In January 2017, Buzzfeed News published an online article headlined "These Reports Allege Trump Has Deep Ties to Russia". The underlying source material for this article became known as the 'Trump-Russia dossier' or the 'Steele dossier', so-called because Christopher Steele, a former MI6 officer, was understood to be the sole author.

Three individuals named in the dossier subsequently raised a claim for a breach of the data protection legislation against Orbis Business Intelligence Limited, the company that was instructed to prepare the dossier. The dossier alleged that the three individuals did favours for President Putin, gave him informal advice on foreign policy and used a 'driver' and 'bag carrier' to deliver large amounts of illicit cash to President Putin when he was deputy mayor of St Petersburg.

The High Court of England and Wales has recently found in the claimants' favour and awarded them damages for distress (see here for the judgment).

What was unusual about this claim?

The judge noted that the UK's data protection legislation is complex and technical, and that it has been likened to a "thicket". The judgment in this case is equally long and complex and addresses many aspects of the data protection legislation.

Although this claim was brought under the relevant data protection legislation, the subject matter was similar to a claim for defamation. The damages awarded were also higher than those previously awarded for cases involving personal data breaches. Accordingly, the focus of this article is on the judge's adoption and alignment of the principles that apply to the law of defamation and those of data protection law; and the entitlement to, and assessment of, damages.

What is personal data?

The parts of the dossier that the claimants took issue with did not mention them by name. However, their position was that the sentences should not be read literally. Instead, the words should be given their natural and ordinary meaning, read in the proper context of the whole document. Orbis had argued the focus should be on the items of information and, specifically, the items of data, rather than on the document in the round. In other words, each item of personal data should be dealt with and considered discretely. The judge characterised these rival approaches as 'holistic' and 'atomised'.

Rejecting Orbis' atomised approach, the judge said: "In my judgment, the holistic approach is consistent with principle and authority, and the right approach to the facts of this case." This is because the dossier is a report and not a bare list of separate and discrete propositions so it would be artificial to read any individual sentence in isolation.

Are damages for reputational harm recoverable?

The judge considered that damages were recoverable, pointing to the Court of Appeal's decisions in Vidal-Hall v Google Inc [2015] EWCA Civ 311 and Lloyd v Google LLC [2019] EWCA Civ 1599 (see here for our update on that case). The former provides that 'damage' is not confined to material loss so compensation for distress is recoverable in any case. The latter provides that compensation is recoverable for a contravention that interferes with the data subject's control over their data, even if this does not cause material damage or distress.

Therefore, the judge concluded that "if, as the authorities make clear, damage is not limited to material loss, it seems hard to exclude [damage for reputational harm] as a matter of principle", and that "in a case such as this, where the inaccurate information is seriously defamatory, that seems right".

How should the level of damages be assessed?

The judge said the approach to the assessment of damages should follow established common law principles, and that meant following the law of defamation. He said: "The principles that apply in respect of the identification of recoverable loss, aggravation, mitigation, and the assessment of damages in this area are to be found in the law and practice of defamation. To adopt any other approach would lead to incoherence in the law."

Accordingly, despite the "moderating effect" of the judgment on any harm caused, the judge awarded each claimant compensation of £18,000.

Comment - should defendants 'Steele' themselves for future claims?

At first glance, the judgment appears unusual because the judge champions the alignment of the legal principles of defamation and data protection. However, the judge had previously adopted this approach in the case of NT1 v Google LLC [2018] EWHC 799 (QB), where he applied a familiar principle from the law of defamation - to work out the meaning, the document must be viewed in the round.

Defendants should be alert to the fact that, according to this judge, the courts are free to award damages for reputational harm in claims that are only brought under data protection legislation, as opposed to in conjunction with a claim for defamation.

The judge's reasoning as to why a sum of £18,000 was appropriate is not clear. It is also significantly higher than the level of damages awarded in comparable cases for distress following a personal data breach. This uncertainty is unhelpful because it means that settling claims early may be more difficult, leading to more expense or even litigation.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.