Controller In Breach Of Data Protection Laws Ordered To Pay £18,000 Per Person Affected

Aven and others v Orbis Business Intelligence Ltd [2020] EWHC 1812 (QB)

There are very few data protection cases that give an indication as to the level of damages likely to be received by the data subject where a data controller is in breach of data protection law.

This case however does helpfully provide some guidance in respect of the quantification of damages in cases such as this.


The Claimants were three business men of Russian or Ukrainian origin. The Defendant was an English company that provided strategic insight into investigative services to its clients.

One of the directors of the Defendant was the author of a document referred to as the “dossier”, which was essentially a memorandum produced by the Defendant in 2016 in respect of an investigation into Donald Trump and his alleged links with Russia and President Putin.

The Claimants’ case was that Memorandum 112 of the Dossier contained five propositions each of which contained personal data about them. The Claimants alleged that the personal data was processed in breach of the first and fourth principle of Data Protection Act 1998 (DPA 1998) (being the fair and lawful principle and the accuracy principle respectively).


The Court awarded a very limited order for rectification requiring the Defendant to mark its copy of Memorandum 112 so that readers would be aware of the decision reached in this case.

The Court also awarded compensation under section 13 DPA 1998. It held that the compensation should account for the Claimant’s distress and loss of control over their data. It was also held that the law is clear that damage is not limited to material loss and therefore reputational damage should able be factored into the award.

The Court awarded damages of £18,000.00 to each of the Claimants.


The Court emphasised on a number of occasions that the case is not a defamation claim. Rather interestingly however the decision reached by the Court in the case seems to be based upon concepts deriving from defamation law.

There is therefore some suggestion that the Court’s method of dealing with certain data protection claims may be starting to align with the method for dealing with defamation claims.

It is important to note that whilst the dispute relates to breaches of DPA 1998 which has since been repealed, the judgment will still be relevant to disputes under the GDPR and Data Protection Act 2018.

Aven Orbis BusinessHow can we help?

Ruby Ashby is an Associate in our expert Dispute Resolution team.

For any queries relating to the topics discussed in this article, please call Ruby or another member of the team in Derby, Leicester or Nottingham on 0800 024 1976 or contact us via our online form.