The Data Brief

A monthly data protection bulletin from the barristers at 5 Essex Chambers

Limitation and Lloyd v Google Trump Trump’s Data Claim

28 February 2024

On 1 February 2024, judgment was handed down in President Donald J. Trump v Orbis Business Intelligence Limited [2024] EWHC 173 (KB), the third case to come before the High Court concerning the so-called “Steele Dossier”.

The Steele Dossier

In June 2016, Orbis, an English company providing strategic intelligence and investigative services to clients globally, was engaged by a US consultancy, acting on behalf of US law firm, to collect and provide intelligence concerning any Russian efforts to influence the 2016 US Presidential election and any links between Russia and the Claimant. Orbis produced 16 pre-election memoranda including two which were the subject of these proceedings.

Orbis’ Director, Christopher Steele, provided the two memoranda to the FBI in July and September 2016 respectively. Memorandum 2016/080 alleged that the Claimant had engaged in perverted sexual behaviour including the hiring of prostitutes to engage in ‘golden showers’ in the presidential suite of a hotel in Moscow, to defile the bed in which President and Mrs Obama had slept, and by his unorthodox behaviour in Russia, provided the Russian authorities with sufficient material to blackmail him. Memorandum 2016/113 alleged the Claimant paid bribes to Russian officials to further his business interests; took part in ‘sex parties’ when in St Petersburg; and arranged for or conspired in the silencing of all direct witnesses to his impropriety by coercion or bribery.

In November 2016 Mr Steele disclosed the memoranda to a former US Deputy Secretary of State; a UK national security official, and David Kamer, an aide to Senator John McCain.

The Claimant said that he was first made aware of the existence of the Dossier by then FBI Director James Comey in January 2018 during the transition period following his election. BuzzFeed had published the Dossier including the relevant two memoranda in January 2017 after Mr Kramer gave access to it. In other litigation arising out of the Steele Dossier, Warby J (as he then was) held that Oribis was not responsible for publication of the BuzzFeed Article.

Claim for Alleged Breaches of Data Protection Legislation

In October 2022, the Claimant issued a (protective) Claim Form against Orbis and Steele alleging breach of Article 5(1)(d) of the UK General Data Protection Regulation (“GDPR”) arising from the processing of inaccurate personal data; compensation pursuant to Article 82 UK GDPR and ss168 and 169 of the Data Protection Act (“DPA”) 1998 and an Order pursuant to Article 16 UK GDPR for rectification and/or Article 17 for erasure.

In December 2022 the Claimant sent a Letter of Claim to the Defendants who responded that only Orbis, not Mr Steele, was a data controller of the Claimant’s personal data. They stated that the Claimant’s data had been processed fairly, lawfully and accurately at the relevant time and that the claim was time barred as the DPA 2018 and UK GDPR came into force on 25 May 2018, “long after” they had ceased processing a copy.

In February 2023, the Claimant sought to amend the Claim to include an action under the DPA 1998, including for compensation under s13 and an order for rectification/erasure under s167.

On 3 April 2023 the Claimant submitted the Amendment Application. On 26 May 2023 the Defendant filed a Strike Out Application.

The Amendment Application

The Court applied a four-stage test in considering Civil Procedure Rule (“CPR”) 17.4:

(i)             Is it reasonably arguable that the opposed amendments are outside the applicable limitation period?

The Court rejected the Defendant’s argument – based on Rudd v Bridle [2019] EWHC 893 (QB) (a data protection claim) and Sicri v Associated Newspapers Ltd [2020] EWHC 3541 (QB), [2021] 4 WLR 9 (a misuse of private information claim) – that the limitation period ought to be one year. Steyn J held that the limitation period for data protection claims is six years.

(ii)           Did the proposed amendments seek to add or substitute a new cause of action?

Yes. A claim brought under the DPA 1998 is brought under a different statutory regime to a claim under the UK GDPR or the DPA 2018: a claim under the former can only relate to the processing of personal data before 25 May 2018 and the latter to processing after this date.

(iii)          Does the new cause of action arise out of the same or substantially the same facts as are already in issue in the existing claim?

No. Although the claims were based on the same memoranda and the complaint of inaccuracy was identical, the preparing and dissemination of the Dossier aspects could only be brought under the DPA 1998 regime and not the DPA 2018/UK GDPR regime: the time periods of the new and existing claim were mutually exclusive.

(iv)          Should the Court exercise its discretion to allow the amendment?

As the answer to (iii) was ‘no’, question (iv) does not arise but in any event the Court would not have exercised discretion: the preparation and dissemination aspects of the claim were outside the limitation period and there was no explanation for the delay (the Claimant serving a presidency for a period being insufficient). The Court did not accept that the Defendant would not be prejudiced by the delay.

The Court rejected the Amendment Application.

Strike Out

The Claim for damages for reputational harm allegedly arising through dissemination of the Dossier (the DPA 1998 claim) was only maintainable if the amendment application was successful, and so this aspect fell to be struck out.

The Court went on to find that in respect of the remaining part of the pleaded Claim, the Claimant did not have reasonable grounds for claiming, or a real prospect of obtaining, either of the remedies sought – namely a compensation or compliance order.

There was no pleaded processing other than (limited) retention and storage from 25 May 2018 (when the Memoranda were publicly available). It could not sensibly be claimed that the mere fact that the Defendant held copies of the Memoranda caused the Claimant distress.

Steyn J also held that the Claimant’s alternative contention – that he was entitled to nominal damages if he established the inaccuracy of the Personal Data – was contrary to Lloyd v Google LLC [2021] UKSC 50 [2022] AC 1217, in which the Supreme Court held that there was no entitlement to s13 DPA 1998 compensation based solely on proof of a (non-trivial) contravention of a requirement of the Act in relation to any personal data of which the claimant was the subject.

The Court also gave summary judgment on the compliance order and concluded that “In reality, the Claimant is seeking court findings to vindicate his reputation in circumstances where he has not been able to formulate any viable remedy which he would have a real prospect of obtaining…”.

Conclusions

This decision considers the intersections between claims in defamation, misuse of private information and data protection and, in particular, provides clarity regarding the limitation period for data claims alleging reputational damage. It applies Lloyd v Google to the DPA 2018 / UK GDPR regime. And it provides useful material for those seeking to defend claims for distress based on storage/retention of personal data rather than creation and dissemination.


Further reading: President Donald J. Trump v Orbis Business Intelligence Limited [2024] EWHC 173 (KB)


Authors

Francesca Whitelaw KC

Call 2003 | Silk 2023

The Data Brief

A monthly data protection bulletin from the barristers at 5 Essex Chambers

The Data Brief is edited by Francesca Whitelaw KC, Aaron Moss and John Goss, barristers at 5 Essex Chambers, with contributions from the whole information law, data protection and AI Team.

Visit the Information Law, Data Protection and AI area

Search The Data Brief

Portfolio Builder

Select the practice areas that you would like to download or add to the portfolio

Download    Add to portfolio   
Portfolio
Title Type CV Email

Remove All

Download


Click here to share this shortlist.
(It will expire after 30 days.)