Defamation, Data Protection and Journalism

It has for some time been recognised that, with changes to the law of defamation, there might be increasing use of an alternative cause of action under section 13 of the Data Protection Act 1998 (“DPA”). This is not perhaps surprising, as defamation necessarily involves the use of personal data (often sensitive) and data protection law, subject to some important exceptions, prevents any use of personal data which is unfair or inaccurate. For a lawyers perspective on these issues see this article on the highly-recommended Panopticon Information Law blog: .

That is not to say however that aggrieved plaintiffs will be likely to obtain a damages bonanza of the type which has been awarded in some historical defamation cases. In the view of the Court of Appeal in Halliday v Creation Consumer Finance Ltd: “… it is not the intention of the legislation to produce some kind of substantial award. It is intended to be compensation..” ([2013] EWCA Civ 333, at paragraph 36). In that case damages of only £1 were awarded under s13(1) DPA and an additional £750 for distress under s13(2). In another recent case CR v Chief Constable PSNI ([2014] NICA 54, at paragraph 24) the total awarded under DPA was simply £1. Similarly where there is a successful claim for breach of confidence, it is unlikely that anything additional will be awarded for the breach of DPA, which will usually be established,  as a breach of confidence makes the use of personal data unlawful and therefore a breach of the first data protection principle. For example in Weller and others v Associated Newspapers Ltd ([2014] EWHC 1163 QB at paragraph 23) the court considered that the claim under DPA “did not add anything of significance to the primary claims for damages”.

The situation becomes even more complicated where the alleged defamation is published in the course of “journalism”. Then the exemption under s32 DPA may well come into play. In essence processing personal data for the purposes of journalism may be exempted from key provisions of the DPA if in the reasonable opinion of the data controller compliance with a particular provision would be incompatible with the journalistic purpose. This is potentially a very wide exemption. In theory it could even justify publishing unfair and inaccurate data by dis-applying the first and fourth data protection principles, although it is hard to imagine forming a reasonable opinion to that effect.

This exemption was discussed in a recent PressGazette article: “Victims of media abuse may turn to the Data Protection Act now that it is harder to bring libel actions” ( ). That article however rather oversimplifies the effect of the s32 exemption and is in fact inaccurate in suggesting that the PSNI case referred to above resulted in an award of £20000 under DPA. That sum was awarded for negligence in relation to Post Traumatic Stress Disorder. The DPA award was a miserly £1.

The article suggests that the s32 exemption does not apply to a claim for compensation under s13 DPA. That is not strictly correct. Although s32 does not specifically mention s13, a s13 claim will usually be based on a breach of s4(4) of the Act i.e. a breach of one or more of the data protection principles, and s32(2) allows a defence in such a case, unless the principle breached is only s7. This would not usually the case as a plaintiff would typically be alleging against a publisher breaches of the first (unfair or unlawful for breach of confidence), third (irrelevant or excessive) and fourth (inaccurate) principles.

In summary, whilst disgruntled plaintiffs may be pleased to have a DPA claim in their armoury, it is not going to be a panacea for a multitude of new substantial claims. Firstly damages will often be quite limited, and may not add to other causes of action such as breach of confidence, and in many cases the s32 exemption may well bite. In that context it should be noted that the availability of this defence may not be limited to ‘traditional’ journalistic sources – see. e.g. “Are we all journalists” . But that is another story.

This entry was posted in GDPR. Bookmark the permalink.

Leave a Reply