Aven v Orbis… for anyone who’s finished Netflix and turned their attention instead to watching the High Court’s Media & Communications List like a hawk, this case may already be familiar to you. For those of you who haven’t yet allowed Covid-19 to dictate your past times to this extent, this case might just have passed you by when Mr Justice Warby handed down his judgment on it in July this year.
Whilst I would only recommend a review of the entire 57 page judgment if you are currently writing your own top-secret dossier on the most powerful politician in the world, it is nevertheless worth being aware of some of the key takeaways from this case if you are a data controller compiling reports on individuals which, at some point, may need to be disclosed to third parties.
I attempt below to distil the significant parts of the judgment into a 10-minute read (shorter than a Netflix episode).
Some quick background on the case:
- In 2016, a high-ranking individual in the US Democratic Party commissioned a private investigation into links which might exist between Russia/Vladimir Putin and Donald Trump. They engaged (via a US law firm) a DC-based consultancy, Fusion GPS.
- Fusion GPS instructed a UK-based consultancy, Orbis Business Intelligence Limited to investigate. Between June and November 2016, Orbis produced 16 separate memoranda on the subject (the Orbis Memoranda). An Orbis director called Mr Steele led the investigation and authored the reports.
- The claim focussed on one report in the Orbis Memoranda, which came to be known as “the Steele Dossier” which detailed the relationship between Putin and Alfa Group, a Russian company led by 3 oligarchs: Mr Aven, Mr Fridman and Mr Khan (the Claimants).
- During 2016, in addition to providing the Steele Dossier to Fusion, Mr Steele also disclosed it to: the FBI; a former US Deputy Secretary of State; a UK government national security official; and a former US Assistant Secretary of State, who subsequently allowed the media outlet, BuzzFeed News, access to the Orbis Memoranda.
- In January 2017, Buzzfeed published an online article about Trump’s links to Russia and provided a link to all the Orbis Memoranda, including the Steele Dossier.
- The Steele Dossier contained a number of allegations to which the Claimants objected; although the allegations were couched in terms that referred mainly to Alfa Group, rather than the Claimants explicitly, they argued that any reader of the Steele Dossier would understand this to also refer to them.
- Although the claim would have more naturally sounded in defamation (being a complaint pertaining to inaccurate information published about individuals), the Claimants instead decided to try their luck using rights and remedies available under the Data Protection Act 1998 (the “DPA”), the relevant legislation in operation at the time of the events in question. To do so they:
- claimed the statements made about them/Alfa contained their personal data and, in one instance, sensitive personal data as the statement implied a criminal offence had been committed;
- alleged that Orbis, in compiling and disclosing the Steele Dossier, had breached the First Principle under the DPA (the requirement for lawful, fair and transparent processing) and the Fourth Principle (the need to ensure personal data is accurate); and
- asked the court for all remedies available, including: an order that the Steele Dossier be amended and that third parties were notified of this; a declaration that the personal data was inaccurate; and compensation for distress suffered (although little evidence was provided in support of this).
1) Defamation remedies via the back door
One suspects that the Claimants’ foremost concern was to limit reputational damage being caused by the Buzzfeed article and so their primary goals were probably to force Buzzfeed to remove or correct the article in some way, and to receive a decent amount of compensation for harm already caused.
However, a claim in defamation, especially a cross-jurisdictional one, presents various hurdles (e.g. jurisdiction, defences, the serious harm threshold) – hence perhaps the Claimants’ decision to go down the DPA route instead.
Remedies-wise, the Court ordered that the Steele Dossier be marked up to correct inaccuracies, and a significant damages award (in data protection terms) was made. The apparent ability of claimants to use the Fourth DPA Principle to bring a claim for, what is in essence, reputational harm – without all the in-built safeguards of defamation law – is unlikely to sit comfortably with many media defence lawyers.
It does, however, appear to have been the correct choice for the Claimants; a defamation claim brought against Orbis by another Russian businessman, who had very similar complaints to the Claimants in this case, has recently been dismissed by Mr Justice Warby (see Gubarev v Orbis, 30 October 2020). That claim failed, in part, due to the Claimant’s inability to demonstrate serious harm (not required in data protection cases) and, in part, because Orbis could show that it was not responsible for the publication by the media company in question (again, irrelevant in a claim such as Aven v Orbis which focusses only on the processing of personal data by Orbis itself).
