2021 was a busy year for UK data litigators as courts got their teeth into some key issues in this developing area. One area of particular focus was how English law approaches the ‘minor’ or ‘inadvertent’ data breach. Such incidents can easily arise; an email copied to the wrong person, usually swiftly deleted, is a prime example. However, despite such events usually causing no tangible, financial harm to anyone involved, businesses have frequently found themselves with a headache as claims by the data subject for distress have followed.
Now that we move into 2022, we look back at some of 2021’s key cases in this area and explain why we think 2022 should bring cautious optimism for data controllers faced with these types of claims.
Narrowing the scope of data breach claims – Warren v DSG Retail Ltd [2021] EWHC 2168 (QB)
A pattern has developed in many data breach claims where no financial harm has been suffered. A claimant seeks damages at a relatively low value for distress and anxiety caused by the breach and the claim under the Data Protection Act 2018 (“DPA”) is accompanied by claims for one or more of: misuse of private information, breach of confidence, and negligence.
By bringing a privacy claim, the claimant is able to seek to recover not only their legal costs but also the premium for any after-the-event (“ATE”) insurance policy obtained in relation to the claim. The legal costs and ATE premium dramatically exceed the realistically recoverable damages. This leaves defendants with the prospect of paying over the odds for a claim where the claimant has suffered no financial loss, or fighting litigation with the risk of mounting costs on both sides if the decision goes against them.
That was the situation facing DSG Retail Limited (“DSG”) in Warren v DSG Retail Ltd [2021] EWHC 2168 (QB) following a cyber-attack by which hackers had accessed personal data of DSG customers.
In July 2021, DSG succeeded in having the misuse of private information and breach of confidence claims struck out/summarily dismissed. The Court dismissed the claims on the basis that DSG had not taken any positive act which could constitute the necessary misuse. Whilst a ‘misuse’ of private information can be unintentional, it does require there to be a ‘use’. The negligence claim was also dismissed for lack of a separate duty of care where the DPA already imposes a statutory duty.
The result of DSG’s actions was that only Mr Warren’s claim for breach of the DPA was allowed to proceed. While the damages claimed would likely remain the same, this was far from a pyrrhic victory for DSG for two reasons.
- First, as ATE premiums cannot be recovered for DPA claims it now appears unlikely that Mr Warren will be able to recover that sum from DSG, even if he is successful. The ATE premium can be substantial in this context and well in excess of the amount claimed.
- In the absence of the other causes of action, the DPA claim was transferred from the High Court to the County Court. Given the small value of the claim, the ability for Mr Warren to recover any legal costs is also be more limited.
Whilst this decision added useful clarity for data controllers, two key questions remained:
- With some further thought, will claimant lawyers be able to find a sufficient positive act to hang their clients’ breach of confidence and misuse of private information claims on? This remains a question for 2022.
- How will breach of confidence and misuse of private information claims be treated where the data breach was inadvertent but did involve an act by the defendant? This second question is considered further in some of the cases discussed below.
For more detail on this case, see our previous blog post here.
Treating data claims appropriately – Johnson v Eastlight Community Homes Ltd [2021] EWHC 3069 (QB)
The facts in Johnson v Eastlight Community Homes Ltd [2021] EWHC 3069 (QB) are not rare. An individual at Eastlight inadvertently emailed a third party disclosing some of the claimant’s personal data in an attachment. The third party notified Eastlight that this had happened and then confirmed that they had deleted the data. The whole situation lasted less than three hours and was the result of simple human error.
The data disclosed was not particularly sensitive, it included the claimant’s name, address and recent rent payments made. It is worth noting that the attachment which contained the personal data ran to 6,941 pages, with the claimant’s data at pages 880-882. Eastlight had reported the breach to the ICO (though did not accept that this was necessary given the circumstances), and the ICO had confirmed that no action was required or would be taken.
Whilst Eastlight might have hoped that would be the end of the matter, the claimant subsequently brought proceedings in the High Court for (1) misuse of private information; (2) breach of confidence; (3) negligence; (4) breach of article 8 of the ECHR; and (5) breach of the GDPR and DPA. Whilst the damages claimed were limited to £3,000, the Claimant had incurred costs of £15,000, and had budgeted for further costs of just over £50,000.
The judgment considers Eastlight’s application for summary judgment of the claim on the basis that the damage suffered was below the de minimis level, or strike out on the basis that “the game is not worth the candle” (in other words, any tangible or legitimate advantage for a litigant would be minimal and disproportionate to the greater disadvantage in terms of expense and use of court resources, from the jurisdiction discussed in Jameel v Down Jones & Co Inc [2 005] QB 246). Eastlight also applied to strike out the claim in negligence, though the claim was withdrawn by the claimant at the hearing so was not considered by the Master.
In considering Eastlight’s application, the Master made a number of remarks that will be welcomed by defendants to these types of cases. In particular, the Master concluded that the breach of confidence and misuse of private information claims did not add anything useful or independent to the claim arising for breach of the GDPR. These claims were therefore struck out on the basis that they would take up disproportionate and unreasonable court time and costs.
