Contains public sector information licensed under the Open Justice Licence v1.0.
England and Wales High Court (Queen's Bench Division)
(Jul 8, 2020)
Copy Cite
[2020] EWHC 1812 (QB)
Case Information
Click here to read the full judgment
Aven & Ors v. Orbis Business Intelligence Ltd
Smart Summary (Beta)
Factual and Procedural Background
This case concerns a claim for correction of personal data and other remedies under the Data Protection Act 1998 (DPA) relating to one component of a set of memoranda known as the Steele Dossier. The Dossier was produced by the Defendant, Company A, in 2016 on instructions from a Washington DC consultancy. The instructions were to provide intelligence memoranda concerning any links between Russia, its President, and a US political figure.
The Plaintiffs are three businessmen of Russian or Ukrainian origin, identified as beneficial owners of a Russian financial-investment conglomerate, Company B. The Defendant is an English company established to provide strategic insight, intelligence, and investigative services. One of its directors and principal authors of the Dossier was a former British intelligence official.
An online article published in January 2017 disclosed the Dossier, including Memorandum 112, which referenced the Plaintiffs. Memorandum 112 contained allegations concerning the Plaintiffs' relationship with the Russian President, including claims of significant favours exchanged, informal advice given on foreign policy, meetings, and involvement in delivering illicit cash in the 1990s.
The Plaintiffs commenced proceedings in May 2018 alleging that Memorandum 112 contained personal and sensitive personal data that were inaccurate and had been processed unfairly and unlawfully by the Defendant. They sought a declaration of inaccuracy, orders for blocking, erasure, destruction, rectification, notification of inaccuracies to recipients, and compensation.
The Defendant denied liability, disputing that all information in Memorandum 112 constituted personal data, denying that any data were inaccurate or sensitive personal data, and asserting that the processing complied with the DPA principles. The Defendant also relied on exemptions under the DPA relating to legal purposes and national security.
The trial was heard over four days in March 2020, with evidence from both parties, including expert evidence on Russian criminal law and anti-corruption regulations. The Defendant's main witness was the principal author of the Dossier.
Legal Issues Presented
- What is the scope and nature of the personal data relating to the Plaintiffs contained in Memorandum 112? (The Personal Data Issue)
- To what extent is the processing of those data by the Defendant protected by the Legal Purposes Exemption under the DPA? (The Legal Purposes Issue)
- To what extent is the processing protected by the National Security Exemption under the DPA? (The National Security Issue)
- Did the Defendant process any of the data in contravention of the First Data Protection Principle (fairness)? (The Fairness Issue)
- Did the Defendant process any of the data in contravention of the Fourth Data Protection Principle (accuracy)? (The Accuracy Issue)
Arguments of the Parties
Plaintiffs' Arguments
- Memorandum 112 contains personal data about the Plaintiffs, including allegations of significant favours exchanged with the Russian President, informal foreign policy advice, direct meetings, use of an intermediary to deliver illicit cash, and political bidding.
- The data are inaccurate and include sensitive personal data relating to alleged criminal conduct, contrary to the Fourth Data Protection Principle.
- The Defendant breached the First Data Protection Principle by processing data unfairly and unlawfully.
- The Defendant failed to notify the Plaintiffs or provide them opportunity to comment on inaccuracies.
- The Defendant is liable for remedies including rectification, notification to recipients, and compensation for distress and damage.
- The Defendant’s reliance on legal purposes and national security exemptions is unfounded or improperly applied.
Defendant's Arguments
- Not all information in Memorandum 112 constitutes personal data; some refer to Company B, which is not personal data.
- None of the data relate to the third Plaintiff; only the first and second Plaintiffs are referenced.
- The data are not inaccurate and do not include sensitive personal data.
- The processing complied with the First and Fourth Principles.
- The Legal Purposes Exemption applies because the data were processed for obtaining legal advice and prospective legal proceedings.
- The National Security Exemption applies to certain disclosures made to government officials and agencies.
- The Defendant took reasonable steps to ensure accuracy and is not liable for damages or other remedies.
- The Defendant denies responsibility for wider publication by third parties such as media organizations.
