Damages in Misuse of Private Information Claims

July 4, 2025

Damages in Misuse of Private Information Claims: Legal Principles and Evolution

The law surrounding damages in misuse of private information claims has developed significantly over the past two decades. From modest awards in early cases like Douglas v Hello! and Campbell v MGN, the courts have moved towards a more robust framework recognising both emotional harm and the loss of control over private data. Landmark decisions such as Mosley v NGN, Gulati v MGN Ltd and Richard v BBC have transformed the quantum of privacy damages, with awards now frequently reaching into six figures in serious cases. This article examines the legal principles, key case law, and practical considerations that shape compensation in privacy litigation, including the role of aggravated damages, proportionality, and the claimant’s vulnerability.

Historically, damages awards in privacy cases were relatively modest. Early decisions like Douglas v Hello! Ltd (No. 3) [2005] EWCA Civ 595 and Campbell v MGN [2004] UKHL 22 set the stage, with courts often aligning privacy awards with the relatively low levels of damages seen in European human rights cases. For example, Michael Douglas and Catherine Zeta-Jones received only £14,600 in damages for the distress caused by unauthorised wedding photos published in Hello! Magazine, a sum reflecting injury to feelings rather than any notional licence fee for the images. English courts at that time eschewed US-style punitive or commercially-driven awards; damages were viewed purely compensatory, aimed at the hurt feelings and loss of dignity caused by the invasion. Exemplary damages were deemed unavailable in privacy claims, keeping awards relatively low and in line with personal injury analogies.

A turning point came in 2008 with Mosley v News Group Newspapers [2008] EWHC 1777 (QB). Max Mosley, who was secretly filmed engaging in private sexual activity that was then exposed by a tabloid, was awarded £60,000, unprecedented at the time for a privacy breach. Mr Justice Eady’s judgment in Mosley outlined key principles that would inform future cases: privacy damages should compensate for distress, hurt feelings, and loss of dignity, and also serve a vindicatory purpose marking the wrongfulness of the intrusion (without double-counting). He emphasised proportionality, noting that awards should bear a reasonable relationship to personal injury and defamation awards, and he considered £60k appropriate for what he called a “life-changing” violation of privacy.

By the early 2010s, privacy claimants were pushing for more robust compensation. In Cooper v Turrell [2011] EWHC 3269 (QB), where private medical information was maliciously spread, the judge indicated £40,000 would have been justified for privacy alone (though part of the award was for libel). Similarly in Spelman v Express Newspapers [2012] EWHC 355 (QB), concerning a newspaper’s plan to publish a story about a politician’s teenage son, the court observed that if damages are to be an effective remedy they cannot be too low. Modest awards (e.g. £10,000 total for Paul Weller’s children in Weller v Associated Newspapers [2014] EWHC 1163 (QB) over published photos) were still common for routine breaches, but the stage was set for a major recalibration. The culmination of this evolution was the Gulati v MGN Ltd [2015] EWHC 1482 (Ch) phone-hacking case, which raised the ceiling of privacy damages and expanded the principles governing compensation.

Early Case Law 

In the early 2000s, before Gulati, privacy claims were often pursued as breaches of confidence due to the lack of a stand-alone privacy tort. After Campbell (2004) confirmed misuse of private information as a tort, courts grappled with how to measure damages. The prevailing approach limited recovery to the mental distress or humiliation suffered by the claimant, with only nominal sums if no distress could be shown. Thus, pre-Gulati privacy awards were generally conservative. The Douglas v Hello! case in 2003–2005, involving surreptitious wedding photographs, exemplified this: the Court of Appeal rejected the idea of a “licence fee” measure for the lost commercial value of the photos, insisting the claimants’ damages be anchored in their distress and loss of privacy, not in speculative economic value. This kept the award to the Douglases relatively low (under £15k), reinforcing that English privacy law was focused on compensation for personal hurt, not unjust enrichment or punishment.

The first indications that courts might depart from purely nominal damages came with cases like McKennitt v Ash [2006] EWCA Civ 1714 (where a small sum was awarded for a breach involving private diary information) and then Mosley in 2008 which, awarded £60,000. Mr. Justice Eady in Mosley established some principles:

Heads of Damage:

Claimants can recover for the distress, hurt feelings, humiliation, and loss of dignity caused by the misuse. An award can also vindicate the infringed right, but if a substantial sum is given for distress, courts avoid adding a separate sum purely for vindication so as not to double-compensate.

