President Donald J Trump v Orbis Business Intelligence Limited

The claimant sought to amend a claim form to add a cause of action under the Data Protection Act 1998 and pursued a claim under the UK GDPR and the Data Protection Act 2018 arising from two memoranda in the ‘Steele Dossier’. The court applied CPR 17.4 and the four-stage test (Mullaley) to determine whether the proposed DPA 1998 claim could be added after expiry of limitation. The application to amend was refused because the DPA 1998 cause of action was a new claim arising from different processing (pre-2018 preparation and dissemination) and not the ‘same or substantially the same facts’ as the existing UK GDPR/DPA 2018 claim (which concerned storage/retention from 25 May 2018). The remaining UK GDPR/DPA 2018 claim was summarily dismissed because the only continued processing pleaded was mere storage after 25 May 2018, which could not realistically have caused the pleaded distress or reputational loss and there was no real prospect of a useful compliance order; and the claimant could not recover nominal vindicatory damages as a matter of statute and authority (Lloyd v Google applied).

Background and parties: The claimant (former President of the United States) sued Orbis, an English company that prepared memoranda forming part of the Steele Dossier, complaining of inaccurate personal data in two pre‑election memoranda (Memoranda 080 and 113). Orbis had been engaged in 2016 by Fusion GPS; the memoranda were later published by BuzzFeed in January 2017. The claimant issued a protective claim in October 2022 under the UK GDPR and DPA 2018; particulars later sought to add a claim under the DPA 1998 and to remove Christopher Steele as a defendant.

Nature of the applications:

• An Amendment Application under CPR 17.1/17.4 to add a DPA 1998 cause of action (and related remedies).
• Orbis’ Strike Out / Summary Judgment Application under CPR 3.4 and CPR 24 seeking dismissal for no reasonable grounds, abuse, and/or no real prospect of success.

Issues framed:

• Whether CPR 17.4 applied and, if so, whether the proposed amendment added a new claim arising out of the same or substantially the same facts as the existing claim.
• Whether the DPA 1998 claim was time‑barred.
• Whether, on the remaining UK GDPR/DPA 2018 pleadings, the claimant had reasonable grounds / a real prospect of obtaining compensation or a compliance order.
• Whether any part of the pleaded particulars should be struck out as disclosing no reasonable grounds or as abuse.

Reasoning and disposition:

1. The court examined Evans and related authority on when a claim form may be construed with later particulars; it concluded Evans applies only in cases of an obvious clerical/administrative error. Here there was no such error: the Claim Form deliberately pleaded only post‑25 May 2018 legislation and later Particulars of Claim (served months later) added the DPA 1998 cause of action after correspondence from the defendant. The documents were not contemporaneous and not intended to be read together.
2. Applying the Mullaley four‑stage test, the court found it reasonably arguable the DPA 1998 amendments were time‑barred (six‑year limitation). The proposed DPA 1998 claim was a new cause of action and did not arise out of the same or substantially the same facts because it depended on earlier acts of processing (pre‑2018 preparation and November 2016 dissemination) and alleged unfair dissemination and reputational damage not in issue in the existing claim which concerned storage/retention from 25 May 2018. Therefore CPR 17.4 could not assist and permission was refused.
3. As to the remaining UK GDPR/DPA 2018 claim, the court struck out all pleaded DPA 1998 material. It then considered whether the claimant had reasonable grounds for remedies: compensation for distress or a compliance order. The pleaded distress and reputational injury flowed from preparation and dissemination and publication by BuzzFeed, not from mere storage after 25 May 2018. There was no real prospect that retention/storage alone had caused the pleaded distress, and the court held that nominal/vindicatory damages were not available under the statutory regime in light of Lloyd v Google. An erasure or restriction order would be ineffective while the memoranda remain widely available online; the only realistic remedy (rectification) had not been pursued. The court therefore gave summary judgment for the defendant and struck out the identified parts of the particulars.

Wider context: The judgment clarifies the interaction of limitation and CPR 17.4 when a claimant seeks to add a legacy statutory cause of action after issuing under the new data protection regime, and confirms that statutory remedies under the GDPR/DPA framework require proved damage arising from the infringement.

This first‑instance claim is dismissed by summary judgment. The claimant's application to amend the claim form to add a Data Protection Act 1998 cause of action is refused because the proposed DPA 1998 claim is a new cause of action, time‑barred and not arising out of the same or substantially the same facts as the existing UK GDPR/DPA 2018 claim (CPR 17.4). The residual UK GDPR/DPA 2018 claim is dismissed on summary judgment because only storage/retention since 25 May 2018 was pleaded, which could not realistically have caused the pleaded distress or reputational loss and afforded no prospect of an effective compliance order; statutory nominal or vindicatory damages are not available under the applicable authorities.