This decision resulted in another case which started off alleging multiple causes of action being allowed to proceed only on the more limited ground of breach of data protection legislation. Multiple claims having been being dispensed with, the Master determined that the claim could be appropriately progressed in the County Court, including making the useful comment that “Everything about this case has all of the hallmarks of a Small Claim Track claim” – with the corresponding limitation on costs recovery.
The Master hearing this case was clearly unimpressed with the approach taken by the Claimant (and the firm representing her) and the costs that had been incurred and budgeted. This case provides a clear warning to firms engaged in bringing similar claims, and gives some further comfort to businesses being put in this unenviable position.
Keeping the case on (the small claims) track – Ashley v Amplifon Limited [2021] EWHC 2921
A further 2021 decision has demonstrated that, even where ancillary claims of breach of confidence and misuse of private information are allowed to continue in small data breach claims, the small claims track in the County Court can still be the appropriate forum.
Ashley v Amplifon Limited [2021] EWHC 2921 involved another instance of personal data being inadvertently sent to a third party by email, and a strike out being argued on grounds similar to those in Eastlight.
Whilst the claims (including the ancillary causes of action) were allowed to continue in this instance, the case was again transferred from the High Court to the County Court, with the Judge noting that the suitable track to litigate the claim was “probably the small claims track”.
This case gives a further indication that the Courts will continue to discourage the making of overly-complex claims and will not permit them being brought in the wrong Court division simply for the benefit of improved costs recovery.
Rolfe v Veale Wasbrough Vizards LLP [2021] EWHC 2809 (QB)
In at least one instance in 2021, the High Court has been prepared to go even further than simply transferring these claims to the County Court. In Rolfe v Veale Wasbrough Vizards LLP [2021] EWHC 2809 (QB) the Master granted summary judgment in favour of the Defendant on all causes of action alleged, and awarded the Defendant its costs on the indemnity basis. The decision sends a strong note of warning to anyone continuing to bring these claims in the High Court.
The case again related to a single email sent to the wrong person, containing name and address information, together with some information on school fees (though the level of fees was public information) and an indication that some fees were outstanding. The email was promptly deleted by the third party when the error was identified. This small data incident resulted in claims for damages for misuse of confidential information, breach of confidence, negligence, and under the GDPR and DPA, plus requests for declarations and an injunction to prevent further breaches. An application was made to strike out the claim on the basis that the distress said to have been suffered did not met the de minimis threshold to enable a claim.
Master McCloud’s conclusion that summary judgment should be granted on the entirety of the claim is worth repeating in full:
“12. What harm has been done, arguably? We have here a case of minimally significant information, nothing especially personal such as bank details or medical matters, a very rapid set of steps to ask the incorrect recipient to delete it (which she confirmed) and no evidence of further transmission or any consequent misuse (and it would be hard to imagine what significant misuse could result, given the minimally private nature of the data). We have a plainly exaggerated claim for time spent by the Claimants dealing with the case and a frankly inherently implausible suggestion that the minimal breach caused significant distress and worry or even made them ‘feel ill’. In my judgment no person of ordinary fortitude would reasonably suffer the distress claimed arising in these circumstances in the 21st Century, in a case where a single breach was quickly remedied.
13. There is no credible case that distress or damage over a de minimis threshold will be proved. In the modern world it is not appropriate for a party to claim, (especially in the in the High Court) for breaches of this sort which are, frankly, trivial. The case law referred to above provides ample authority that whatever cause of action is relied on the law will not supply a remedy in cases where effectively no harm has credibly been shown or be likely to be shown.”
Such a strong indication from an experienced Master provides helpful clarity. We expect to see this reasoning regularly relied on by data controllers who are seeking to push back on minor data breach claims.
How much is distress worth?
There have been a trickle of decisions on damages for distress under the DPA (and the earlier 1998 Act), but they are relatively few and far between. They are also frequently confined to their own facts, making it harder to quantify with any certainty what an appropriate settlement value for a claim might be.
We may well get some further guidance on this point in 2022 from a case which spawned a lot of (misleading) headlines in 2021, Fairhurst v Woodard (Case No: G00MK161) (12 October 2021). This case concerned the use of security cameras and video doorbells in the domestic setting.
In overview, on the specific facts of this case, the defendant’s cameras were found to have captured parts of the claimant on her property, and the defendant’s legitimate interest in recording footage from those cameras for crime prevention was outweighed by the claimant’s right to privacy. As such, the Court held that there had been breach of the DPA.
Whilst this is a County Court decision and so its findings are not binding on higher courts, they do form useful guidance. The Court left open in its judgment the question of remedies and (so far as we are aware at the time of writing) the assessment of damages in this case has not yet been publicised. This and the other cases referenced above which are continuing, may all help form a clearer picture of what appropriate damages for these types of data breaches may be.
So what next for 2022?
Although 2021 brought a number of helpful decisions for defendants in these minor data breach cases, it remains possible that, having taken the weaknesses of their previous approach into account, claimant lawyers will revise their approach in a way which will enable claimants’ cases to survive summary judgment/strike out and transfer applications such as those referred to above.
That said, there is a clear trend of judicial authority and opinion starting to develop, which gives short shrift to attempts to take advantage of the court rules and over-complicate claims for the sake of costs recovery.
Overall, therefore, data controllers faced with these types of minor data breach claims can feel themselves in a more robust position than had previously been the case as we enter 2022.