Proportionality:

Awards should be proportionate and not arbitrary. Courts may cross-check privacy awards against personal injury and defamation ranges to maintain coherence. At the time, the top general damages for serious personal injury was around £220,000, and libel awards were calibrated with that in mind. A privacy award, Eady J suggested, should not vastly exceed what a very serious physical injury might attract.

Aggravating Factors:

Courts can increase damages for aggravation if the manner of the breach or the defendant’s conduct worsened the injury. Conversely, a claimant’s own conduct might mitigate the award (for example, if they had themselves courted publicity or previously revealed the information). However, damages in privacy are not punitive, an uplift must reflect additional hurt, not serve as a fine on the defendant.

Limits of Compensation:

Acknowledging that money is a poor substitute for lost privacy, the task was to choose a figure that marks the wrong and offers solace without being excessive or trivial. In Mosley, £60k was deemed neither excessive (given the life-changing harm and blatant intrusion) nor a windfall.

Gulati v MGN Ltd (2015)

Gulati v MGN Ltd [2015] EWHC 1482 (Ch) was a group litigation arising from the Daily Mirror phone-hacking scandal. A number of public figures (actors, athletes, etc.) sued Mirror Group Newspapers for systematically hacking their voicemails over many years and using private information gleaned to publish stories. The scale of intrusion was unprecedented, and the case squarely raised a novel issue: Are damages in misuse of private information limited to emotional distress, or can they also compensate for the very fact of the intrusion (loss of control over private information)?

Mr. Justice Mann delivered a judgment. He held that English law does permit compensation for the infringement of privacy itself, in addition to any distress caused. This meant that even if a claimant wasn’t aware of the intrusion at the time (and thus didn’t suffer immediate distress), the loss of autonomy and control over one’s personal information is a real harm that merits damages. This was a break from the earlier approach that looked mainly for injury to feelings. Mann J reasoned that past awards had been too low and failed to reflect the seriousness of privacy invasions in the modern era.

Importantly, Mann J also rejected the idea of a single global award per claimant if multiple wrongs were done. MGN had argued each claimant should get one lump sum for overall distress, but the judge found that in cases of systematic, repeated intrusions (like dozens of phone hacks and resulting articles), a single sum would not adequately reflect the distinct violations. He opted to give separate component awards for different categories of wrongdoing (e.g. voicemail interceptions, each published article, etc.), then summed them up per claimant, while ensuring the total for each person remained proportionate and not excessive. This flexible approach ensured full compensation for all aspects of harm without double-counting.

The results were unprecedented: eight representative claimants received sums ranging from about £72,500 up to £260,250. For example, actor Sadie Frost received the highest total (£260,250), reflecting roughly four-and-a-half years of frequent hacking and numerous private stories published. Others, like Paul Gascoigne (£188k) and Shane Richie (£155k), also received six-figure totals. These awards far outstripped any previous privacy damages, firmly establishing that English courts will award amounts on par with serious personal injury or defamation cases.

MGN appealed, arguing the awards were excessive and wrong in principle. The Court of Appeal (Arden LJ) unanimously upheld Mann J’s decision in MGN v Representative Claimants [2015] EWCA Civ 1291. Several key points were confirmed:

Not Limited to Distress:

The Court of Appeal affirmed that general damages in privacy claims are not confined to distress alone. Compensation can be awarded for the invasion of the right to privacy itself ,i.e. the loss of control over private information. This cemented the principle that the law protects not just the consequences of a privacy breach but the fact of the breach itself.

Global vs. Itemised Awards:

It was held that judges have discretion to decide whether to award a single lump sum or break down the award by components. Arden LJ noted there is no rigid rule; in complex scenarios with multiple intrusions (like phone hacking over years), it may be appropriate to itemise damages for each act, whereas a one-off misuse might only need a single figure. The guiding principle is what best achieves fair compensation in the case at hand.

Quantum :

The appeal court did not find the sums manifestly excessive given the extraordinary facts. In fact, Arden LJ approved of Mann J’s methodology and signalled that future cases should take guidance from it. She acknowledged that English privacy law had now departed from the modest Strasbourg (European Court of Human Rights) awards, justifying a separate path due to the greater emphasis on personal autonomy in domestic law. In other words, English courts were not bound to keep privacy damages low just because the ECHR typically awards only a few thousand euros for distress.
Perhaps most usefully, the Court of Appeal endorsed a set of factors Mann J outlined  for assessing the seriousness of a privacy breach. Arden LJ adopted these as a template for future cases. They included considerations such as the nature of the information, the effect on the claimant, and the scope of publication.

