High Court judgment considers breach of confidence and misuse of private information in data breach claim

Warren v DSG Retail Ltd [30.07.21]

Judgment has been handed down in the case of Warren v DSG Retail Ltd, striking out the claimant’s claim for breach of confidence, misuse of private information and negligence.


This was a low-value dispute brought against DSG Retail Ltd (DSG) in respect of a cyber attack to its systems in 2018 caused by an unauthorised third party installing malware which affected potentially around 14 million data subjects.

The claimant claimed that the data relating to him (name, address, phone number, date of birth and email address) was potentially compromised. He therefore pursued a claim for breach of the Data Protection Act 1998 (DPA), misuse of private information, breach of confidence and negligence.

DSG applied for strike-out/summary judgment, save for an aspect of the DPA claim for breach of the data security duty. DSG argued that (i) the claims for breach of confidence and misuse of private information required positive information; and (ii) there is no duty of care in negligence.

The judgment

The application was granted by Mr Justice Sani.

It was held that neither breach of confidence or misuse of private information impose a data security duty on the holders of information (even if private/confidential information) because the causes of action require a positive wrongful act on the defendant’s part.

As to the negligence claim, it was held that there was no common law duty of care (Smeaton v Equifax Ltd [2013]) and a state of anxiety falling short of a clinically recognisable illness does not constitute damage sufficient to complete a tortious cause of action.

Therefore, the only remaining claim was under the DPA and for this reason the case was transferred to the County Court.


This judgment has limited the scope to bring breach of confidence and misuse of private information claims in respect of data protection. This brings with it various costs implications for potential claimants.

This case will hopefully limit causes of action claimed in more such claims to purely statutory claims under the data protection legislation. This should impact the availability of ATE insurance for such claims and reduce the resulting claims for premiums where breach of confidence/misuse of private information cannot be argued. Where damages recoverable are then modest the recoverability of claimant costs will be affected which may reduce the enthusiasm of claimant firms for bringing the claims.

Breach of privacy and other causes of action may continue to be advanced in employee data breach claims which do not involve a third party perpetrator. It will be harder to argue that there is no positive action in these cases but it is still necessary to consider vicarious liability (Various Claimants v WM Morrisons Supermarkets plc [2019]).

While this judgment is another welcome addition to a series of cases providing further clarity around data breach claims, there are still issues which remain unresolved. The Supreme Court decision in Lloyd v Google is expected later this year, and it is hoped that this will resolve the question over whether a data subject may recover damages for loss of control of personal data without proving material damage/distress. The judgment is awaited with interest by corporates and insurers alike.

Related items:

Related content