Damages and compensation for invasion of privacy and data protection infringements

Hulk HoganThe saga in Bollea v Gawker shows two remedies for invasion of privacy. Hulk Hogan (real name, Terry Gene Bollea; pictured left), is a former professional wrestler and American television personality. Gawker was a celebrity news and gossip blog based in New York. In October 2012, Gawker posted portions of a secretly-recorded video of Hogan having sex in 2006 with one Heather Cole, who (as Heather Clem) was the then-wife of his then-best-friend (the wonderfully-monikered radio personality Bubba “the Love Sponge” Clem). In March 2016, a jury found Gawker liable for invading Hogan’s privacy, and awarded him a total US$140m – Gawker itself was held liable for US$115m in compensatory damages (including US $60 million for emotional distress), and US$15m in punitive damages; Gawker’s CEO, Nick Denton, was held personally liable for US$10m in punitive damages.

Gawker and Denton immediately announced that they would appeal; but first Gawker, and then Denton, both soon filed for bankruptcy. In August 2016, Gawker itself was shut down, and the media group of which it was a centrepiece was sold for US$135m. This provided the funds for a settlement: in November 2016, the case was ultimately settled for US$31m; and, in March 2017, Denton came out of bankruptcy. The US$140m damages award and eventual US$31m settlement show one remedy for invasion of privacy. In particular, this raises the issue of the extent to which damages for invasion of privacy are available at Irish law – even if, in privacy claims as in so many other areas, damages in Ireland are not of the same order of magnitude as in the US.

In a plot twist that might once have been revealed by Gawker itself, it emerged that Hogan’s case had been secretly financed by Peter Thiel, a technology billionaire (after a short career as a lawyer, he co-founded Paypal, and was Facebook’s first outside investor; he is currently founder and Chair of Palantir Technologies, and a partner at VC firm Founders Fund). This was his revenge for Gawker’s outing of him as gay in December 2007. As an application of the principles of “don’t get mad; get even” and “revenge is a dish best served cold”, this is certainly a novel remedy for invasion of privacy; but it is one that is only available to American tech billionaires. More practical are claims for injunctions and damages.

Where there is a threatened invasion of privacy, by intrusion or publication, the usual remedy is to seek an injunction to prevent it. If an injunction is refused, or if the invasion of privacy has already occurred, then the plaintiff will often seek damages. Such damages will prove an important part of the enforcement architecture of the General Data Protection Regulation [GDPR] and the proposed Regulation on Privacy and Electronic Communications [Proposed ePrivacy Regulation; hereafter: PePR (my acronym)]. “Money remedies for invasion of privacy at Irish law, to provide compensation for breach of the GDPR and of the Proposed ePrivacy Regulation” was the theme of my talk for the Irish Centre for European Law’s Privacy and Data Protection Conference 2017.

Article 82(1) GDPR provides:

Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered. …

And Article 22 PePR is in similar terms:

Any end-user of electronic communications services who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the infringer for the damage suffered, …

In the case of the GDPR (and unusually for a Regulation, which has general application, is binding in its entirety, and is directly applicable in all EU countries) there will still need to be implementing legislation, in Ireland (update: Heads (pdf) now here; noted here) and the UK [the text of the German Bill is here]. The same may also be true of the PePR. When these Regulations are in force, plaintiffs or claimants whose privacy has been invaded in breach of either Regulation will be entitled to an effective judicial remedy of compensation in the national courts for material or non-material damage. The precise formulation of the right to compensation in Article 82(1) GDPR and Article 22 PePR is not as unambiguous as it might have been. In particular, it is not clear whether that formulation provides an imperative, directly effective, horizontal right to receive compensation, or whether there must be implementing legislation. Given that there will, in any case, be such legislation for many other aspects of the GDPR, the best thing to do would be to provide a right to compensation in that legislation, in a section which begins with as much of the text of the relevant Regulation as possible, and then provides that the relevant claim is tortious in nature. On the other hand, the very worst thing to do would be to replicate the strategy in section 7 of Ireland’s Data Protection Act, 1988 (also here) which led Feeney J into error in Collins v FBD Insurance plc [2013] IEHC 137 (14 March 2013), both as a matter of Irish law and as a matter of EU law. Section 13 of the UK’s Data Protection Act 1988 isn’t much better, although the Court of Appeal has made the best of it in Google Inc v Vidal-Hall [2016] QB 1003, [2015] EWCA Civ 311 (27 March 2015).