Distress vs. Loss of Autonomy: 

One of the most significant legal developments confirmed by Gulati is that damages for misuse of private information compensate two distinct aspects of harm:

Distress / Emotional Harm: Almost all privacy breaches, once discovered, cause the individual some degree of mental anguish, whether shock, humiliation, anger, or ongoing anxiety. This injury to feelings has always been recognised in privacy (and before that, breach of confidence) awards. It remains a core component of damages.

Loss of Privacy / Autonomy itself: Separately, the infringement of the right to control one’s personal information is in itself a harm, even if no particular distress can be shown at the time. This refers to the affront and loss of autonomy suffered when one’s private life is intruded upon without consent.

Prior to Gulati, many assumed that without demonstrable distress (for example, if the claimant never learned of the violation until much later), only nominal damages would be available. Gulati swept away that notion, it made clear that the tort of misuse of private information is actionable per se (like libel), meaning the act of violating privacy is itself compensable even if emotional harm isn’t immediately evident. As Mann J put it, once there is a wrongful misuse of private information, the victim has lost something of value, their right to keep that information private and the law should acknowledge that loss.

Role of Aggravated Damages

English courts do not award punitive damages in privacy cases, but they can award aggravated damages to reflect particularly hurtful or outrageous conduct by the defendant. Aggravated damages are still compensatory in nature, they aim to compensate the claimant for additional distress or injury to feelings caused by the manner or motives of the intrusion, beyond the inherent harm of the privacy breach itself. The principles here mirror those in defamation: if the defendant’s conduct has been especially high-handed, insulting, or malicious, it may aggravate the claimant’s hurt and thus warrant a higher award.

Many of the high-profile privacy cases in recent years have included an aggravated component. For example:

Sir Cliff Richard v BBC (2018): Of Sir Cliff’s £210k award, £20,000 was expressly identified as aggravated damages. The BBC not only filmed a police raid on his home but later submitted that footage for a journalism award and publicly touted its scoop. This post-intrusion conduct, showing a lack of remorse and even pride in the invasive broadcast was found to intensify Sir Cliff’s distress and indignity, justifying an uplift.

Sicri v Associated Newspapers (2020): Warby J folded an aggravated element into the general damages (which were £50k) for Mr. Sicri. The Daily Mail’s publication had a sensationalist, arguably reckless tone (implying a terrorism suspect angle) and the newspaper’s conduct (including how it fought the case) likely exacerbated Sicri’s suffering. Though the judge didn’t itemise it, part of the £50k was to account for this aggravated hurt.

Bull v Desporte (2019): In a case involving a kiss-and-tell e-book by an ex-partner, the total award was £12,500, of which £2,500 was expressly for aggravated damages. The defendant’s boastful betrayal (publishing intimate sexual details to brag and hurt Mr. Bull) warranted the small uplift, as it increased the humiliation.

JQL v NTP (2020): The £15,000 awarded to a teenage girl (JQL) included an aggravated element. Her uncle’s conduct sharing her private mental health struggles on Facebook, was grossly insensitive and a betrayal of family trust, which the judge found particularly hurtful. Even if the uncle’s motive was not outright malice, the cavalier disregard for his niece’s privacy in a family context aggravated her distress.

Bekoe v Islington (2023): Although a relatively small case (improper sharing of a resident’s financial information by a council), the court noted the council’s aggressive conduct during the litigation added to the claimant’s distress, meriting a modest aggravated component of the £6,000 award.

Aggravating factors can include a malicious motive, deliberate exposure of particularly sensitive information for profit or revenge, lack of apology or attempts to justify the intrusion, or the defendant behaving oppressively during litigation (as seen in Bekoe). Conversely, if a defendant has shown contrition or taken steps to mitigate harm, the absence of aggravation might keep damages lower.

Factors Influencing Quantum of Damages

Nature and Sensitivity of the Information:

How private or sensitive is the information that was misused? Highly sensitive content, e.g. medical records, mental health details, intimate sexual or family matters, drives awards higher. If the information is relatively innocuous or already somewhat public, damages will be lower. For example, disclosing someone’s medical condition (like HIV status or psychiatric history) is far more serious than, say, revealing their address or a benign hobby. In Richard, being named as a suspect in a sexual offence investigation was deemed “extremely serious” and at the top end of privacy concern.

