On 20 February, the Court of Appeal handed down judgment in Keith Smeaton v Equifax plc [2013] EWCA Civ 108. The case concerned incorrect data held by Equifax, a leading credit reference agency, which suggested that Smeaton was a bankrupt. In fact, a bankruptcy order had been made but rescinded.
The claimant sought compensation from Equifax in respect of a range of losses that he said flowed from their error. The losses were said to arise from the failure of Mr Smeaton’s plans to set up a record company, which were said to be scuppered by the refusal by NatWest of account and loan facilities. Those refusals were in part based on the inaccurate information about Smeaton which was fed to NatWest by Equifax.
The claim began as a claim for defamation but evolved into a claim under the Data Protection Act 1998, s 13 (compensation for failure to comply with requirements) and a claim for ‘damages at large for breach of duty at common law’. After torturous proceedings, where the attempts to identify the basis of Smeaton’s claims as to very substantial losses caused great difficulties, HHJ Thornton found largely in favour of Smeaton (see [2012] EWHC 2322 (QB)). He held that:
· Equifax had breached the Data Protection Act 1998, in particular the fourth data protection principle (accuracy of data), but also the first principle (fair processing) and fifth principle (retention of personal data), on the basis that Equifax had failed to take reasonable steps to ensure the accuracy of its data;
· Equifax owed Smeaton a duty of care in tort, which was co-extensive with its duties under the Act;
· Equifax’s breaches of duty caused Smeaton loss, in that they prevented Smeaton’s record company from obtaining a loan in and after mid-2006.
Tomlinson LJ, giving the lead judgment in the Court of Appeal, clearly found it hard to follow the trial judge’s reasoning: ‘the judge’s conclusion that the breaches of duty which he identified caused Mr Smeaton loss in that they prevented Ability Records from obtaining a loan in and after mid-2006 is in my view not just surprising but seriously aberrant. It is without any reliable foundation and completely unsupported, indeed contradicted, by the only evidence on which the judge could properly rely’. He might have halted his judgment at that point but he acknowledged the wide implication of HHJ Thornton’s finding that a credit reference agency assumes a duty of care in tort to all whose personal data it holds and covered that issue too.
Tomlinson LJ takes a very different line to the trial judge as to the extent of any duty on a credit reference agency in the, somewhat unusual, circumstances that had arisen in Smeaton’s case. It is not current practice for rescissions of bankruptcy orders to be published (eg in the London Gazette) and the duty under the fourth data protection principle to ensure that data is accurate is not absolute but subject to the data controller taking reasonable steps. Tomlinson LJ (at [67]-[68]) characterised part of the trial judge’s view as amounting to:
‘a conclusion that Equifax was in breach of the duty required of it under the DPA because it failed to attempt to persuade the Secretary of State and the Insolvency Service to initiate modifications to the legislative and regulatory framework and in particular failed to secure the reversal of the legislative choice made in 1986 no longer to require the automatic advertisement of annulments and rescissions. … I do not consider that this is a realistic conclusion. Self-evidently it is not realistic to conclude that an exercise of this sort was either necessary or feasible in relation to a tiny number of cases where the consequences of inaccuracy could not normally be expected to be anything other than temporary inconvenience. A duty the content of which is to lobby for a change in the law must be very uncertain in its ambit and extent and in my view is implausible.’
As to the ‘co-extensive duty of care at common law’, Tomlinson LJ said that the trial judge was in error in concluding that a credit reference agency assumes a responsibility to every member of the public simply by choosing to operate that type of business. He quoted Lord Mance’s dictum in HMRC v Barclays [2006] UKHL 28 (at [94]) that such an approach ‘is to assign to the concept of voluntary assumption of responsibility so wide a meaning as to deprive it of effective utility’.
‘(1) It is doubtful whether it was reasonably foreseeable that the recording of incorrect data on Mr Smeaton’s credit reference would cause him any loss, having regard to the practices operated by the credit industry set out in the Guide to Credit Scoring 2000. A person whose credit application was rejected because of adverse CRA data would be told of that fact and would be entitled to take steps to correct (or dispute) that data and to require the lender to reconsider the application for credit having regard to further, correcting information provided by the applicant.
(2) It would also not be fair, just or reasonable to impose a duty. In particular, imposing a duty owed to members of the public generally would potentially give rise to an indeterminate liability to an indeterminate class.
(3) It would also be otiose given that the DPA provides a detailed code for determining the civil liability of CRAs and other data controllers arising out of the improper processing of data.
(4) Apart from the DPA, Parliament has also enacted detailed legislation governing the licensing and operation of CRAs and the correction of inaccurate information contained in a credit file in the [Consumer Credit Act] 1974. This provides for the possibility of criminal sanctions, but does not create any right to civil damages. In such circumstances it would not be appropriate to extend the law of negligence to cover this territory.’
In a supporting judgment, Davis LJ said (at [77]-[82]):
