morrisons is not going to be insignificant.  That will represent a harm caused to Morrisons; perhaps harm that was not envisaged by Mr. Skelton when he started upon his nefarious activities; however, it is a harm that will be suffered by Morrisons arising.   The ultimate aim of Mr. Skelton’s nefarious activities was to cause harm to Morrisons; a finding of vicarious liability for the distress caused by the data subjects opens up the possibility that each and every single one of those affected will seek compensation from Morrisons.  Even if the payments to each data subject are low; if they end up having to be made to the approximately 10,000 employees who were affected the financial burdern to Morrisons is not going to be insignificant.

It remains to be seen whether Morrisons will appeal the judgement; they already have permission to take the matter to the Court of Appeal.  Of course, the judgment of Lansgatff J is not binding upon any court in Scotland; however, it will likely be considered as persuasive authority in both the Sheriff Court and the Court of Session.  Data Controllers in Scotland should pay as much attention to the case as those based in England and Wales.

Alistair Sloan

If you would like to discuss an issue related to data protection, or any other information law matter, then contact Alistair Sloan on 0345 450 0123.  Alternatively, you can send him an E-mail.

Vicarious Liability in Data Protection Law

This Morning Mr Justice Langstaff, sitting in the High Court of Justice, handed down a judgment in the case of Various Claimants –v- Wm Morrisons Supermarket PLC [2017] EWHC 3113 (QB).  In March 2014 the Defenders, Morrisons, revealed that its payroll data for the majority of its staff had been stolen.  The data which had been taken had been published online on a file sharing website earlier that year; it was discovered in March when copies of the data were sent anonymously to three newspapers together with a link to the online published version. The investigation that followed resulted in Andrew Skelton, formerly a senior Manager with the company, being convicted of fraud at Bradford Crown Court in 2015.  Mr Skelton was sentenced to eight years’ imprisonment.

In total around 100,000 of the Defenders’ 120,000 employees were affected by the actions of Mr Skelton.  Of those, 5,518 employees raised proceedings in the High Court claiming compensation for a breach a statutory duty (under the Data Protection act 1998) and also at common law.  The Claimants’ primary position before the court was that the Defenders were directly liable.  However, they argued that, in the alternative, the Defenders were vicariously liable.

In a judgment which is 59 pages long and contains 198 paragraphs, Langstaff J, dismissed the direct liabiality argument; however, found that the Defenders were vicariously liable.  This is an important judgement in the field of privacy and data protection and it is one that employers should certainly be aware of.  The court has found a data controller liable to the claimants arising out of a criminal enterprise by one of their employees.  It is certainly worthy of much fuller analysis and I will provide such an analysis on this blog in due course; however, it is a lengthy judgment and it will take some time to properly read and digest.

It should be noted that this may not be the end of this litigation; Morrisons have been given permission by Langstaff J to appeal the finding on vicarious liability to the Court of Appeal if they so wish.  We await to see whether Morrisons decide to appeal the decision.

Alistair Sloan

If you would like advice or assistance in connection with Data Protection/Privacy, or if you would like advice and assistance with any other Information Law matter we would be pleased to hear from you. You can contact Alistair Sloan on 0345 450 0123.  Alternatively, you can send him an E-mail.

Compensation in Data Protection law

Section 13 of the Data Protection Act 1998 makes provision for a data subject to raise court proceedings for payment of damages where there has been a breach of the Data Protection Act 1998 which has caused them damage and/or distress.  The provisions in Section 13 have not been used as often as they might otherwise have; this may have been partly down to the way in which the legislation was initially drafted, but that was rectified (in England, at least) by the English Court of Appeal in Google Inc v Vidal-Hall and ors [2015] EWCA Civ 311.

The General Data Protection Regulation, which is due to become applicable in the UK from 25th May 2018, makes provision for data subjects to obtain compensation from controllers and processors in Article 82.  The right is for “any person who has suffered material or non-material damage as a result of an infringement of [the GDPR]” to be compensated.  Clause 159(1) of the Data Protection Bill (which is still in the early stages of the parliamentary process), provides that this “includes financial loss, distress and other adverse effects.”

A Data Subject is not limited to claiming compensation from the controller.  The GDPR provides that a processor will “be liable for the damage caused by processing only where it has not complied with the obligations…specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.”

Article 82(3) of the GDPR introduces a defence to such a claim for compensation, but it is an exceptionally high test.  No liability arises where the controller or processor “proves that it is not in any way responsible for the event giving rise to the damage.”  The burden of proof falls on the controller or process and liability attaches even where the processor or controller is responsible for the event causing the damage in the most minor of ways.

The terms of Article 82(3) create joint and several liability for controllers and processors.  In a situation where multiple controllers and/or processors are all partially responsible for the event giving rise to the damage; the data subject could elect to sue any one of them (or indeed, all of them).  Where the data subject elects to sue just one controller/processor who is responsible, controller/processor is entitled to recover from the other controllers/processors “that part of the compensation corresponding to their part of responsibility for the damage.”

Where the data subject elects to sue more than one controller/processor then Recital 146 of the GDPR explains that, in accordance with Member State law, compensation may be apportioned by the court according to the responsibility of each controller or processor for the damage caused by the processing.

The GDPR does not stipulate any maximum amount of compensation that can be awarded to data subjects; however, Recital 146 of the GDPR explains that data subjects should receive full and effective compensation for the damage they have suffered.  Quite what “full and effective compensation” mean is something that will be worked out as the courts grapple with the new provisions.  There have been almost no published decisions from the Scottish courts in respect of claims for compensation under Section 13 of the Data Protection Act 1998, but where there have been decisions the compensation awarded has not been particularly high.  For example, Sheriff Ross awarded the each of the Pursuers £8,364 in Woolley v Akbar [2017] SC Edin 7.  That case concerned the use of CCTV at private dwellings and the compensation figure was calculated on a nominal rate of £10 per day that the Defender was in breach of the Act.

The GDPR only applies to processing of personal data in areas which are within the competence of the European Union; however, the Data Protection Bill extends the scope of the GDPR to areas beyond the competence of the European Union.  Clause 160 of the Bill provides for compensation where it cannot be claimed under Article 82 and the clause mirrors the terms of Article 82.

In Scotland both the Sheriff Court and the Court of Session will have jurisdiction to hear claims under Article 82 of the GDPR and Clause 160 of the Data Protection Bill (as is the case with claims under Section 13 of the Data Protection Act 1998).  In practice it is likely that the vast majority of claims will be heard in the Sheriff Court given that it is unlikely that any claim will exceed £100,000 and will therefore be within the privitive jurisdiction of the Sheriff Court.  However, with the advent of Group Proceedings (see Section 17 of the Civil Litigation (Expenses and Group Proceedings) (Scotland) Bill [pdf]) it is possible the Article 82 claims will end up the Court of Session as the Bill only provides for a group proceedings procedure in the Court of Session.

Those who process personal data should be aware that the right of a data subject to claim compensation, whether that be under the Data Protection Act 1998, the GDPR or the Data Protection Bill (when it becomes an Act), arising out of a data protection breach is in addition to any enforcement action that the Information Commissioner takes, such as the issuing of an administrative fine.

Alistair Sloan

If you would like to pursue a claim for compensation for a data breach, or if you require to defend such a claim; or if you would like advice and assistance with any other Information Law matter we would be pleased to hear from you. You can contact Alistair Sloan on 0345 450 0123.  Alternatively, you can send him an E-mail.