Low value data breach claims: an increasingly limited menu for data breach claimants

Over the last few years English data protection litigation has been dominated by the saga of Lloyd v Google and the consequent impact that case had on many other pending class actions. Certainly, that case had a huge impact on this area of litigation, but we shouldn’t forget the little guys. At the other end of the scale, High Court judges and masters have been quietly beavering away tackling a series of data protection claims which are far smaller in value but equally challenging conceptually. These individual claims, viewed collectively, tell an interesting story of their own about how the judiciary views the increasing trend for low value post-data breach claims and their efforts to stem the tide in this area. In the wake of the recent Farley v Paymaster [2024] case, a timely reminder that claimants and their lawyers haven’t yet given up on data protection-based claims, we attempt in this article to summarise some of the key takeaways that have come out of this thread of caselaw in recent years. For in-house legal teams on the receiving end of litigation threats post data-breach, these are worth bearing in mind.

Throw away the kitchen sink

The courts have made clear that they have a strong aversion to claimants unnecessarily over-complicating their claims by including multiple and overlapping causes of action. A trend in data protection claims was for claimants to issue claims which allege GDPR breaches, misuse of private information (“MoPI”), breach of confidence and negligence. In essence, claimants hedged their bets and used this practice to distort the complexity of the claim in order to bump the claim into the Fast/Multi Track where costs escalate and are recoverable - avoiding the Small Claims Track where they generally are not. However, the courts are sending a clear message that claimants should refrain from this tactic.

In the case of Darren Lee Warren v DSG Retail Limited [2021], the court gave short shrift to the claimant’s multi-limbed claim (data protection claim, breach of confidence, MoPI and negligence) following a cyberattack in which the claimant’s personal data was compromised. In particular, the court rejected the notion that negligence was appropriate for data breach claims. This was because there is no claim in negligence where the incident complained of was covered by data protection legislation. In respect of the breach of confidence and MoPI claims, these did not hold any water either because the data breach was a result of cybersecurity failure - equivalent to leaving the back door open so thieves can get in. The court made clear that, for both of these torts, there must have been some form of positive act by the claimant which is almost often absent in this type of data breach claim. This reasoning was followed in Stadler v Currys [2022] (another multi-limbed claim) which found that a failure to wipe the claimant’s data from a TV before it was resold was not a positive act, and therefore not a MoPI/breach of confidence.

MoPI, then, is not automatically ruled out in a post-data breach claim. It is often included as a cause of action because it enables claimants to recover ATE insurance premiums which they have usually paid to protect them against the costs of the litigation (there is a question mark as to whether such premiums are recoverable in data protection claims). However, the need for a positive act certainly narrows the applicability of this tort and the recent Farley decision takes another swipe at this. In Farley, a group of claimants brought both a data protection and MoPI claim after letters containing the claimants’ personal data were inadvertently sent to incorrect addresses. However, the judge held that, for the majority of the claimants, neither tort had been made out because they had not proved that the personal data in question had actually been read by those to whom the letters were incorrectly sent. The court rejected attempts by the claimants to infer that this had happened. We can conclude that, in scenarios where either a would-be defendant has merely omitted to do something (such as comply with a security duty) or has mistakenly sent or made available information to the wrong recipients (but where there is no proof that the information has been accessed or read), such a claim is unlikely to succeed. Given how common these two underlying fact patterns are in post-data breach claims, claimants may now really struggle to find legitimate grounds to bring a MoPI claim. Without this claim, though, many claimants shirk at the high ATE premiums they’re forced to pay, which can be seen as one sunk cost too many for relatively low-value litigation.

Threshold of seriousness still the order of the day

Another obstacle for hopeful data protection claimants is the “threshold of seriousness” applicable to data protection claims. Pre-Lloyd, many data protection litigants sought to make claims on the basis of very minimal damage or indeed no damage at all – rather, a mere loss of control of their data was the “damage”. Lloyd made clear that loss of control was not a compensable harm, so claimants focussed their assertions on having suffered some form of low-level “anxiety” as a result of data breaches instead.

Whether or not this sort of harm should be compensable is a question that has, on several occasions, been answered by the High Court in the negative. For example, Rolfe v Veale Wasbrough Vizards LLP [2021] concerned a letter sent by solicitors on behalf of a school concerning unpaid school fees, which was sent to the wrong parents due to a typographical error in an email address. The parents (who should have received the letter) brought a data breach claim against the solicitors, but the claim was dismissed following an application for summary judgment by the defendants on the basis that the harm suffered by the breach was minimal. The Court agreed and strongly remarked that “no person of ordinary fortitude would reasonably suffer the distress claimed arising in these circumstances in the 21st Century, in a case where a single breach was quickly remedied” and “the modern world it is not appropriate for a party to claim, (especially in the High Court) for breaches of this sort which are, frankly, trivial”.

