Who will rid me of these troublesome data protection claims? Defending data protection litigation

26 Nov 2021

Information Law

An email sent to the wrong recipient. A letter sent to the wrong address. A laptop stolen from a car. All data protection breaches – but how could they possibly justify thousands of pounds in damages, a multi-track High Court trial and legal costs well in excess of the value of the claim?

Judging by the number of instructions received by members of our Information Law team, data controllers are being overwhelmed by opportunistic data protection claims for inflated amounts of compensation.

However, in three judgments handed down in recent months, the High Court has offered helpful guidance for data controllers dealing with this growing area of litigation. What lessons do they hold?

Rolfe and others v Veale Wasborough Vizards LLP [2021] EWHC 2809 (QB)

The facts of this case are a classic of the genre: an accidental one-off incident where an email address was mistyped and the email was sent to an incorrect recipient. The defendant law firm, representing a school/educational trust, inadvertently sent a single email to a third party rather than the intended recipients, i.e., the claimants, who had owed a sum of school fees. The claimants’ names, address and account of school fees were disclosed. The actual recipient responded promptly, indicating they thought the email was not intended for them. The defendants replied promptly asking that the message be deleted. The recipient confirmed they had done so.

The claimants brought claims for damages in an unspecified amount, a declaration, and an injunction on the basis of misuse of private information, breach of confidence, common law negligence, damages under section 82 of the GDPR and section 169 of the Data Protection Act 2018.

The defendants applied for summary judgment. Master McCloud granted summary judgment for the defendants and dismissed the case with costs.

The key points to take from the judgment include:

  • The damage and/or distress caused, if any, was so low as not to satisfy the de minimis threshold implicit in the case law (specific reference was made to Lloyd v Google [2020] QB 747 and Campbell v MGN [2004] 2 AC 457). [5]-[7]

  • Where a claim is exaggerated and lacks credible evidence of distress, and the court regards the claim as speculative given its de minimis nature, an unsuccessful claimant may have to pay the defendant’s costs on an indemnity basis.

  • The question that ought to be answered when summary judgment is applied for in the context of potentially trivial breaches is this: “Given the nature of the breach and the nature of the information and the steps taken to mitigate the breach, and the material before [the judge], is it more than fanciful to suppose either that actual loss has been suffered or that distress has been suffered above a de minimis level”? [11]

  • Trivial breaches should be dismissed with costs: “In the modern world it is not appropriate for a party to claim (especially in the High Court) for breaches of this sort which are, frankly, trivial. The case law referred to above provides ample authority that whatever cause of action is relied on the law will not supply a remedy in cases where effectively no harm has credibly been shown or be likely to be shown.” [13]

Johnson v Eastlight Community Homes Ltd [2021] EWHC 3069 (QB)

This case also concerned the accidental sending of a single email. The housing association accidentally emailed a copy of the claimant’s rent statement to a third party who, within three hours, had notified the association of the error and deleted the data. The association apologised and reported itself to the ICO, who confirmed no further action was required. Nonetheless, a claim for an injunction, declaration and up to £3,000 in damages was issued in the High Court. The claimant’s budgeted legal costs were a little over £50,000.

The association applied to strike out and for summary judgment on the claim, on the basis that it was trivial and thus an abuse of process. However, by “a very narrow margin”, Master Thornett declined to do so and transferred the proceedings to the County Court with a clear steer that the case had “all of the hallmarks of a Small Claims Track claim”.

The key points to take from the judgment include:

  • This low-value data protection claim should never have been issued in the High Court: the certified value of the claim came nowhere near the £100,000 threshold set by CPR PD7A, para 2.1. The mere fact that it involved issues of data protection law did not elevate it to the status of a “High Court claim” for the purposes of CPR r.53.1. [24.1]
  • On the facts of this case, the question for the court was whether the Claimant should recover “purely nominal or instead extremely low damages”. Accordingly, it ought to have been issued in the County Court and allocated to the Small Claims Track. [24.4]
  • The suggestion that data protection was a “developing area of law … [or] requires elaborate and complex legal argument” was “unrealistic if not … opportunistic.” All litigation must be conducted proportionately and the County Court is more than capable of handling data protection claims. [24.5]
  • The suggestion that it would be necessary for the court to review the controller’s “organisational and internal procedures for the extent of the breach to be appreciated” was untenable. Such matters would be unknown to the claimant and “could never increase or aggravate her subjective distress or perception of loss.” [23(i)]

Warren v DSG Ltd [2021] EWHC 2168 (QB)

DSG, the retailer operating the ‘Currys PC World’ and ‘Dixons Travel’ brands, had been the victim of a sophisticated cyber-attack. The claimant was a customer of Currys and claimed that his name, address, phone number, date of birth and email address had been unlawfully obtained in the attack. He claimed damages limited to £5,000.00 in respect of distress.

This claim also featured the commonly encountered combination of causes of action for data protection breaches; his claim alleged a breach of confidence, misuse of private information, breach of the DPA 1998 and common law negligence.

The defendant sought summary judgment and/or an order striking out each of these claims apart from the claim for breach of statutory duty under the DPA 1998, arguing that: the claims had no realistic prospect of success; the facts were uncontroversial; and the claims were untenable as a matter of law. The claimant argued that such claims were properly arguable and should be resolved at trial following full factual investigation. The defendant succeeded.

The key points to take from the judgment include:

  • Where the breach alleged is a failure to keep personal data secure from unauthorised third-party access, such an allegation cannot amount in law to a breach of confidence or misuse of private information. Neither imposes a data security duty on the holders of information (even if private or confidential); both are concerned with prohibiting positive actions by the holder of information which are inconsistent with the obligation of confidence/privacy. [22]
  • A failure to keep personal data secure is not “tantamount to publication”. As Saini J put it memorably, “If a burglar enters my home through an open window (carelessly left open by me) and steals my son’s bank statements, it makes little sense to describe this as a “misuse of private information” by me. Recharacterizing my failure to lock the window as “publication” of the statements is wholly artificial. It is an unconvincing attempt to shoehorn the facts of the data breach into the tort of [misuse of private information].” [27]
  • No common law duty of care ought to be imposed where the statutory duties under the DPA 1998 (and, it ought to follow, the DPA 2018 and the (UK) GDPR) operate. The negligence claim also failed because no actionable loss (i.e., pecuniary or a clinically recognisable psychiatric illness) could be shown. [33]-[42]
  • What remained of the claim – breach of statutory duty under the then applicable DPA 1998 – was transferred to the County Court for trial. [44]

Key points for data controllers

These cases provide clear support for data controllers to take a robust position in defending low-value data protection claims.

  • Firstly, where the claim is limited to damages in the low thousands, and the personal data breach has been admitted, it belongs in the Small Claims Track – and certainly not in the High Court. There, the data controller has the benefit of substantial costs protection (including the general unavailability of Part 36 offers).

  • Secondly, where the extent of the damage is trivial, it should be summarily disposed of without the need for trial, which again has the benefit of significantly limiting costs.

  • Thirdly, parties should exercise restraint when selecting causes of action (negligence is out; multiple causes of action do not necessarily increase the final damages award) and making allegations of distress. These cases suggest the court will take a much closer look at these cases in future – and won’t hesitate to filter out opportunistic claims.

Matt Lewin and Dr Christina Lienen are members of the Cornerstone Barristers’ Information Law Team.