By contrast, in ST v L Primary School (2020), a letter mentioning a child’s behavioural issues, while private was shared in a contained, concerned-parent context, and viewed as less sensitive (reflected in a low award of £1,500 to the mother, £3,000 to the child). Generally, information about health, sexual life, or minors is treated as inherently private. Even financial information, though confidential, might rank slightly lower than one’s person or health, yet it can still attract notable damages if misused (e.g. a case of financial data misuse, Bekoe v Islington (2023), led to £6k damages, partly due to the privacy breach of financial records).

Extent of Publication:

How widely was the private information disseminated? The audience size and publicity matter enormously. A front-page newspaper story or something broadcast/viral on the internet causes a much greater loss of control (and usually greater humiliation or distress) than a disclosure to a handful of people. Thus, the scope of publication often scales the award. For instance, Weller (2014), a few photographs of children in one newspaper, yielded £10k total. In contrast, Sir Cliff Richard’s exposé was broadcast live to millions and became worldwide news, contributing to his £210k award.

The phone-hacking cases (Gulati) involved dozens of articles over years, hence the six-figure sums. Conversely, very limited publication tends to keep awards down: in Bull v Desporte, only 50 copies of the offending e-book were downloaded, and in JQL, a Facebook post was live for 3 hours with perhaps 20–30 viewers beyond family these relatively small audiences helped contain damages (to £12.5k and £15k respectively) despite the sensitive nature of the content. Judges explicitly consider this wider the publication, greater the harm principle; indeed, Mann J in Richard listed the scope of publication the wider, the greater the invasion and effect as a key factor.

Presentation:

The manner in which private information is presented can aggravate the harm. A sensationalist or salacious presentation can heighten the claimant’s distress and reputational damage, whereas a sober, minimal disclosure (while still a breach) might be less injurious. In Richard, the BBC’s use of helicopter footage and breathless rolling news coverage of the police raid amplified Sir Cliff’s humiliation, it wasn’t just that they reported the fact of the investigation, but the way they did it was intrusive and prurient. By comparison, had it been a short factual news blurb, the damage, though still significant, might have been a bit less. Similarly, Warby J in Sicri observed that the MailOnline article not only named Mr. Sicri (when others didn’t) but did so in a sensational manner that suggested guilt by association, thus aggravating the impact. Courts will ask: was the publication unnecessarily graphic, prolonged, or tilted to maximise embarrassment? If so, damages may be higher.

Motive:

While the defendant’s motive is primarily relevant to liability (e.g. whether there was a public interest justification), it can also influence damages. An altruistic or inadvertent breach might be viewed more leniently than a breach done out of malice, profit, or revenge. For example, the school in ST v L Primary School arguably had a well-meaning if misguided motive (trying to reassure parents) and that context contributed to modest damages. In contrast, a malicious tell-all or revenge porn scenario (Bull v Desporte’s boastful betrayal, or FGX v Gaunt where an ex deliberately uploaded intimate videos out of spite) involves a cruel intent that typically exacerbates the victim’s hurt. Malicious or profiteering motives often manifest in an aggravated damages uplift, as discussed above. Essentially, if the invasion was done in bad faith or for sensational gain, courts treat it as more serious.

Duration and Repetition:

A one-off breach might cause a sharp, singular harm, whereas repeated or continuous intrusions can have a cumulative, compounding effect. Being under a sustained privacy siege like daily phone hacks or a series of articles tends to increase damages because each act renews the injury and can lead to long-term trauma. Mann J in Gulati noted how years of intrusion led some claimants to paranoia and a profound loss of trust. However, courts are also mindful that after a certain point the damage might plateau: once something extremely private is widely exposed, additional publications might not double the hurt. Generally, though, multiple intrusions are treated as aggravating they show a pattern of violation that warrants a higher cumulative award. The timeline of the wrong e.g. a secret camera operating over months, or multiple leaks will be accounted for in quantum.