Table of Precedents Cited
| Precedent | Rule or Principle Cited For | Application by the Court |
|---|---|---|
| Smith v Lloyds TSB [2005] EWHC 246 (Ch) | Distinction between information about an individual and a company; personal data must relate to an identifiable living individual. | Supported the principle that information must be assessed discretely to determine if it relates to an individual. |
| Durant v Financial Services Authority [2003] EWCA Civ 1746 | Definition of personal data; data must relate to the individual and the individual must be identifiable. | Used to assess whether information in the memorandum constituted personal data of the Plaintiffs. |
| Ittihadieh v 5-11 Cheyne Gardens RTM Co Ltd [2017] EWCA Civ 121 | Clarification of personal data definition and data controller's responsibility for processing by others. | Applied in determining Defendant's liability for disclosures by third parties. |
| NT1 v Google LLC [2018] EWHC 799 (QB) | Approach to interpretation of data and accuracy; holistic rather than item-by-item assessment. | Adopted the holistic approach to interpreting Memorandum 112 as a coherent narrative. |
| Lord Ashcroft v Attorney-General [2002] EWHC 1122 (QB) | Interpretation of implied allegations of criminality in statements. | Considered in assessing whether allegations of illicit cash delivery implied criminal conduct. |
| Cooper v National Crime Agency [2019] EWCA Civ 16 | Interpretation of the Legal Purposes Exemption and necessity in data processing for legal proceedings. | Guided the court in assessing whether processing was necessary for legal advice and prospective proceedings. |
| Secretary of State for the Home Department v Rehman [2001] UKHL 47 | Definition and scope of national security for exemptions. | Used to interpret the National Security Exemption under the DPA. |
| Baker v Information Commissioner and the Cabinet Office (EA/2006/0045) | National security encompasses protection of democracy and constitutional systems. | Supported broad interpretation of national security purposes for exemption. |
| Scott v LGBT Foundation [2020] EWHC 483 (QB) | Oral disclosures are not caught by the DPA. | Applied in rejecting claims based on oral disclosures to media. |
| Vidal-Hall v Google Inc [2015] EWCA Civ 311 | Compensation for distress under DPA. | Supported award of damages for distress caused by data protection breaches. |
| Lloyd v Google LLC [2019] EWCA Civ 1599 | Compensation recoverable for interference with data subject's control even without material damage. | Applied in awarding compensation for breach of accuracy principle. |
| Jameel v Dow Jones, Inc [2005] EWCA Civ 75 | Limitations on declarations of falsity in defamation actions. | Referenced in declining to make a declaration of falsity in this data protection case. |
| Slipper v BBC [1991] 1 QB 283 | Requirement to plead damages for third-party republication (Slipper damages). | Applied in rejecting claims for damages based on third-party media publication. |
| Kalman v Information Commissioner and the Department of Transport (EA/2009/0111) | Interpretation of "required" in national security exemption as reasonably necessary. | Considered in alternative interpretation of s 28 exemption. |
| Barron v Vines [2016] EWHC 1226 (QB) | Principles for assessing damages for reputational harm and distress. | Guided assessment of compensation for the Plaintiffs. |
| Sloutsker v Romanova [2015] EWHC 2053 (QB) | Mitigation of damages by reasoned judgment. | Referenced in moderating compensation award. |
| Lachaux v Independent Print Ltd [2019] UKSC 27 | Rules against mitigation of damages by reference to other publications. | Applied in rejecting Defendant's attempts to rely on Plaintiffs' prior reputation. |
Court's Reasoning and Analysis
The Court began by determining the scope of personal data in Memorandum 112, adopting a holistic approach to interpretation rather than an atomised, item-by-item review. The Court held that the memorandum contained personal data relating to the Plaintiffs, including the proposition that significant favours were exchanged between the Plaintiffs and the Russian President.
Regarding the allegation of illicit cash delivery, the Court found that this constituted sensitive personal data relating to alleged criminal conduct under DPA s 2(g). The Court rejected the Defendant's attempt to require specification of the exact criminal offence, holding that the implication of criminality was clear from the memorandum's text.
The Court examined the purposes for which the data were processed. It found that the Fusion Disclosure (the initial disclosure to the Washington DC consultancy) was made for the purposes of obtaining legal advice and establishing legal rights, thus engaging the Legal Purposes Exemption under s 35(2) of the DPA. The Defendant's processing was reasonably necessary for those purposes, and the exemption applied to the Notice Requirements and partially to the accuracy principle.
Similarly, the Court considered the National Security Disclosures (disclosures to various US and UK officials) and concluded that exemption from the Notice Requirements was required for safeguarding national security. However, the Court held that the First and Fourth Principles still applied, subject to conditions.
On the issue of accuracy under the Fourth Principle, the Court found that four of the five propositions complained of were factual in nature and not matters of opinion. The Plaintiffs discharged the burden of proving inaccuracies in the memorandum, specifically concerning the illicit cash allegation and other factual assertions such as direct meetings and political bidding.
The Defendant was found to have taken reasonable steps to verify the majority of the personal data except for the allegation concerning illicit cash delivery, where the verification was inadequate given the seriousness and historical nature of the claim.
In relation to remedies, the Court declined to grant extensive orders for rectification or notification to third parties, noting the limited and private nature of the disclosures. The Court also declined to make a declaration of falsity, considering it unnecessary and potentially misleading.
Finally, the Court awarded compensation to the first and second Plaintiffs for breach of the Fourth Principle in respect of the inaccurate sensitive personal data, assessing damages for distress and reputational harm in accordance with established principles analogous to defamation law.
Holding and Implications
The Court held that:
- Memorandum 112 contained personal data about the Plaintiffs, including sensitive personal data relating to alleged criminality.
- The Fusion Disclosure was exempt from certain DPA provisions under the Legal Purposes Exemption but not from the accuracy principle entirely.
- The National Security Disclosures were exempt from the Notice Requirements but not the entire First or Fourth Principles.
- The Defendant did not breach the First Principle but breached the Fourth Principle by failing to take reasonable steps to verify the illicit cash allegation.
- The Court granted a limited order for rectification but declined wider remedies or declarations.
- Compensation of £18,000 was awarded to each of the first and second Plaintiffs for distress caused by the breach.
Implications: The decision clarifies the application of the Data Protection Act 1998 to intelligence memoranda containing personal and sensitive data, particularly the scope of legal and national security exemptions. It emphasizes a holistic approach to determining personal data and balances data protection rights with legitimate legal and national security interests. The ruling confirms that data controllers must take reasonable steps to verify sensitive allegations, especially those implying criminal conduct. The judgment is specific to the facts and does not establish broad new precedent beyond the application of existing principles to complex intelligence material.
Click here to read the full judgment
This is a paid feature.
Please subscribe to download the judgment.
Please subscribe to download the judgment.
Size
= Directly proportional to the number of citations
Color = Jurisdiction
Supreme Court
High Courts
Tribunals
Line Incoming
= Cited by Outgoing =
Cites
Use AI to get other relevant cases.
Comments