Aven v Orbis – Man of Steele or a new hybrid in defamation and data protection claims?
The last few years have seen a number of pretty seismic developments in the field of media law, starting with the coming into force of the Defamation Act 2013. It introduced the new requirement of “serious harm” to at least be likely before a defamation claim could be brought in the UK courts. Against the backdrop of a number of court decisions fleshing out exactly what “harm” and evidence to demonstrate it is required to being a successful claim, the number of defamation claims issued dropped over a number of years until a recent resurgence, largely driven by disputes involving allegations made via social media.
In the meantime, however, a number of landmark damages claims based on breaches of Data Protection law and the coming into force of the General Data Protection Regulation (“GDPR”) and the Data Protection Act 2018 have served to make it easier for aggrieved parties to bring a civil data breach claim. Although damages awards in relatively small number of data breach claims which have made it to court remain relatively modest, the spectre of the data breach “Class Action” still looms large over Data Controllers up and down the UK, and claimant law firms are already running several group claims which may yet help to clarify (at least in general terms) the level of damages which the Court will award for what may be seen by many as fairly trivial misuses of personal data. In particular, the Supreme Court limited Morrisons’ exposure to a damages claim based upon the misconduct of a former employer and may yet do the same when it deals with Google’s appeal over a group action based on misuse of browser-generated data in the delivery of digital advertising.
Data breaches have, as a result, become a viable method of pursuing compensation where defamation claims may potentially be more difficult to pursue (particularly where the underlying information is true). The court has been prepared on a number of occasions to treat the issues that arise in cases involving a breach of data protection law via the processing of inaccurate personal data relating to a claimant in a similar, if not the same, manner as they would an unjustifiable defamatory allegation designed to affect the claimant’s reputation. More often than not, a data protection claim is pursued at the same time as a defamation claim and based on the same facts – in fact, the court has gone so far as to explicitly state that there is no reason in principle why data protection claims can’t be linked to defamation claims and even provide an alternative means of redress, provided that these cases are carefully managed.
That said, several current claims are still based on contraventions of the previous Data Protection Act 1988, as clarified by the decision in Vidal-Hall v Google Inc.  EWCA Civ 311, which first opened the door to claims relating to “non-material” loss such as distress caused by a data breach as opposed to specific financial or physical loss. The GDPR has since served to reflect the court’s judgment in Vidal-Hall and a number of other significant decisions by enshrining a claimant’s statutory right to seek compensation for such “non-material” damage, with the fear that doing so would unleash a flood of low-value, high-cost civil data breach claims and create a huge potential financial burden on Data Controllers.
This general background brings us to the specific, and fascinating, case of Aven, Fridman & Khan v Orbis Business Intelligence Limited  EWHC 1812. It’s not just a case of legal significance but one with a wider political dimension as it deals with the now-infamous “Steele Dossier”, compiled by the defendant during its investigations into whether or not there were any links between the Russian Government, President Vladimir Putin and President Donald Trump. The Dossier set out a number of findings, including several which included what the claimants alleged was inaccurate personal data relating to them which had been unfairly and unlawfully “processed” by way of inclusion. As a result, the claimants pursued a claim in damages for distress pursuant to the 1998 Act and other remedies, including an order for rectification by way of correction of the allegedly inaccurate contents of the Dossier.
In its judgment, the High Court found that one of Orbis’ allegations in the Dossier, specifically relating to an alleged delivery of illicit cash to Vladimir Putin, was inaccurate. As such, its inclusion in the Dossier without Orbis having taken any reasonable steps to validate and verify the claim which would have supported their position constituted a breach of the Fourth Data Protection Principle (which required any personal data “processed” by the relevant Data Controller to be accurate). As such, the claim was that Orbis had processed the claimants’ personal data in an unfair and unlawful manner, breaching the First Data Protection Principle in the 1998 Act. As a result, Messrs Aven and Fridman were awarded £18,000 each as compensation for distress suffered as a result of Orbis’ Breach, along with a limited order for rectification. However, the court also found that no other breaches of the 1998 Act had been established by the claimants.
Of particular interest is the fact that the damages awarded in this case were not confined to material loss, as per Vidal-Hall, and the Court’s confirmation that compensation for distress was recoverable by the claimants in any event, which could in principle include compensation for “reputational harm”, only usually recoverable via a defamation claim. Similarly, given the fact that these particular claimants were of “robust character, not given to undue self-pity”, the award was relatively low and arguably sets a “ceiling” for similar claims brought under the GDPR and 2018 Act, although this judgment is particularly fact-sensitive, involving disclosure which the Defendant sought to justify on the basis of national security concerns and based on an extraordinary set of circumstances.
Similarly, in deciding whether or not the personal data processed by Orbis relating to the claimants was accurate, the court relied on a framework of principles based on existing defamation, as opposed to data protection, law. Facts within the Steele dossier were separated from opinions (as would be the case in a defamation claim where a defence of honest opinion was relied upon) and the various “Chase” levels of defamatory meaning (grounds to investigate, grounds to suspect and guilt) were applied(which have a direct bearing upon the amount of damages awarded to a successful claimant based on the perceived seriousness of the allegation).
In particular, the care which Mr. Steele had taken to verify the allegations within the Dossier over and above relying on a single source was a key issue, even where other allegations had been more rigorously checked. Most of the Dossier’s conclusions were found to be reasonable in its wider context, containing general, credible and less-significant allegations than that of the illicit payment justifying the Court’s decision.
Although case law on the amount of damages to be awarded for non-material distress claims as a result of an breach of the GDPR and/or 2018 Act remains sparse at best(hence the reason why this case is potentially particularly significant) it remains to be seen exactly what long-term effect the judgment in Aven v Orbis will have in the mid-to-long term. In particular, although the damages award of £18,000 may have been relatively easy to justify in a defamation context based on the allegations in dispute, the lack of detail as to how it could be justified in a data protection context may serve to water down its impact.
This is, as referred to above, a very specific case dealing with a very specific set of allegations, and while the use of defamation principles (which deal with damage to reputation) as opposed to creating unique principles applicable to unlawful processing of personal data may have avoided raising the generally-accepted high watermark in data breach damages for the time being, a more “vulnerable” claimant may yet recover a significantly higher award in damages for processing of inaccurate data or other breaches of the Data Protection principles. What is clear, however, is that civil Data Breach claims brought by Data Subjects who are more aware of their rights, the operation of the various Data Protection Principles and the availability of remedies when they are breached will continue to be pursued, in greater numbers and potentially involving higher awards in damages for both damage to reputation as well as distress and “loss of control” of their Personal Data. The genie is unlikely to be put back in this particular bottle for some time to come.