Similarly, in Johnson v Eastlight Community Homes Ltd [2021], the defendant sent an email to one of their customers, inadvertently attaching a compilation of rent statements of other customers, which included the claimant's rent statement. The sole recipient of the email immediately notified the defendant of the error by phone and was asked to delete it, which they did. The inadvertent disclosure lasted less than 3 hours. The Court found that the nature of the data disclosed was relatively anodyne (e.g. the claimant’s address, which was noted to have been included on the claimant’s Claim Form and witness statements in any event) and that it did not contain anything particularly sensitive or which would create a risk of fraud. Consequently it held that the damage was “more in the realms of the unknown or the hypothetical than in reality,” and was “historic rather than current”.

The Supreme Court in Lloyd drew a line under all of this and confirmed that “a threshold of seriousness must be crossed” in relation to non-material harm suffered as a result of a breach of data protection law. Several more cases since have been put to bed on this basis, and the threshold remains a useful element of the defendant toolbox.

The CJEU threw a slight spanner in the works in relation to the question of a de minimis level of harm, in its decision in Österreichische Post AG (the “Austrian Post Case”) at the end of last year. This was a claim seeking compensation for (fairly minimal) non-material damage suffered as a result of non-consensual processing of personal data. Here the Court found that it would be contrary to the broad concept of "damage" in Article 82 of the GDPR – and undermine consistency in approach in member states – if the concept of "non-material damage" were subject to a threshold of seriousness under EU law. This has left the door open in EU countries for data breach claimants to argue that even minimal harm should be compensated and led data protection litigators in England to wonder whether our own courts might take another look at this issue. The opportunity came in the Farley case, but was not taken by the judge in that claim, who deemed it unnecessary to opine on the issue where he had found other grounds to strike out. For the time being, then, the threshold remains, providing potentially more protection to defendants in English courts than in their EU counterparts.

Proportionality remains key

As explained above, a key tactic of claimant law firms has been to “beef up” what are simple low value data protection claims with multiple causes of action. One reason for this is to attempt to justify filing such claims in the High Court, where costs escalate at an early stage, providing a potentially bigger prize in terms of cost recovery for claimant lawyers later down the line. In reality, however, most post data breach claims, particularly those where only low-level harm is alleged, belong in the County Court, on the Small Claims Track (which can hear claims up to a value of £10,000). However, claimant lawyers are not fans of this track – there is no costs recovery for these claims, meaning their client (or their insurers) must foot the bill whether they win or lose. This isn’t as attractive a prospect.

As above, though, the High Court’s patience has waned in relation to these sorts of claims. Many are now struck out if they do not meet the threshold of seriousness and/or because they are viewed as an abuse of process – put another way “the game is not worth the candle”. However, given the availability of the Small Claims Track route, and the fact that County Court judges are becoming increasingly au fait in handling cases of this nature, dismissal of low-level cases is by no means guaranteed. In fact, the High Court has stressed that the Small Claims Track provides a cost-effective forum for the resolution of low-value claims and seems keen to ensure that justice can be accessed, just in a proportionate manner. This has now become the guiding principle emphasised in low-value data breach judgments of late.

A good example of this is Johnson (noted above), which was a multi-limbed claim brought in the High Court for what was a relatively minor and one-off data breach incident. Here the Court declined to strike out the claim/grant summary judgment on the GDPR claim (but struck out all other limbs for the reasons identified above) and instead reallocated the claim to the County Court Small Claims Track with the Master (judge) noting that he was “mindful that the court should strive to provide a remedy to any litigant if it can”.

Anomalies remain, however. In the case of Driver v Crown Prosecution Service [2022], a case in which the CPS shared certain information pertaining to a criminal investigation with a third party who was not legally entitled to receive it, the harm asserted was only minor distress. Despite this, the High Court did not transfer the claim to the County Court, but instead heard it and awarded £250 to the claimant in damages. Whilst this provides a useful starting point for quantification of distress damages, it is hard to square off the rationale of permitting the parties to spend tens of thousands of pounds (if not more) in High Court proceedings, all for the recovery of the grand sum of £250.

The judgment in Farley reiterates the need for proportionality in the determination of low-value data breach claims. Whilst the judge in that case made clear that strike out on abuse of process grounds will not be made purely because the amount of damages sought is small, it did suggest that costs incurred or likely to be incurred in such litigation should be viewed through a critical lens to ensure proceedings were not permitted to continue in a forum which is simply not proportionate-by-design for low value claims.

Conclusion

The “gold rush” of data protection litigation which we witnessed pre-lockdown is, as a result of the above, definitely on the wane. However, as this area of litigation settles down, it’s not only defendants who’ve learned important lessons which help hone their litigation tactics. Claimants have too and, whilst the swathe of cases mentioned above in the main are not favourable to them, they are now becoming more confident as to what can work. We don’t therefore expect a complete halt to claimants’ attempts to recover compensation any time soon. We do expect more considered, sophisticated approaches to emerge, and potential defendants should therefore remain vigilant.

To discuss any issues in this article further, please get in touch with the authors.