Data breach litigation: a review of recent legal developments in the UK - Part 2
Stadler v Currys Group Limited [31.01.2022]
Our previous article looked at the UK courts’ approach to data breach claims in 2021. It was clear from the judgments handed down that a tough line was being taken to discourage abuse of the court system, particularly with regard to the potential costs recoverable for low value claims. This legal trend has continued into 2022, as evidenced in the case of Stadler v Currys.
In this recent case, the claimant returned a smart TV to the defendant for repair. The defendant advised that the TV could not be repaired economically and offered the claimant a voucher, which he accepted. The defendant then refurbished and sold the TV but did not perform a factory reset and, as a result, the subsequent purchaser was able to buy a movie through the TV using the claimant’s Amazon account.
Although the defendant reimbursed the claimant £3.49 for the cost of the film and gave him a £200 shopping voucher as a gesture of goodwill, the claimant instructed solicitors and issued proceedings in the High Court seeking up to £5,000 in damages for misuse of private information, breach of confidence, negligence and breach of data protection law with injunctive relief.
The defendant’s application to strike out the claim and was successful in part, but failed in relation to the claim for breach of data protection law.
The judge did, however, transfer the case to the County Court and suggested that it should be allocated to the Small Claims Track. He made it abundantly clear that claims of this nature should not be issued in the High Court:
“The letter before action in this case informed the defendant that proceedings would be issued in the High Court and representations made that it be allocated to the Multi-Track due to the "complexity of the legal issues" and because the claimant will be seeking declaratory and injunctive relief.
The letter before action also placed the defendant on notice that the claimant is funded by a post-April 2019 conditional fee agreement. The solicitors informed the defendant that their client "will be fully protected by ATE insurance all the way to trial with a staged policy premium. As this matter is a privacy claim, such premium will be recovered from you at the successful conclusion of this said case. The longer that this case is defended/not resolved, the more the said premium will increase".
In its reply, the defendant explained to the claimant's solicitor that judges of this court have made clear recently that these sorts of modest value claim are not suitable for the High Court, or indeed the multi-track. It also drew the claimant's attention to the obligation on ensuring cases are justly and proportionately managed in accordance with the overriding objective. It is regrettable that the claimant did not take on board this sound advice.
There does not appear to be any reason for this claim to have been issued in the High Court. Whilst defamation claims must be issued in the High Court (with limited exceptions), the same is not true in respect of the causes of action pursued in this case.”
He went on to suggest that issuing such claims in the High Court and pleading multiple causes of action, the claimant failed to comply with the overriding objective of the Civil Procedure Rules:
“This is a very low-value claim. Consumer disputes of equivalent complexity are heard every day in the County Court on the small claims track and do not need to be dealt with by a High Court judge.
Whilst there will often be good reasons for including more than one cause of action in a claim, especially where there are differences between them in respect of proof of damage, or heads of loss, parties must always conduct litigation proportionately and in accordance with the overriding objective. By including multiple causes of action in respect of this low value claim, the claimant has increased the complexity of the proceedings unnecessarily.”
This case, alongside the 2021 decisions, suggests that the High Court will not tolerate exaggerated or needlessly complicated data breach claims and does not want the Media and Communications List to be clogged up with claims of this nature.
In cases of isolated breaches it is clear that in the vast majority of cases, claims should be issued in the County Court and allocated to the Small Claims Track. It is also clear that for most cases, the statutory remedies available under the GDPR and the DPA 2018 are adequate and that over-pleaded claims may be viewed as attempts to artificially complicate litigation and/or drive up costs. Claims issued in the High Court following such breaches are liable to be re-allocated to the County Court and claimants who do so without good reason are at risk of costs sanctions.
No doubt the tactics adopted by claimant law firms will evolve in response to these decisions, but their appetite to take on claims for isolated, low-level breaches is likely to diminish - for the time being.
Data subjects are entitled to have their data processed in accordance with the law, and the remedy of damages for distress is an important tool in holding data controllers to account when they fail to do so. However, any claims for distress should be brought in the appropriate forum, and at proportionate cost.
- Data breach litigation: a review of recent legal developments in the UK - Part 1
- Lloyd v Google Supreme Court ruling – a sigh of relief for data controllers
- High Court judgment considers breach of confidence and misuse of private information in data breach claim
- Potential insurance issues arising from corporate forum shopping for favourable data protection laws
- Kennedys cybersecurity and privacy (US) 2021 year in review