President Donald J. Trump v Orbis Business Intelligence Limited [2024] EWHC 173 (KB)
In June 2016, Orbis Business Intelligence Limited (Orbis), an English company specialising in strategic intelligence and investigative services, was engaged by a US consultancy on behalf of a US law firm. The objective was to gather intelligence on any Russian efforts to influence the 2016 US Presidential election and any links between Russia and Donald Trump. Orbis produced 16 pre-election memoranda, including two that were central to these proceedings.
Christopher Steele, Director of the Defendant, provided the two memoranda to the FBI in July and September 2016. Memorandum 2016/080 alleged that the Claimant had engaged in compromising sexual behavior in Moscow, which could be used by Russian authorities for blackmail. Memorandum 2016/113 alleged that the Claimant paid bribes to Russian officials and participated in illicit activities in St. Petersburg.
In November 2016, Steele disclosed the memoranda to a former US Deputy Secretary of State, a UK national security official, and David Kramer, an aide to Senator John McCain. The Claimant claimed they first became aware of the dossier’s existence in January 2018, during the transition period following their election, when FBI Director James Comey informed them. BuzzFeed published the dossier, including the relevant memoranda, in January 2017 after Kramer provided access to it. In previous litigation, it was held that the Defendant was not responsible for the publication by BuzzFeed.
In October 2022, the Claimant issued a protective Claim Form against the Defendant and Steele, alleging breaches of Article 5(1)(d) of the UK General Data Protection Regulation (UK GDPR) due to the processing of inaccurate personal data. They sought compensation under Article 82 UK GDPR and sections 168 and 169 of the Data Protection Act 1998 (DPA 1998), as well as orders for rectification or erasure under Articles 16 and 17 UK GDPR.
In December 2022, the defendants responded, stating that only the Defendant, not Steele, was a data controller of the Claimant’s personal data. They argued that the data had been processed fairly, lawfully, and accurately at the relevant time and that the claim was time-barred as the DPA 2018 and UK GDPR came into force on May 25, 2018, long after they had ceased processing the data.
In February 2023, the Claimant sought to amend the claim to include an action under the DPA 1998. The amendment application was submitted in April 2023, and the defendant filed a strike-out application in May 2023.
Judge’s Decision and Reasoning
The court applied a four-stage test in considering Civil Procedure Rule (CPR) 17.4:
Limitation Period: The court rejected the defendant’s argument that the limitation period should be one year, holding that the limitation period for data protection claims is six years.
New Cause of Action: The court found that the proposed amendments sought to add a new cause of action under a different statutory regime.
Same Facts: The court determined that the new cause of action did not arise out of the same or substantially the same facts as the existing claim.
Discretion: As the answer to the third stage was negative, the court did not exercise its discretion to allow the amendment.
The court rejected the amendment application and granted the defendant’s strike-out application. The court found that the Claimant did not have reasonable grounds for claiming or a real prospect of obtaining the remedies sought. The court also concluded that the mere retention and storage of the memoranda by the Defendant did not cause the Claimant any distress.
Mrs. Justice Steyn DBE provided detailed reasoning for her decision:
Limitation Period: The judge held that the limitation period for data protection claims is six years, rejecting the defendant’s argument for a one-year limitation period based on previous cases.
New Cause of Action: The judge found that the proposed amendments sought to add a new cause of action under the DPA 1998, which is a different statutory regime from the UK GDPR and DPA 2018.
Same Facts: The judge determined that the new cause of action did not arise out of the same or substantially the same facts as the existing claim. Although the claims were based on the same memoranda and the complaint of inaccuracy was identical, the preparation and dissemination aspects could only be brought under the DPA 1998 regime and not the DPA 2018/UK GDPR regime.
Discretion: As the answer to the third stage was negative, the judge did not exercise discretion to allow the amendment. The judge also noted that the preparation and dissemination aspects of the claim were outside the limitation period and there was no explanation for the delay.
The judge also addressed the strike-out application:
Reputational Harm: The claim for damages for reputational harm allegedly arising through the dissemination of the dossier was only maintainable if the amendment application was successful, and so this aspect was struck out.
Remaining Claim: The judge found that the Claimant did not have reasonable grounds for claiming or a real prospect of obtaining either of the remedies sought – namely compensation or a compliance order. The judge concluded that the mere retention and storage of the memoranda by the Defendant did not cause the Claimant any distress.
Nominal Damages: The judge held that the Claimant’s alternative contention – that they were entitled to nominal damages if they established the inaccuracy of the personal data – was contrary to the Supreme Court’s decision in Lloyd v Google LLC UKSC 50, which held that there was no entitlement to compensation based solely on proof of a non-trivial contravention of a requirement of the Act in relation to any personal data of which the claimant was the subject.
The court also gave summary judgment on the compliance order and concluded that the Claimant was seeking court findings to vindicate their reputation in circumstances where they had not been able to formulate any viable remedy which they would have a real prospect of obtaining.