There have been several key legal developments in UK data breach litigation over the past year. We take a look at those developments and take a temperature check of the data breach landscape as it currently stands.
Remedies for breach of the General Data Protection Regulation (GDPR)
Before Brexit, UK users' personal information was subject to the EU’s General Data Protection Regulation. Post-Brexit, that information is subject to the Data Protection Act 2018 (DPA 2018) which sits alongside the UK’s mirrored version of the GDPR.
In the event of a breach of the provisions of the GDPR, affected data subjects are entitled to compensation for distress. The level of compensation awarded is a developing area of law, but individual damages will rarely exceed the County Court’s £10,000 Small Claims Track threshold, thereby limiting the amount of costs recoverable by litigants.
Possibly as a result of the costs implications, there is currently a trend of claimant law firms issuing data breach claims in the High Court (where the successful claimant is entitled to recover their legal costs from the unsuccessful party) irrespective of claim value. These claims are then allocated to the Media and Communications List of the Queen’s Bench Division. In addition to the statutory claim for breach of GDPR, it is common to see claimants plead additional causes of action including misuse of private information, breach of confidence and negligence.
High Court’s approach to GDPR claims
These 2021 decisions give us an insight into the High Court’s current attitude towards GDPR claims:
Warren v DSG Retail Ltd [30.07.2021]
The claimant claimed that, as a result of a cyber-attack on DSG’s systems in 2018, data relating to him was potentially compromised. He pursued claims for breach of the Data Protection Act 1998 (DPA 1998), the predecessor to the GDPR and DPA 2018, and for misuse of private information, breach of confidence and negligence.
The court held that neither breach of confidence nor misuse of private information imposes a data security duty on the holders of information (even if private or confidential information) because the causes of action require a positive wrongful act on the defendant’s part.
It also held that there was no common law duty of care and a state of anxiety falling short of a clinically recognisable illness does not constitute damage sufficient to complete a tortious cause of action. It therefore struck out the claims for breach of confidence, misuse of private information and negligence.
Therefore, the only remaining claim was under the DPA 1998, and for this reason the case was transferred to the County Court.
Rolfe & Ors v Veale Wasbrough Vizards LLP [07.11.2021]
The defendant accidentally sent an email intended for the first and second claimants to a third party with an identical surname. The email contained the claimants’ names, addresses, a demand for unpaid school fees, a statement of account and a reference to proposed legal action if the debt was not paid. The defendant realised its error and promptly asked the recipient to delete the message, which she did.
Despite this, the claimants brought proceedings against the defendant arguing misuse of private information, breach of confidence, negligence and breach of the GDPR and the DPA 2018. The defendant applied for summary judgment on the grounds that the circumstances of the claim could not have caused the claimants anything more than de minimis harm.
The High Court agreed and, as the judgment makes plain, Master McCloud was unimpressed with the claim:
"We have a plainly exaggerated claim for time spent by the claimants dealing with the case and a frankly inherently implausible suggestion that the minimal breach caused significant distress and worry or even made them 'feel ill'. In my judgment no person of ordinary fortitude would reasonably suffer the distress claimed arising in these circumstances in the 21st Century, in a case where a single breach was quickly remedied. There is no credible case that distress or damage over a de minimis threshold will be proved. In the modern world it is not appropriate for a party to claim, (especially in the High Court) for breaches of this sort which are, frankly, trivial".
The defendant’s application for summary judgment was granted and the case dismissed with costs. The claimants were ordered to make an interim payment of £11,000 on account of costs.
Johnson v Eastlight Community Homes Ltd [16.11.2021]
The defendant, a social housing provider, inadvertently sent the claimant’s rent statement to a third party who, when asked and within three hours of receipt, deleted it. The claimant’s personal data appeared at pages 880-882 of a document almost 7,000 pages long and it is highly unlikely that the third party recipient viewed the claimant’s data.
Nonetheless, the claimant instructed solicitors and issued proceedings in the High Court claiming damages for misuse of private information, breach of confidence, negligence, breach of Article 8 of the European Convention on Human Rights and damages pursuant to the GDPR and the DPA 2018 together with injunctive relief.
Although the claimant’s damages claim was limited to £3,000, her solicitors submitted a costs budget in excess of £50,000 which was certified as “reasonable and proportionate”.
In a stinging decision, Master Thornett held that issuing the claim in the High Court and pleading a series of overlapping (and often inadequately pleaded) causes of action amounted to a procedural abuse, saying:
"No serious privately paying litigant would contemplate spending over £50,000 in costs, not all of which may prove recoverable even in the event of success, and similarly expose themselves to the risk of a significant adverse costs order following High Court litigation if unsuccessful, for a damages claim less than £3,000. The presentation and processing of this case to-date in this forum has, I am satisfied, constituted a form of procedural abuse. […] Everything about this case has all of the hallmarks of a Small Claims Track claim that should have been issued in the County Court and so allocated. The suggestion that this is a developing area of law or where, even if principle is established, requires elaborate and complex legal argument is unrealistic if not, at least arguably, opportunistic".
Lloyd v Google [10.11.2021]
No article discussing recent key developments in data breach litigation would be complete without mentioning the Supreme Court decision in Lloyd v Google. A more in-depth discussion of that case can be found here, but it is clear from the decision that it will be very difficult for any future litigation arising from large-scale data breaches to proceed on a US-style “opt-out” class action basis.
Prior to these 2021 decisions, the claimant law firm modus operandi following a data breach incident was to encourage as many claimants as possible to sign up with them (including through the use of targeted advertising) to enter into conditional fee arrangements and after-the-event insurance policies to shield the claimant from adverse costs, and to issue proceedings in the High Court irrespective of claim value or complexity. This enabled claimant solicitors to recover their legal costs in successful actions and encouraged defendants to consider settlement, even for seemingly unmeritorious claims.
These decisions have redressed the balance between claimant and defendant interests and will no doubt give claimant law firms pause for thought in relation to the conduct of future data breach claims.