It is well known that, under the UK GDPR and Data Protection Act 2018 (“DPA 2018”), data subjects can enforce their data protection rights against data controllers directly in the courts and seek compensation for breaches of those rights.
Continue Reading Orders to Progress Complaints – No Backdoor Appeal Process For ICO Decisions
Victoria Leigh
English Courts’ Stance on Low-Value Data Breach Claims Continues to Harden, But There May be Hiccups Along the Way
Over the last couple of years, the High Court has been sceptical of low-value compensation claims for minor data breaches (see our previous articles here and here). Such scepticism is illustrated by the High Court:
- criticising the “kitchen sink” approach adopted by claimants who bring overly complex claims with multiple causes of action and narrowing the scope of claims by dismissing misuse of private information and breach of confidence claims as in Warren v DSG Retail Ltd [2021] EWHC 2168 (QB), Johnson v Eastlight Community Homes Ltd [2021] EWHC 3069 (QB) and William Stadler v Currys Group Limited [2022] EWHC 160 (QB);
- transferring straightforward, low-value data breach claims to the County Court as the most appropriate court to hear the claim as in Warren v DSG Retail Ltd, Johnson v Eastlight Community Homes Ltd, Ashley v Amplifon Limited [2021] EWHC 2921 and William Stadler v Currys Group Limited; and
- condemning data breach claims for damages when there is little to no harm or the harm claimed has no prospect of meeting the de minimis threshold for receiving damages as in Rolfe v Veale Wasbrough Vizards LLP [2021] EWHC 2809 (QB).
A recently published case in England and the Opinion of EU Advocate General, Campos Sanchez-Bordona, on UI v Österreichische Post AG in October 2022 have given further support to the approach of the High Court, although the traffic has not been all one way as the High Court decision in Driver v Crown Prosecution Service [2022] EWCH 2500 (KB) departed slightly from this emerging line of judicial thinking.
We take a closer look at these three cases below and provide you with some key takeaways.Continue Reading English Courts’ Stance on Low-Value Data Breach Claims Continues to Harden, But There May be Hiccups Along the Way
Two More Nails in the Coffin for Opportunistic Data Breach Claims
Following on from a string of cases in 2021 concerning minor data breaches (see our earlier article here), two further cases in Q1 of 2022 have continued the trend of High Court scepticism. Such compensation claims, usually involving multiple causes of action, often find themselves trimmed down and sent to the County Court, if…
Google LLC v Lloyd – Major Representative Action Denied
On 10 November 2021, the UK Supreme Court unanimously rejected Mr Richard Lloyd’s attempt to bring representative proceedings against Google. Styled by the Court of Appeal as a champion of consumer protection, Mr Lloyd sought damages for approximately 4 million Apple IPhone users under section 13 of the Data Protection Act 1998 (“the DPA 1998”) after the unlawful processing of their data. He had suggested uniform damages at £750 per user which would have landed Google with a bill for £3 billion.
Continue Reading Google LLC v Lloyd – Major Representative Action Denied
The Inadvertent Data Breach – What Do These Claims Look Like in 2022?
2021 was a busy year for UK data litigators as courts got their teeth into some key issues in this developing area. One area of particular focus was how English law approaches the ‘minor’ or ‘inadvertent’ data breach. Such incidents can easily arise; an email copied to the wrong person, usually swiftly deleted, is a…
Narrowing the Scope of Data Breach Claims? – Warren v DSG Retail Ltd
Over the past few years, there has been an increasing number of claims against businesses and public bodies for distress caused by data breaches. The pattern is, by now, a familiar one. A claimant will make a claim for breach of data protection legislation, seeking damages at a relatively low value for the distress and anxiety they say has been caused by the data breach. This claim will be accompanied by claims for one or more of: misuse of private information, breach of confidence and negligence. Added on to the damages claimed will be the legal costs of the claimant’s lawyers, together with the after-the-event (“ATE”) insurance premium for the policy the claimant will have procured to bring a privacy claim. As a result, the defendant is faced with a difficult decision – pay over the odds for a claim where the claimant has suffered no financial loss, or fight litigation with the risk of mounting costs on both sides if the decision goes against them.
Following a cyber-attack in 2017 and 2018, this is the situation that faced DSG Retail Limited (“DSG”), and which has led to an important judgment for these data breach claims, Warren v DSG Retail Ltd [2021] EWHC 2168 (QB).
Continue Reading Narrowing the Scope of Data Breach Claims? – Warren v DSG Retail Ltd
UK Ministry of Justice Announces Changes Regarding Privacy and Data Protection Claims
This summer the ICO has issued significant fines in relation to high profile data breaches since acquiring its new “GDPR charged” powers. With less publicity, but nonetheless important given the increasing awareness of the rights of data subjects to claim damages for breaches of data protection legislation, the Ministry of Justice has recently announced that there are going to be some changes to the Civil Procedure Rules (“CPR”) from 1 October 2019 onwards as regards privacy and data protection claims. Court Rules dealing with defamation cases (CPR Part 53 and the related pre-action protocol) will be amended such that they will also become applicable to any case that includes a claim for misuse of private information, data protection or harassment by publication.
Continue Reading UK Ministry of Justice Announces Changes Regarding Privacy and Data Protection Claims