2021 was generally a bad year for Claimants pursuing data breach claims through the courts. The year ended with two further cases that continued to constrain the types of claims that can be brought and, perhaps more importantly, cast doubt on whether they are economically viable for Claimants and their lawyers to pursue. We highlight them below and explain where this leaves us as we progress through 2022.
Lloyd -v- Google was probably the stand-out case of the year, where the Supreme Court dealt a blow to the viability of collective redress for large groups of individuals seeking a remedy for misuse of their personal data and private information. See our article here.
Now, two further decisions have added to the armoury of defendants seeking to fight off low value individual claims.
The first case was Ashley -v- Amplifon Limited. At the relevant time, the Claimant was employed by the Defendant. By mistake, the Defendant sent the Claimant’s employment contract to another employee via email. That employee then informed the Claimant, who in turn contacted the Defendant. The Defendant responded to the Claimant, apologising for the error, and saying they would ask the other employee to delete the email. There was a dispute about when the Defendant subsequently contacted the other employee asking them to delete the information and a further dispute about whether the Claimant was told about this. The Claimant’s case was that he heard nothing about the steps taken to delete the email until he received the Defendant’s formal Defence to his claim over a year later. The Claimant said this failure to keep him informed added to his distress.
The Claimant sent a letter before claim ten months after the incident and then issued proceedings three months after that in the High Court Media and Communications List. The claim was for breach of the UK GDPR, negligence, breach of confidence and misuse of private information (MPI). Damages and an injunction were sought.
The Defendant applied for a strike out / summary judgment of the claim on the basis that even if liability were to be established then no or only very minimal damages would be likely to be awarded, making it disproportionate in terms of costs and resources for the proceedings to continue (the so-called “Jameel principle”, named after the defamation case which first established it). Alternatively, the Defendant said the infringements were so de minimis that a court should not allow the claim to proceed (the “de minimis principle”), citing prior case-law that a one-off accidental data breach that was quickly remedied should not attract any compensation.
The Claimant effectively conceded that the negligence claim could not be pursued. The Judge also struck out the claim for breach of confidence as it added nothing to the GDPR and MPI claims. The claim for an injunction was also struck out as there was no evidence of a risk that the incident would be repeated.
This left the claims for breach of GDPR and MPI. The Judge referred to prior case law that the application for strike out/summary judgment essentially turned on whether or not there is a court process that could be used in a proportionate way to determine a low value data breach claim like this. The Judge decided to transfer the GDPR and MPI claims to the County Court Small Claims track on the basis that it was not possible to determine without a full trial whether the Jameel or de minimis principles applied. In particular, the Judge took into account that there was a conflict of evidence about who did what and when to remedy the incident and whether the Claimant was kept informed, which in turn played into questions about whether the Claimant suffered compensable distress.
The second case was Johnson -v- Eastlight Community Homes Limited. It concerned information about the Claimant, a tenant of the Defendant, sent in error to another tenant. The information consisted of the name, address and rent payments made by the Claimant (described as non-sensitive and routine data by the court). On receipt of the information the other tenant immediately informed the Defendant about the error and was asked by the Defendant to delete the email. The incident took less than three hours to resolve. The incident was reported to the Information Commissioner’s Office, who decided to take no action. It was also reported to the Claimant.
The Claimant sent a letter before claim two months later and then issued proceedings four months after that in the High Court Media and Communications List. The claims were for Misuse of Private Information (MPI), breach of Article 8 of the European Convention on Human rights, breach of confidence, negligence, and breaches of the Data Protection Act 2018. The Claimant sought damages not exceeding £3,000 as well as an injunction to prevent a repetition of the incident. The Claimant estimated the total costs to the end of a trial at in excess of £50,000.
The Defendant applied for a strike out / summary judgment of the claim on the basis of the Jameel and de minimis principles referred to above.
The Claimant alleged distress based on her evidence that she had been in an abusive relationship and her former partner might now find out where she is living as a result of the data breach revealing her address. The Court treated this evidence with scepticism when viewed against the facts and that the Claimant had taken no steps to protect her identity or where she resided when bringing this claim.
The claim in negligence was withdrawn at the hearing when it was recognised that it was hopeless in light of the decision in Warren -v- DSG.
The court decided that the claims in breach of confidence, MPI and breach of Article 8 added nothing to the data protection claim, which was the focus of the case, and so those additional claims were struck out.
The Court followed previous case law and said that, contrary to the Claimant’s arguments, the de minimis principle and the Jameel principle apply to cases involving data protection breaches. As explained above, the Court treated the evidence of the Claimant’s distress with scepticism. However, by a “narrow margin” the Court was not persuaded to strike out the claim entirely, provided that it was heard in a court more appropriate to dealing with low value claims. Accordingly, the Court required the surviving data protection claim to be transferred to the County Court Small Claims Track. The Court went so far as to say that the commencement of the claim in the High Court had been a form of procedural abuse.
Where are we in 2022?
Taking all of these cases together, we can draw the following conclusions:
It is difficult to see how individual claims can now be brought anywhere other than the County Court Small Claims Track, except in exceptional cases. The ability to recover the costs of bringing a claim in this Track are severely limited and probably make such claims economically unviable for many Claimants and their lawyers. However, if Claimants are determined to pursue them come what may, then Defendants also face the prospect of irrecoverable costs;
If claims are brought, they will need to be constrained to compensation for breaches of GDPR and possibly MPI only, so focussing the legal arguments much more narrowly. Where the claims are brought after a third party hacking incident they can only proceed on the basis of GDPR;
How incidents are initially handled is going to be very important in determining whether claims can be pursed at all or limiting the distress and hence the compensation that can be recovered. The issues in Ashley -v- Amplifon that played into the decision to allow the case to proceed in the County Court included that it wasn’t clear that the incident had been dealt with by the defendant promptly, that the claimant was not kept informed and re-assured throughout, and that records relating to how the incident had been managed had not been maintained. Contrast this with Rolfe -v- Veale Wasbrough Vizards where the way the incident was dealt with was an important factor in the claim being struck out. This emphasises that data breaches are as much about how they are responded to as why they occurred in the first place;
We will have to wait and see what the impact of Lloyd -v- Google is on collective claims. In the absence of representative claims for compensation, Claimants might turn to a Group Litigation Order model or even representative claims on liability with individual claims for compensation following on. However, the economics of this for Claimants, lawyers and their Litigation Funders are not straightforward;
We still do not have a clear understanding of what the tariff for compensation should be where the de minimis threshold for a data breach claim is satisfied. Even in the more serious cases, we seem to be at a level of about £3,000. This year we might see some more cases which provide a better idea of judicial thinking on this, assuming Claimants are brave enough to pursue those claims in court.
If you require further information about anything covered in this briefing, please contact Ian De Freitas, Kay Lubwika Bartlett or your usual contact at the firm on +44 (0)20 3375 7000.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, February 2022