Driver v CPS

[2022] EWHC 2500 (KB)

Case details

Neutral citation: [2022] EWHC 2500 (KB)
Court: High Court
Judgment date: 10 October 2022
Subjects: Data protectionPrivacyHuman rightsMedia law
Keywords: GDPRData Protection Act 2018law enforcement processingpersonal datamisuse of private informationArticle 8necessity testCrown Prosecution Servicedamages
Outcome: other

Case summary

The High Court determined that an email sent on 5 June 2019 by a Crown Prosecution Service lawyer to a member of the public constituted processing of the claimant's personal data for law enforcement purposes and therefore fell within Part 3 of the Data Protection Act 2018. The court held that the CPS had breached the first, second and sixth data protection principles in Part 3 because the disclosure to the member of the public was not necessary or proportionate and the CPS failed to demonstrate adequate organisational safeguards.

The court rejected the claimant's claim for misuse of private information and his Human Rights Act 1998 claim because, on the particular facts, there was no reasonable expectation of privacy in the information disclosed (the fact that a charging file had been referred to the CPS), given the prior public reporting and the claimant's own conduct. The claimant was awarded modest non‑pecuniary damages of £250 and a declaration that the CPS breached Part 3 of the DPA 2018.

Case abstract

The claimant, a prominent local politician, complained that a CPS lawyer's email to a member of the public stating that a "charging file" had been referred to the CPS in relation to Operation Sheridan unlawfully processed his personal data, amounted to misuse of private information and breached his Article 8 rights under the Human Rights Act 1998. The CPS initially admitted a breach but later sought to resile, contending the email did not contain personal data, that processing was lawful, and that the information was already in the public domain.

Procedural posture and relief sought:

The claim was heard at first instance in the Queen's Bench Division, Media and Communications List.
The claimant sought damages (not exceeding £2,000) and declaratory relief for breach of the GDPR/DPA 2018, misuse of private information and breach of ECHR rights (extension of time pleaded for the HRA claim).

Issues framed and decided:

Whether the June 2019 email contained the claimant's personal data and, if so, whether the processing was for law enforcement purposes (so Part 3 DPA 2018 applied) or general processing (GDPR).
Whether the CPS contravened the DPA 2018 principles (first, second and sixth).
Whether the email disclosed private information in which the claimant had a reasonable expectation of privacy (the McKennitt two-stage test) and, if so, whether Article 10 outweighed Article 8.
Whether to extend time for the HRA claim and whether Article 8 was engaged.
Appropriate remedy if liability established.

Court’s reasoning in brief:

The court accepted that the processing was for law enforcement purposes and therefore Part 3 of the DPA 2018 applied.
The email, although not naming the claimant, was held to contain his personal data because reference to Operation Sheridan, taken together with widely available public material and the small number of suspects, allowed him to be identified.
The CPS failed to prove that disclosure to this particular member of the public was necessary or proportionate in the sense required by Part 3; there was no pressing social need to update that enquirer and the CPS produced no evidence of any consideration of necessity, proportionality or internal policy application. Accordingly the first and second data protection principles were breached. The CPS also failed to demonstrate appropriate organisational measures, breaching the sixth principle.
On misuse of private information and Article 8, the court concluded that on the particular facts (lengthy publicity about Operation Sheridan, the claimant's own press statement in 2016, the Fitzgerald litigation and the August 2018 reporting that a file had been sent to the CPS) there was no reasonable expectation of privacy in the fact that a charging file had been referred to the CPS and the MPI and HRA claims therefore failed. Time was not extended for the HRA claim because it would have failed on the merits.
Given the limited distress found to have been caused by this breach, the claimant was awarded modest non‑pecuniary damages (£250) and a declaration of breach.

Held

At first instance the court upheld the claimant's data protection claim under Part 3 of the Data Protection Act 2018 (finding breaches of the first, second and sixth data protection principles) and awarded damages of £250 together with a declaration of breach. The court dismissed the claims for misuse of private information and under the Human Rights Act 1998 on the basis that, in the particular factual context, there was no reasonable expectation of privacy in the information disclosed.

Cited cases

R v Monopolies and Mergers Commission ex parte Argyll Group plc, [1986] 1 WLR 763 neutral
Campbell v MGN Ltd, [2004] 2 AC 457 neutral
Durant v Financial Services Authority, [2004] FSR 28 neutral
Stone v South East Coast Strategic Health Authority, [2006] EWHC 1668 (Admin) neutral
Corporate Officer of the House of Commons v JC, [2008] EWHC 1084 (Admin) neutral
Mosley v News Group Newspapers Ltd, [2008] EWHC 687 (QB) neutral
McKennitt v Ash, [2008] QB 73 neutral
Murray v Express Newspapers plc, [2009] Ch 481 neutral
Farrand v The Information Commissioner and the London Fire and Emergency Planning Authority, [2014] UKUT 0310 (AAC) neutral
PJS v News Group Newspapers Ltd, [2016] AC 1081 neutral
Guriev v Community Safety Development (UK) Ltd, [2016] EWHC 643 (QB) neutral
Khuja v Times Newspapers Ltd, [2017] 3 WLR 351 neutral
Ittihadieh v 5-11 Cheyne Gardens RTM Co Ltd, [2017] EWCA Civ 121 neutral
Richard v BBC and South Yorkshire Police, [2018] 3 WLR 171 neutral
R (Fitzgerald) v Preston Crown Court and Chief Constable of Lancashire Police, [2018] EWHC 804 (Admin) neutral
ZXC v Bloomberg LP, [2020] 3 WLR 838 neutral
ST (a child) and RF v L Primary School, [2020] EWHC 1046 (QB) neutral
Aven v Orbis Business Intelligence Limited, [2020] EWHC 1812 (QB) neutral
R (Elgizouli) v Secretary of State for the Home Department, [2021] AC 937 neutral
Bloomberg LP v ZXC, [2022] 2 WLR 424 neutral

Legislation cited

Data Protection Act 2018: Part 3
Data Protection Act 2018: Section 169
Data Protection Act 2018: Section 31
Data Protection Act 2018: Section 32
Data Protection Act 2018: Section 34
Data Protection Act 2018: Section 35(5) – The first data protection principle (section 35) in relation to sensitive processing
Data Protection Act 2018: Section 36
Data Protection Act 2018: Section 40
Data Protection Act 2018: Section 42 – Safeguards for sensitive processing and policy documentation
Data Protection Act 2018: Schedule 7
Data Protection Act 2018: Schedule 8
Human Rights Act 1998: Section 7(1),7(7) – 7(1) and 7(7)
Prosecution of Offences Act 1985: Section 3(2)(a)
Regulation (EU) 2016/679: Regulation 2016/679 – (EU) 2016/679 (GDPR)