When the Data Protection Act 2018 (DPA 2018) came into force, bringing the General Data Protection Regulation (GDPR) into English law, there was speculation that the floodgates were about to open for data breach claims from individuals against businesses misusing personal data. This fear has not been realised. Recent cases indicate that only data breaches with a serious impact on an individual will be worth litigating, and that care is needed both in the choice of court and the costs incurred. 

Patrick Wheeler

Patrick Wheeler

Rhiannon Thompson

Rhiannon Thompson

The right to receive compensation for damage suffered as a result of a breach of the UK GDPR has its statutory basis in Article 82. Cases decided under the previous law – the Data Protection Act 1998 (DPA 1998) – need to be viewed with caution but many principles have carried through to the current law. This includes the issue of compensation for distress as well as material damage – a position confirmed and clarified in Vidal-Hall v Google Inc [2015] EWCA Civ 311. In that case the claim related to distress and anxiety alone. The court held that there was no requirement to prove financial loss in order for damages to be payable.

The effect of the decision in Vidal-Hall was to encourage an increase in the number of claims brought for damages for distress alone. Recently, however, the courts appear to have begun to take a more stringent approach both to liability and the assessment of damages in such claims, in order perhaps to discourage claims where there has been a technical breach, but the ‘damage’ (distress) is arguably not significant. The courts have also been keen to channel claims towards the county court and away from the High Court, and have criticised the level of costs incurred in this type of litigation.

In Rolfe v Veale Wasbrough Vizards LLP [2021] EWHC 2809, the defendant had sent a letter regarding unpaid school fees to a mistakenly typed email address. The recipient quickly notified the sender of the error, and, on the defendant’s request, then confirmed that the email had been deleted. The claimants (parents and daughter) brought a claim for misuse of confidential information, breach of confidence, negligence and damages pursuant to Article 82 of the GDPR and section 169 of the DPA 2018. The defendants applied for summary judgment, arguing that any damage or distress to the claimants was de minimis and that therefore the claim had no prospect of success. Master McCloud granted the defendant’s application, saying ‘no person of ordinary fortitude would reasonably suffer the distress claimed arising in these incidents in the 21st century, in a case where a single breach was quickly remedied. … In the modern world it is not appropriate for a party to claim (especially in the High Court) for breaches of this sort which are, frankly, trivial’. The claimants were ordered to pay defendant costs, and on the indemnity basis.

Similar conclusions were reached in Johnson v Eastlight Community Homes [2021] EWHC 3069, a judgment handed down very shortly after Rolfe. The breach related to the incorrect addressing of an email (subsequently confirmed to have been deleted) containing financial information. The damages claim was limited to £3,000 but was issued in the High Court, with the claimant’s budgeted costs amounting to over £50,000. Master Thornett refused the defendant’s application for strike-out but confirmed the application of the de minimis principle and ordered the case be transferred to the county court, commenting: ‘The presentation and processing of this case to-date in this forum has, I am satisfied, constituted a form of procedural abuse.’

Even where claims survive in the High Court, and the decision favours the claimant, actual damages awarded may be very low. In Geoffrey Driver v Crown Prosecution Service [2022] EWHC 2500 (KB), the claimant (a prominent local politician) sought damages not exceeding £2,000 (along with declaratory relief) after a member of staff at the CPS sent an email to a third party (who had apparently requested the information) regarding his involvement in a local government corruption scandal and criminal investigation. Applying the provisions of the DPA 2018 (the data processing having been held to be for law enforcement processes), Knowles J held that there had been a data breach but that it was at the ‘lowest end of the spectrum’ and accordingly awarded damages of £250.

The judicial direction of travel seems to discourage individual claimants seeking to bring low-level claims for breaches of data protection legislation – especially when brought in the High Court along with allied claims for breach of confidence or misuse of private information. While this may be welcome news for data controllers, limiting potential liability for minor or inadvertent breaches which are quickly remedied, it poses challenges for claimants who have suffered more significant distress as a result of a breach in bringing and managing a complaint in a cost-effective way.

Group litigation was seen as an opportunity for large numbers of people affected by a common data breach. However, this avenue was dealt a blow by the Supreme Court in Lloyd v Google [2021] UKSC 50 that, under the relevant provisions of the DPA 1998, compensation was not available for pure ‘loss of control’ of personal data, where damage (material or otherwise) could not be shown. Relatedly, therefore, it would be difficult to pursue such claims as part of group litigation, as individual assessments of damages would be required. The courts seem likely to interpret the corresponding provisions of the DPA 2018 in the same way.

It might seem from these decisions and judicial guidance that there is no value in a claim for the consequences of a data breach. That is probably a misreading of the position, since recent cases seem to have been either factually or procedurally defective, but it will require claimants and their advisers to give careful thought to what kind and level of damage should be pleaded and the most appropriate forum for the dispute to be heard. Costs significantly in excess of the level of damages will also be most unlikely to be recoverable.

 

Patrick Wheeler is a partner at Collyer Bristow and a committee member of the London Solicitors Litigation Association. Rhiannon Thompson is an associate at Collyer Bristow