The Court of Appeal has overturned what had seemed an important, if controversial, judgment on the legal duties owed by Credit Reference Agencies to those about whom they hold records and issue reports.
I blogged in May last year about a high court claim for damages under section 13 of the Data Protection Act 1998 (DPA). The claimant, Mr Smeaton, successfully argued that, as a result of processing inaccurate data about his credit history, the Credit Reference Agency (CRA) Equifax was in breach of the fourth data protection principle, and that Equifax’s obligations under the DPA as a data controller meant that it owed a duty of care to Smeaton in tort. Accordingly, damages were owed (to be assessed at a later date).
The case has now been comprehensively overturned in the Court of Appeal. Primarily, the appeal succeeded because the judge’s findings on causation (i.e. had the inaccuracy in Mr Smeaton’s credit record led to the detriment pleaded?) were not sustainable. Lord Justice Tomlinson, giving the lead judgment, was highly critical of the judge’s approach
the judge’s conclusion that the breaches of duty which he identified caused Mr Smeaton loss in that they prevented Ability Records from obtaining a loan in and after mid-2006 is in my view not just surprising but seriously aberrant. It is without any reliable foundation and completely unsupported, indeed contradicted, by the only evidence on which the judge could properly rely (¶11)
That effectively dispensed with the claim for damages, but Equifax, clearly concerned about the implications of the original findings regarding a breach of the DPA and consequent breach of a duty of care, asked the Appeal Court to consider these points as well.
Was there a DPA breach?
Tomlinson LJ held that the procedures which obtained at the time of the alleged DPA breach, regarding the annulment (and communication thereof) of bankruptcy orders, had never been the subject of the expression of any concern by either the Information Commissioner or the Insolvency Service. In the first instance the judge had observed that inaccurate personal data could be “particularly damaging”. Tomlinson LJ did not demur, but said that
it is necessary to put this important principle into context and to maintain a sense of proportion. In the context of lending, arrangements have been put in place to ensure that an applicant for credit should not suffer permanent damage as a result of inaccurate information appearing on his file (¶59)
Those arrangements are described in guidance both published by or approved by the Information Commissioner, and include the fact that, in the event of a failed credit application
[the] lender must tell a failed applicant by reference to the data of which CRA an application was declined, if it was, and the failed applicant, like any consumer, has the right to obtain a copy of his file from a CRA on payment of £2.00
and mistakes can thus be corrected.
Moreover, CRAs must, by reference to the Guide to Credit Scoring 2000, not decline a repeat application “solely on the grounds of having made a previously declined or accepted application to that credit grantor”. This, and other guidance, were inbuilt safeguards against the kind of detriment Mr Smeaton claimed to have suffered. Ultimately
Equifax did take steps to ensure that its bankruptcy data was accurate. It obtained the data from a reliable and authoritative source in the form of the [London] Gazette, it transferred the data accurately onto its data bases from that source and it amended its data immediately upon being made aware that it was inaccurate…the judge was wrong to conclude that Equifax had failed to take reasonable steps to ensure the accuracy of its data (¶81)
Was there a co-extensive duty of care in tort?
Here Tomlinson LJ considered the “traditional three-fold test of foreseeability, proximity and whether it is fair, just and reasonable to impose a duty” and held comprehensively that there was not. He agreed with counsel for Equifax’s argument that
(1)It is doubtful whether it was reasonably foreseeable that the recording of incorrect data on Mr Smeaton’s credit reference would cause him any loss…
(2)It would also not be fair, just or reasonable to impose a duty. In particular, imposing a duty owed to members of the public generally would potentially give rise to an indeterminate liability to an indeterminate class…
(3)It would also be otiose given that the DPA provides a detailed code for determining the civil liability of CRAs and other data controllers arising out of the improper processing of data
(4)Parliament has also enacted detailed legislation governing the licensing and operation of CRAs and the correction of inaccurate information contained in a credit file in the CCA 1974. This provides for the possibility of criminal sanctions, but does not create any right to civil damages. In such circumstances it would not be appropriate to extend the law of negligence to cover this territory (¶75)
The third of these seems to make it clear that the courts will be reluctant to allow for a notion of an actionable duty of care on data controller to process personal data fairly and lawfully. (This is in contrast, interestingly, with the situation in Ireland, whereby a statutory provision (section 7 of the Data Protection Act 1988) states that such a duty of care is owed (at least to the extent that “the law does not so provide”)).
My post on the first instance case has been one of the most-read (it’s all relative, of course – there haven’t been that many readers) so I think it only correct to post this update following the Court of Appeal judgment.