There have been many recent court decisions in cases relating to data breaches. However, overall, the courts appear to be limiting the scope of data breach claims with a view to ensuring that the floodgates remain closed. These decisions will be a welcome relief for data controllers and processors as a number of themes emerge from recent cases.
Litigation vehicles
The ability to use a representative class action as a vehicle for data breach claims has been curtailed – at least for now.
Representative actions
The Supreme Court's decision in Lloyd v Google decided that a representative class action under the Civil Procedure Rule 19.6 was not possible in that case, which means it may not be possible in most data protection claims (at least until a similar case is re-examined under the new law).
This case involved Mr Lloyd bringing a representative claim against Google LLC on behalf of all persons "with the same interest in the claim". The underlying claim related to Google bypassing the cookie settings on the Safari browser and placing tracking cookies without an individual user’s knowledge or consent. Therefore, the persons "with the same interest in the claim", on behalf of whom Mr Lloyd brought the claim, included a group of over four million affected iPhone users. This was an 'opt-out' class action, meaning that the claim was brought on behalf of all members of the relevant class unless they had specifically opted out.
The Supreme Court refused to allow the case to proceed as a representative class action or to open the floodgates to a large number of small value data breach claims. It held that:
- the extent of unlawful processing differed in respect of each case
- the effect of the unlawful processing in question was not uniform on each affected person
- evidence of damage was required from each member of the class, and this would differ in each case.
Therefore, the class which Mr Lloyd had brought the claim on behalf of did not all hold "the same interest in the claim". Given that in most scenarios where multiple people are affected, the effect of unlawful processing will be different for each person, this decision will have wide application. However, such an action may still be possible for a very narrow class of individuals who all suffer the same damage or distress as a result of unlawful processing.
Group Litigation Orders
Following the decision in Bennett & others v Equifax, it is also unclear whether the courts are willing to allow data breach claims brought by a large group of claimants via a Group Litigation Order. A Group Ligation Order, is, in contrast to claims under the Civil Procedure Rule 19.6, an 'opt-in' class action which involves claimants agreeing to merge their identical or related claims against a common defendant.
Bennett & others v Equifax involved the application for a Group Litigation Order in respect of over 1000 claims against Equifax following a data beach and a significant ICO fine in 2017. The compromised data involved a combination of the name, date of birth, telephone number and/or the email addresses of the data subjects affected. Equifax argued that preliminary issues on causation and loss should be decided first, however, Senior Master Fontaine, who heard the application, despatched the issue of whether or not a Group Ligation Order should be granted to a Judge to decide. Senior Master Fontaine did state in his judgment, however, that in his view "Claimants are just as entitled to obtain a remedy for claims of low value as claimants with high value claims, but where there are substantial numbers of such claims with common or related issues, an efficient and proportionate way of managing such claims must be found." Whether such an efficient and proportionate way can involve a Group Litigation Order is yet to be determined, so the question of whether a GLO will become the vehicle of choice for mass data litigation remains to be answered.
Multiple causes of action
As has been previously argued by data subjects, in cases involving data breaches, claimants have multiple causes of action available to them in addition to a claim for a breach of Article 5(1)(f) of the UK GDPR. The alternative causes of action can include breach of confidence, misuse of private information, and negligence.
However, when other causes of action have been brought alongside data protection claims, presumably to bolster the claim and increase potential damages, or in order to start the litigation in the High Court, the courts have been reluctant to a doubling or tripling up of the causes of action and have decided that these additional claims are not appropriate. For example:
- In Warren v DSG Retail Ltd, the High Court concluded that the Claimant (who had his customer data stolen following a malware attack on the Defendant) could only rely on his data protection claim, and not on additional claims for breach of confidence, misuse of private information, and negligence. The Court struck out these three additional claims because the Defendant had not carried out a positive act (being itself the victim of a hack).
- In Johnson v Eastlight Community Homes Ltd, the High Court considered a claim brought in respect of a data breach after one of the Defendant's employees accidentally sent an email attaching a compilation of rent statements, including of the Claimant, to a third party. The Judge found that "taking the claim as a whole, the breach of confidence claim and the claim in privacy fail to satisfy me they add anything useful and independent to the claim arising from the admitted breach of the GDPR."
- In Ashley v Amplifon Limited, the High Court considered claims for breach of data protection rights, misuse of private information, breach of confidence and negligence relating to the Defendant sending the Claimant's employment contract to another employee (of the same name) via email by mistake. The Court struck out the negligence claim and the breach of confidence claim, the latter in particular because it "adds nothing to the claim for breach of the UK GDPR and the tort of misusing the claimant's private information".
- In Graeme Smith & ors v TalkTalk Telecom Group plc the High Court considered a claim based on alleged "mass" data breaches. The claim was both for breach of statutory duty under the Data Protection Act 1998 and for misuse of private information. Despite the Claimant pleading "conduct" on behalf of the Defendant which allegedly amounted to the misuse of private information, the Court found that there was no misuse by the Defendant, with the breaches being the work of third-party hackers. The Court struck out the misuse of private information claim stating that “creating a situation of vulnerability…is simply not a misuse of information within the tort”.