Apart from the implementations of the Data Protection Directive (in Ireland and the UK) and the ePrivacy Directive (in Ireland and the UK) which will be overtaken by the GDPR and the PePR, there are many other statutory provisions [including section 85 of the UK’s Copyright, Designs and Patents Act 1988 and section 114(1) of Ireland’s Copyright and Related Rights Act 2000 (also here); see also section 39(1)(e) of Ireland’s Broadcasting Act 2009 (also here) (the strategy in this respect in the UK’s Communications Act 2003 is different)] which could, in appropriate cases, be used to provide a right compensation that would satisfy the Regulations. Moreover, there are three money remedies in equity for breach of confidence [account of profits; Lord Cairns’ Act, and equitable compensation] which do not seem to have been used in many modern Irish cases (by contrast, in the UK, breach of confidence has been a clear means of vindicating privacy interests at least since the decisions of the House of Lords in Campbell v Mirror Group Newspapers [2004] 2 AC 457, [2004] UKHL 22 (6 May 2004) and Douglas v Hello! Ltd [2008] 1 AC 1, [2007] UKHL 21 (02 May 2007)). Nor does the tort of invasion of privacy at common law seem to have been very well developed at Irish law (by contrast, in the UK, the tort of misuse of private information has become a clear means of vindicating privacy interests at least since the decisions of the Court of Appeal in Vidal-Hall (above) and Representative Claimants v MGN Ltd [2017] QB 149, [2015] EWCA Civ 1291 (17 December 2015)). Nevertheless, these private law claims and remedies could – in both Ireland and the UK – very easily be relied upon in appropriate cases to provide a right compensation that would satisfy the Regulations.

The reason for the comparative underdevelopment in Ireland of the private law claims and remedies in equity and at common law is probably the brooding omnipresence that is Bunreacht na hÉireann [the Irish Constitution]. In privacy cases, analysis tends to begin and end with a horizontal application of the constitutional right to privacy [eg, Kennedy v Ireland [1987] IR 587, [1988] ILRM 472 (12 January 1987) (doc | pdf); Gray v Minister for Justice [2007] 2 IR 654, [2007] IEHC 52 (17 January 2007) (discussed here, here, and here); Herrity v Associated Newspapers [2009] 1 IR 336, 347, [2008] IEHC 249 (18 July 2008) (discussed here); and Sinnott v Carlow Nationalist (High Court, unreported, 30 July 2008, Budd J) “Court increases payout to GAA player over photo” Irish Times 31 July 2008; (discussed here, here and here; see also here, here, here, here, and here]. It could plainly be relied upon in appropriate cases to provide a right compensation that would satisfy the Regulations.

However, the rise of the constitutional action at the expense of private law claims and remedies has had an unnecessarily baleful effect in Ireland on the action for breach of confidence in equity and the tort of invasion of privacy at common law. The principles underpinning these claims remedies are unclear and need to be rationalised, not only in their own terms, but also to provide a right to compensation that would satisfy the Regulations. But that has not happened because of the overwhelming magnetic attraction of the Constitution. The simplest solution here would be for the Irish courts to insist that they will reach the constitutional issues last. Rather than providing a horizontal cause of action, and reinventing the wheel when it comes to issues such as causation, remoteness, measures of damages, limitation periods, contributory negligence, mitigation, and damages jurisdictions in the various courts, the proper role of the Constitution would instead be to guide the development of the private law cause of action, and to shape the contours of the claim and remedy. Commonwealth cases could provide guides for the development of claims to equitable compensation for breach of confidence, and for the development of a tort of invasion of privacy. UK cases could provide guidance on questions of quantum.

It is necessary that Irish law should be clear as to the principles on foot of which compensation will be sought for breach of the Regulations. Case-law in the UK is much further down the road. Nevertheless, a coherent taxonomy of money remedies for invasion of privacy at Irish law is within the interpretative grasp of the Irish courts. The advent of the GDPR and the PePR may be just the spur needed to sort out this important area of the law, once and for all.