2) Blurring the lines
This case borrowed from defamation law in other ways too. A key aspect of Orbis’ defence to the allegation of inaccuracy was that two of the five statements complained of were opinion, rather than fact, and therefore fell outside of the DPA’s definition of inaccuracy (which is confined to “any matter of fact”). Whilst briefly reminding himself and his readers that the trial was not a libel one, Mr Justice Warby went on to dispatch of the fact/opinion question rather succinctly by applying defamation law tests to the analysis, justified on the basis that “they reflect the experience of generations in analysing speech and striking a fair balance between the right to remedies for false factual statements, and the need to safeguard freedom of opinion”. This balancing act will sound very familiar to defamation lawyers across the country but appears to have found a new home in data protection cases.
In determining whether the allegations made about Alfa Group contained the Claimants’ personal data/sensitive personal data, Mr Justice Warby took what he described as a “holistic” (as opposed to an “atomised”) approach to interpreting the statements made. This repeated his approach from NT1 v Google, leading to a conclusion that, read as a whole, an ordinary reader would understand that the allegations made about Alfa Group referred to the Claimants, as owners of the business, and that a description of Alfa Group having used an individual as a “driver” and a “bag carrier” to deliver “illicit cash” to Putin would be understood to allege criminal behaviour (and therefore was sensitive personal data).
The debate as to the meaning of “illicit cash” was particularly reminiscent of the meaning arguments in a defamation trial. Of particular bad luck for Orbis was the publication of a news article read by the judge whilst preparing his judgment, which apparently described HMRC’s powers to crack down on “illicit finance”, which he cited as evidence that “illicit” would be read as meaning illegal rather than just secret. Even more unfortunately for Orbis, the judge stopped short of relying on all aspects of defamation meaning tests – he decided not to oblige the Claimants to identify a specific criminal offence that they alleged was implied by the wording, a requirement in slander cases that establishes, in effect, a threshold of seriousness which apparently does not apply in data protection cases.
3) Exemptions defined broadly, but are not blanket excuses
Orbis relied upon the legal purposes and the national security exemptions in the DPA to disavow any obligations under the First and Fourth Principles. It had some, but not total, success with this argument.
It prevailed in establishing that the legal purposes exemption should be available in the circumstances. Mr Justice Warby took an expansive view of the concept of “establishing legal rights” and did not accept an argument made by the Claimants that the seeking of legal advice had to be the dominant purpose where multiple purposes existed. He also emphasised that it was not necessary for the data controller (i.e. Orbis) to be the intended recipient of legal advice – it suffices that Orbis was disclosing information to a lawyer who would then provide advice to a third party.
This interpretation has shades of the tests applicable in establishing litigation privilege, avoiding drawing the lines too narrowly as to who can be involved in the chain of obtaining legal advice and what that amounts to, provided it is a genuine purpose of one of the parties.
Similarly, the judge was happy to accept that a disclosure of personal data might be justified if “reasonably necessary” for national security reasons and accepted Orbis’ arguments that exemption should apply in this case (largely based on the close link between the UK and US security interests which helped to justify Orbis’ disclosure to individuals/agencies on both sides of the pond). However, he did not see fit to apply the exemption to all controller obligations under the DPA unless such exemption was shown to be “essential” for national security, and was similarly restrictive in his application of the legal purposes exemption.
4) Keep things accurate, or at least try to
Consequently, the judgment is clear that neither exemption relied upon excused Orbis from its obligations under the First Principle (save for the requirement to give notice of the disclosures) or the Fourth Principle. It goes on to identify that compliance with the Fourth Principle will, where inaccuracy is at issue, turn upon the Defendant’s ability to demonstrate that it took reasonable steps to verify the accuracy of personal data – and that what amounts to reasonable steps is highly dependent upon the seriousness of the allegation comprising such data.
In the circumstances, Orbis was held to have made reasonable steps to verify 4 of the 5 statements complained of but, in relation to the “illicit cash” allegation, the gravity of this “called for closer attention, a more enquiring approach, and more energetic checking” .
Key factors in Orbis’ failure to meet this standard were the fact that Mr Steele would have been aware that his source for the allegation did not have direct personal knowledge of the underlying facts but was relying on hearsay and that his source was unable to explain how his sub-source came to be in possession of the relevant information.
Mr Justice Warby suggested that evidence of further interrogation of the source and in turn the sub-source would have been required to meet the “reasonable steps” threshold, rather than a single internet search described by Mr Steele which was held to be “unimpressive”. The takeaway here, then, is to only commit particularly defamatory statements to paper if you have taken (and recorded) all efforts to establish their veracity; and if you haven’t, then be prepared to put your money where your mouth is if you subsequently end up in court.
For further disputes related know how please visit Disputes+, Bird & Bird’s disputes knowledge portal.