Shockwaves of the Vidal-Hall case reach Greater Manchester Police
August 11, 2016
By David Cook
It seems that we are at the end of a two year battle that has concluded with Greater Manchester Police (GMP) paying out the princely sum of £75,000 to a claimant on the basis that the police force breached her privacy, which is said to be one of the largest payments made by a force in a case of this nature.
Consideration of the basis of the claim and its context actually tells us a great deal about the “current state of play” and where we are headed.
It appears from media reports that the claimant was a victim of domestic abuse and, while agreeing to GMP referring to her case in a duly anonymised manner and in only general terms, GMP used her case as an example in training sessions and specifically: (i) revealed her full identity; (ii) referred to her medical history; and, (iii) played a recording of her distressed 999 call.
Basis of the claim
The core of the claim was that personal information had been revealed without her consent and that this had been distressing for her and had caused her psychiatric harm.
It appears from media reports that the claim was made on the basis of the misuse of private information, the breach of confidential information and of a breach of the Data Protection Act 1998 (DPA).
- Misuse of private information and breach of confidence
Article 8 of the European Convention on Human Rights protects a person’s right “to respect for his private and family life, his home and his correspondence”. This convention right has been voiced in the law of England and Wales largely through the cause of action of misuse of private information.
This cause of action was developed by the House of Lords in the case Naomi Campbell –v- Mirror Group Newspapers Limited  UKHL 22 in which Lord Hoffman acknowledged the development of the law, in that “it focuses upon the protection of human autonomy and dignity - the right to control the dissemination of information about one's private life and the right to the esteem and respect of other people”.
In considering a claim of this nature, the Courts tend to use a two stage test: (i) is there a reasonable expectation of privacy; and, (ii) do those privacy rights outweigh the other parties rights to impart that information or of the audience’s rights to receive it?
Of course, the answer to both parts of the two stage test is in the affirmative and it is therefore fairly easy to see how it was felt that misuse of private information had occurred. GMP also owed the claimant a duty of confidence in respect of that information, which had evidently been breached. Indeed, GMP admitted this early on, but argued that she had not suffered distress or loss as a result and was therefore not entitled to damages.
The DPA is fairly clear on this issue. Given that the person was identifiable from the information used in the training sessions, it was personal data covered by the DPA. Indeed, elements of the information relating to her medical history and distress during the 999 call are likely to have also been sensitive personal data under the DPA, which is a category afforded greater protections.
The core principles of the DPA, set out in Schedule 1 to the legislation, make it clear that personal data shall be processed fairly and lawfully and the processing of the personal data by GMP, not only without the person’s consent but with the person having explicitly asked them not to, is untenable.
Again, GMP conceded early on that they had breached the DPA, but the issue was one of whether she had suffered distress or loss such that a compensatory payment for damages was due.
- Recent developments in case law
In this context, the case of Google Inc –v- Judith Vidal-Hall (and others)  EWHC 13 (QB) (the Vidal-Hall case) is significant.
It was held in the Vidal-Hall case that: (i) the misuse of private information is definitively considered a tort; and, (ii) damages for a breach of the DPA could include non-pecuniary damage.
Prior to this case, the position was that damage for distress could only be recovered if financial damage had been suffered. It appears that this is the issue that GMP was hanging its hat on and it is this element that had limited the impact of the DPA on privacy law in general terms.
The judgment in the Vidal-Hall case really did signal a change in the Court’s approach to privacy cases of this nature. However, the shockwaves potentially triggered by that change was buffered by Google applying to the Supreme Court to appeal the judgment. On 30 June 2016, Google withdrew that appeal and the judgment in the Vidal-Hall case therefore stands.
Privacy landscape and the future
The potential repercussions of the Vidal-Hall case is demonstrated through the fact that around six weeks after the appeal was withdrawn, GMP settled this case through the largest pay-out ever made by a police force for a privacy breach.
We are in the midst of a changing landscape in privacy law, and those that breach in this way look likely to be skewered on the two pronged fork provided by legislation and case-law.
- The General Data Protection Regulation empowers data subjects through a harsh regime for which a breach can impact in three ways: (i) mandatory disclosure to the regulator and, in certain circumstances, to data subjects; (ii) regulatory financial penalties of up to 4% of annual worldwide turnover; and, (iii) the availability of data subjects to claim compensation (including through class action) for distress caused by a breach.
- The Vidal-Hall case demonstrates that the Courts are also seeking to empower citizens through themselves shaping the law to allow for claims by data subjects in wider circumstances than was previously the case.
The landscape is shifting for data privacy and those that process personal data are sure to be in for a rough ride if they act in a way that is non-compliant. It will be interesting to see if this GMP case signals the floodgates having been smashed open following the withdrawal of the appeal in the Vidal-Hall case.