Claimant’s Profile and Vulnerability:

The personal characteristics and circumstances of the claimant can affect both the extent of harm and how the court values it. A key question is: what effect did this breach have on this particular person? For example, public figures might suffer broader reputational fallout from a privacy breach, but they could also be somewhat inured to media attention. The claimant’s age, health, and prior experiences also play a role. If someone has a pre-existing vulnerability, say, mental health issues or past trauma, an intrusion might hit them harder, and the law compensates them for that full impact. For instance, Paul Gascoigne’s fragile recovery from alcoholism was derailed by phone-hacking, worsening his relapse, his award reflected that extra impact. JQL, the teenage girl, already struggled with mental health issues; her uncle’s betrayal intensified her distress far beyond what a more resilient person might have suffered from a brief Facebook post. The judge in that case effectively took her as he found her severely hurt, so £15k was warranted.

Importantly, there is a baseline objective test in privacy: the information must be such that a reasonable person would expect privacy. Once that threshold is crossed, the claimant’s subjective reaction if reasonable and causally linked can determine the level of damages.

The egg-shell skull rule, holds that a defendant must take their victim as they find them, even if the victim is unusually vulnerable. In the context of misuse of private information, this principle confirms that once a privacy breach is established, the defendant is liable for the full extent of the emotional and psychological harm caused to the particular claimant, even if another person might have been less affected by the same intrusion.

We have seen this play out in several cases:

In Gulati, the different reactions of claimants influenced their individual awards. For example, Paul Gascoigne’s personal fragility meant the sustained hacking had a devastating effect on him contributing to a relapse in alcoholism, so his damages were substantial, nearly £190k. Someone with a thicker skin might not have suffered to that degree, but that’s irrelevant in law, Gascoigne was compensated for what he actually endured.

In genuine cases of vulnerable claimants, though, courts have not hesitated to award higher sums:

Sicri (2020): Mr. Sicri’s background as an innocent person publicly linked to terrorism meant he suffered severe anxiety, health issues, and social ostracism. Warby J treated those consequences as fully compensable, resulting in a large general damages award of £50k (plus special damages).

AXB (2023): An 18-year-old patient secretly filmed by her doctor suffered PTSD, and even though the footage wasn’t shared widely, her particular sense of violation and lasting anxiety warranted a total of £51k (£38k general, £13k special).

Once a reasonable expectation of privacy is breached, the defendant bears the risk of however badly the claimant takes it, provided the reaction is sincerely attributable to the intrusion.

Claimant Conduct

While courts strive to compensate claimants generously for privacy infringements, they also consider whether the claimant’s own conduct should temper the award. Two scenarios in which claimant conduct can limit damages are: (1) where the claimant themselves has exposed the information or courted publicity, and (2) where the claimant’s reaction to the breach is so unusual or self-inflicted that some losses are deemed too remote.

Self-Publication or Previous Disclosure: If a claimant has previously made certain private facts public or semi-public, a defendant’s subsequent disclosure causes less additional harm. The classic example is Burrell v Clifford (2016), where Princess Diana’s former butler sued over disclosures of private information that, crucially, he had already revealed in his memoirs. The court found that Mr. Burrell could not convincingly claim serious distress from information being aired by someone else when he had willingly put much of it out there himself.

Consent:

Relatedly, where a claimant has consented to some publication of the information or given an interview, etc., they may not be able to claim the same level of distress if that information appears elsewhere. The law asks: how truly private was this to the claimant? If they treated it as not very private, damages will reflect that.

Unreasonable Reactions and Remoteness:

The egg-shell skull rule has its limits if a claimant’s reaction is so unreasonable that it lies outside what the defendant could fairly be accountable for. While genuine psychological vulnerability is honoured, a claimant cannot manufacture or exaggerate harm for a higher payout. Judges will scrutinise the evidence of distress and its causes. For example, if a claimant refused any opportunity to mitigate the harm (perhaps by enjoining a publication or removing content) and instead let the situation worsen, a court might view some subsequent distress as avoidable and not fully chargeable to the defendant. Also, any evidence of pre-existing issues that would have caused the claimant’s condition regardless of the breach could limit damages by the usual principles of causation.

Conclusion

It is now firmly established that loss of privacy, the infringement of one’s autonomy and dignity is a head of damage in its own right. Claimants need not prove a psychiatric injury or clinical level of distress to recover meaningful damages. The very fact of a serious intrusion, even absent immediate harm, is compensable. Awards in the most serious cases e.g. prolonged media campaigns, egregious betrayals, or severe psychological harm caused have reached six figures. What was once unthinkable, a £260k privacy award  is now precedent, albeit reserved for exceptional cases. More typical substantial breaches  can attract mid-to-high five figures or low six figures, depending on impact.