Welcome guidance from the Court on defending minor data breach claims
Since the introduction of the Data Protection Act 2018 (DPA) and the GDPR (now the UK GDPR following Brexit), there has been a significant increase in claims arising from minor personal data breaches.
These claims typically follow a similar pattern.
- A lengthy letter of claim will be sent alleging breaches of the DPA and UK GDPR, as well as breaches of confidence and privacy, and negligence.
- The letter will say that the claimant has suffered distress as a result of these breaches and that the claimant will commence proceedings in the High Court if liability is not admitted and damages paid.
- The letter will also indicate that the claimant has entered into a conditional fee arrangement (CFA) and taken out "after the event" insurance (ATE Policy) so that the claimant will not have to pay their own legal costs, or those of the defendant, even if they lose the case. By pursuing a breach of confidence and privacy claim, the claimant can seek to recover the cost of the ATE Policy, whereas this is not possible for claims under the DPA and UK GDPR alone.
There is a rudimentary strategy behind these claims. The claimant has no financial risk because of the CFA and the ATE Policy, whilst the defendant has to incur legal costs from the outset in defending the claim. These costs can quickly become disproportionate to the value of the claim, meaning the defendant will often feel compelled to settle the claim at an early stage for commercial reasons.
Until recently, there has been a lack of case law to encourage organisations to fight these minor data breach claims. Helpfully, that has now changed as a result of the three cases that we discuss below.
In Warren v DSG Retail Ltd  EWHC 2168 (QB), the defendant was the victim of a cyber-attack which resulted in the personal data of its customers being compromised. The claimant duly issued a claim for breaches of the Data Protection Act 1998 (as was the applicable legislation at the time), misuse of private information, breach of confidence and negligence.
However, the Judge struck out the claims for breach of confidence and privacy because there had been no “positive misuse” by the defendant of the claimant’s data. Rather, this was the action of a rogue third party. As a result, the claimant lost the ability to recover the cost of his ATE Policy, which creates a financial barrier and a greater degree of risk for claimants who may be contemplating similar claims.
In Rolfe and others v Veale Wasbrough Vizards LLP  EWHC 2809 (QB), the defendant accidentally sent a letter (containing generic personal data) by email to the wrong person. The defendant quickly established with the recipient that the email had been sent in error, with the recipient confirming that they had deleted the email. The claimant nevertheless issued a claim for damages for misuse of confidential information, breach of confidence, and for damages under the DPA and UK GDPR.
On this occasion, the Judge dismissed all the claims for damages (before the case got to trial), stating strongly that "We have a plainly exaggerated claim for time spent by the Claimants dealing with the case and a frankly inherently implausible suggestion that the minimal breach caused significant distress and worry or even made them ‘feel ill’. In my judgment no person of ordinary fortitude would reasonably suffer the distress claimed arising in these circumstances in the 21st Century, in a case where a single breach was quickly remedied."
The Supreme Court then delivered its long-awaited judgment in Lloyd v Google LLC  UKSC 50. This case related to allegations that Google had secretly tracked the internet activity of millions of Apple iPhone users and used the data collected in this way for commercial purposes without the users’ knowledge or consent. The claimant argued, amongst other things, that every person affected by this should be compensated by Google for the loss of control of their data, without having to prove that any actual damage had been caused to them personally.
After many years of litigation, the Supreme Court rejected this notion and reinforced the principle that a claimant has to prove they have suffered material damage (i.e. financial loss) and/or distress above a minimum threshold to have a viable data breach claim.
The significance of these cases is that organisations can now take a more robust approach to defending minor data breach claims when the data breach is obviously trivial, and where the claimant has failed to provide any evidence of actual loss or distress. We also expect there will be a reduction in these minor data breach claims generally, as it may no longer be economical for claimant law firms to run these claims on a CFA basis.
However, these cases do not provide a complete shield. It remains important for organisations to react quickly to any form of data breach – both in terms of addressing the issue with the affected person (where appropriate) and taking steps to rectify the breach whilst mitigating the risk of it being repeated. Minor data breaches will continue to happen, and whilst it is hoped the Courts will now be more inclined to dismiss opportunistic claims for what they are, there may be less sympathy for an organisation which does not learn from its mistakes.