Personal data breach claims come in many different forms: a letter sent to the wrong address, personal information disclosed to a third party, but the unanswered question, is how do these often small, sometimes relatively insignificant breaches, attract such significant damages?
These claims have a reputation of “history repeating itself”, a substantial letter of claim alleging breaches of UK General Data Protection Regulation (GDPR) and Data Protection Act (DPA), breaches of privacy and confidence and negligence. The claimant has usually suffered a degree of distress as a result of the breaches, and a threat of proceedings being commenced in the High Court if liability is not admitted is made accompanied by a demand for payment of damages.
Data breach case law
Unfortunately, unlike other areas of litigation data breach claims do not have years of case law for legal practitioners to rely on when considering the matter at hand particularly in relation to defending such claims, which has left something of a grey area surrounding this area of law.
Fortunately, a number of recent cases have helped to shed some clarity on what exactly the courts will consider in data breach claims.
In Rolfe and others v Veale Wasbrough Vizards LLP [2021] EWHC 2809 (QB), the defendant had sent a letter containing generic personal data to a third party by email. The defendant had established its error fairly quickly, and the recipient had confirmed deletion of the email.
The claimant in the case, who was the subject of the generic personal data, pursued a claim for damages for misuse of the confidential information, a breach of its confidence, and damages under UK GDPR and DPA.
The judge dismissed the claimant’s claim in its entirety, stating that there had been a “plainly exaggerated claim for time spent by the claimants dealing with the case” and a “frankly inherently implausible suggestion that the minimal breach caused significant distress and worry or even made them “feel ill””.
In Lloyd v Google LLC [2021] UKSC 50, the Supreme Court was concerned with allegations that Google had tracked the internet activity of millions of iPhone users and used the data collected for commercial purposes without the users’ knowledge or consent. The claimant sought to argue that all users that had been affected by this should be compensated by Google, and that no actual damage needed to be proved by the individuals.
The Supreme Court ruled that a claimant has to prove they have suffered material damage, financial loss or otherwise in order for their claim to succeed. The court found that a breach of Section 13 of the Data Protection Act 1998 “cannot reasonably be interpreted as conferring on a data subject a right to compensation for any (non-trivial) contravention by a data controller of any of the requirements of the Act without the need to prove that the contravention has caused material damage or distress to the individual concerned”. Therefore, in order for the claim to succeed, the claimant would have had to demonstrate that the defendant had made some unlawful use of the personal data relating to him and that he had actually suffered damage as a result.
In the case of Warren v DSG Retail Ltd [2021] EWHC 2168 (QB) the claimant sought damages from the defendant who had been the victim of a cyber-attack in which its customers data had been compromised. The basis of the claim was that there had been misuse of private information, breach of confidence, and negligence.
Here, the court struck out the claims for breach of confidence and privacy as there had been no “positive misuse” by the defendant of the claimant’s data.
What does this mean for defendants in data breach claims?
These cases have paved a way for defendants faced with these data breach claims to be able to take a more vigorous approach at defending them, especially where those claims are “minor”, and the breach is trivial in nature. If there has been no evidence of actual loss or distress, then the defendant is said to have more of a “shield” to these claims than they otherwise would have done so, prior to the above rulings.
If you are faced with a data breach claim, our commercial litigation solicitors can assist you with defending your organisations rights. We always look to find a solution with the least possible disruption to your work or business. Call us today on 0161 696 6170.
Comments