Smeaton v Equifax Plc

The Court of Appeal allowed Equifax's appeal against HHJ Thornton's judgment. The judge below had held that Equifax breached the Data Protection Act 1998 (in particular the fourth data protection principle) by failing to ensure the accuracy of bankruptcy data on the respondent's credit file, had found a co-extensive duty of care in tort, and had concluded that those breaches caused Ability Records to be unable to obtain finance in or after mid-2006. The Court of Appeal found that (1) Equifax obtained reliable bankruptcy information from the London Gazette and used accepted industry procedures; (2) the statutory and regulatory framework meant CRAs were not under an open-ended duty to discover rescission orders (rescission need not automatically be notified to the Insolvency Service or gazetted); (3) it was unrealistic to require CRAs to lobby for changes to primary or subordinate legislation as part of the content of the data-accuracy duty; and (4) the causation finding was unsupported by the evidence because multiple adverse entries on the credit file (and not solely the rescinded bankruptcy entry) explained the refusals. The appeal court therefore reversed the judge's findings on the content of the DPA duty as applied here, on the existence of a co-extensive tort duty, and on causation.

Background and procedural posture:

• The claimant, Mr Keith Smeaton, brought proceedings after Equifax retained an inaccurate entry on his credit file recording a bankruptcy order that had been rescinded. The claim advanced at trial consisted of (i) compensation under s.13 of the Data Protection Act 1998 for damage and distress and (ii) damages in tort for breach of a common law duty of care.
• The hearing before HHJ Anthony Thornton QC was confined to three issues: whether Equifax breached the DPA, whether Equifax owed a duty of care in tort and the content of that duty, and whether any breaches caused Ability Records to be unable to obtain finance in or after mid-2006. The judge answered those issues in the claimant’s favour. Equifax appealed to the Court of Appeal.

Facts:

• A bankruptcy order had been made against Mr Smeaton in March 2001 and was rescinded by a consent Tomlin order on 22 May 2002. Equifax had placed the bankruptcy entry on Mr Smeaton’s credit file after obtaining the London Gazette advertisement. The rescission was not, in the ordinary course, automatically notified to CRAs; until 2008 CRAs obtained bankruptcy data primarily from Gazette advertisements, not from an automatic feed from the Insolvency Service.
• In June and August 2006 Mr Smeaton was refused banking services and a Small Firms Loan Guarantee application; the refusal letters referred to adverse data on his credit file. Equifax corrected the bankruptcy entry promptly after being provided with the rescission order copy in July 2006. The claimant alleged wide-ranging losses attributable to Equifax’s retention of inaccurate data.

Issues framed by the Court of Appeal:

• Whether Equifax contravened the DPA (in particular the fourth principle) by failing to take reasonable steps to ensure accuracy of its data;
• Whether a common law duty of care existed co-extensive with the statutory obligations;
• Whether the breaches (if any) caused the company to be unable to raise finance in or after mid-2006.

Court’s reasoning and conclusions:

• On the DPA duty: the court emphasised paragraph 7 of Part II of Schedule 1 to the DPA which requires consideration of whether reasonable steps were taken by the data controller. The court held Equifax used authoritative public sources (the London Gazette), uploaded data accurately, amended records promptly when notified, and adopted the later electronic feed as soon as it became available in 2008. The court concluded Equifax had taken reasonable steps and the judge below erred in holding otherwise or in requiring Equifax to seek statutory change.
• On a tort duty: the Court of Appeal rejected the judge’s conclusion that a common law duty of care arose co-extensive with the statutory obligations. The court explained one cannot derive a common law duty simply from a statutory duty and that imposing an indeterminate tort liability on CRAs would be inappropriate given the comprehensive statutory and regulatory frameworks (DPA, Consumer Credit Act, guidance) governing CRAs.
• On causation: the court found the judge’s conclusion that the bankruptcy entry alone caused the refusals and prevented subsequent attempts to obtain finance was unsupported by the documentary and other evidence. There was material adverse data other than the bankruptcy entry. The court found the causation finding to be untenable and too remote (and a break in the chain of causation for the claimed subsequent extensive harms).

Remedy and wider points:

• The Court of Appeal allowed Equifax’s appeal, answered the three trial questions in Equifax’s favour, and concluded the High Court claim should have been dismissed. The court noted the rarity of rescission cases and the established industry and statutory safeguards for correcting CRA data.

Appeal allowed. The Court of Appeal concluded Equifax had not breached the Data Protection Act in the sense found by the trial judge because it had taken reasonable steps to ensure accuracy by relying on authoritative sources (the London Gazette), correcting records when notified and implementing the electronic feed once available; the trial judge erred in imposing a co-extensive tort duty of care derived from the statutory scheme; and the causation finding that Equifax’s breaches prevented Ability Records obtaining finance was unsupported by the evidence and legally too remote.

Appeal from the High Court of Justice, Queen's Bench Division (His Honour Judge Anthony Thornton QC) [2012] EWHC 2088 (QB) to the Court of Appeal, Civil Division, [2013] EWCA Civ 108.