- In Cleary v Marston (Holdings) Ltd the High Court considered a claim brought by an individual whose colleague was incorrectly emailed by the Defendant, a debt recovery company, which had intended to email the Claimant instead. The causes of action included breach of data protection legislation, misuse of private information and breach of confidence.
In striking out the misuse of private information and breach of confidence claims, Mr Justice Nicklin stated: "Those who are advising claimants who want to bring data breach claims need to think carefully about the claims that are included. There can be and often are several overlapping claims: breach of confidence, misuse of private information and breach of data protection legislation. In many cases, this will simply represent three different ways of characterising what is essentially the same complaint. In accordance with the overriding objective, and also in the best interests of the client, it is necessary to consider whether a claim in respect of all three causes of action needs to be pursued. If there is a straightforward claim, for example for a data protection breach, then it may be in the best interests of the client and the simplicity of the litigation to concentrate on only that claim. In straightforward cases, like this one, there may be no real dispute about the data breach. If so, little of any substance or real value is likely to be gained by complicating the claim by bringing additional claims for misuse of private information or breach of confidence."
Is there now a threshold for an actionable claim?
While the courts have indicated an established threshold for data claims, they have been more reluctant to dispose of claims potentially failing below it, especially having already disposed of concurrent causes of action.
In Lloyd v Google, the Court of Appeal stated that in its opinion there is a threshold of seriousness which applies to data protection claims under section 13 of the Data Protection Act 1998. The Court of Appeal went on to state that "That threshold would undoubtedly exclude, for example, a claim for damages for an accidental one-off data breach that was quickly remedied." When considering the appeal, the Supreme Court noted that the Claimant's pleaded case accepted there is a threshold of seriousness and did not consider or decide on whether such a threshold does exist.
However, when the High Court has had to consider whether to strike out data protection claims founded on one off breaches because they fail to reach a de minimis threshold, it has not been ready to do so. For example, in Ashley v Amplifon Limited, which, as stated above, related to a one off breach resulting from the defendant sending the Claimant's employment contract to an employee, the High Court considered whether a de minimis threshold applied, which would allow for the data protection claim to be disposed of pre-trial. Mr Justice Kerr decided that the data protection claim should be allowed to proceed to trial, stating that: "I am not sure, at this stage, that the damages available would be as minimal as the defendant would have it. I remind myself that I must not conduct a mini trial. The defendant's assertion that the claim is not worth the candle would carry more conviction if it had put more of its cards on the table".
Transfer of claims
It appears from the above, that the High Court is willing to strip away concurrent causes of action where it feels those causes of action add nothing to a data protection claim, but at the same time also appears reluctant to strike out data protection claims, even when they are based on one off data breaches. This means that data breach claims are likely to survive early strike-out, however, the price for that survival is, as shown by the decisions in Warren v DSG Retail Ltd; Ashley v Amplifon Limited; Johnson v Eastlight Community Homes Ltd; and Cleary v Marston (Holdings) Ltd, a transfer of the claim to the County Court Small Claims Track. This generally becomes necessary because the value of the remaining data protection claims is low.
The transfer of a claim from the High Court to the County Court Small Claims Track has a number of consequences.
First, there are severe limits on which costs can be recovered in the County Court Small Claims Track. The general rule under Civil Procedure Rule 27.14 is that no costs may be awarded against the losing party, except for fixed costs for issuing the claim and other court fees. The general rule is only disapplied where the court believes that one of the parties has behaved unreasonably, which is a high threshold.
Second, and as a consequence of the above, claims in the County Court Small Claims Track are not economically viable for claimants. Given the low damages and the lack of costs recoverability, not many claimants would be likely to continue with a data protection claim in the County Court Small Claims Track.
Third, if the court strikes out concurrent claims brought with a data protection claim resulting in a transfer to the County Court Small Claims Track, this will affect a claimant's ability to recover after the event (ATE) insurance premiums. This is because ATE insurance premiums are recoverable in claims that included misuse of private information as a cause of action, they are not recoverable in claims solely for breach of data protection regulations.
Disposing of a data protection claim is a high hurdle unless there is no credible evidence of harm. While it is true that many data breach cases have survived, albeit with a transfer to the County Court Small Claims Track, there is one recent decision in which a claim was struck out in its entirety.
In Rolfe v Veale Wasbrough Vizards, the High Court considered a claim for compensation for a data breach which involved a single email sent by the Defendant to the wrong individual. The Defendant was a firm of solicitors writing to demand payment of outstanding school fees. However, the demand for payment was sent to the wrong email address by accident. The recipient replied promptly, indicating the email was not intended for them, the Defendant swiftly requested the email to be deleted, and the recipient confirmed deletion.
The Claimant's action included claims for breach of the UK GDPR, misuse of private information, breach of confidence and negligence. All of the claims were summarily dismissed, including because:
- Information of minimal significance was included in the email sent to the wrong recipient. For example, the email did not include any information which was overtly personal, such as the Claimant's bank details.
- The Defendant took swift action and asked the recipient to delete the email and the recipient swiftly confirmed to have done so. There was no evidence of further transmission or any consequent misuse.
- The Claimants' suggestion that the minimal data breach had caused significant distress and worry to them was implausible and plainly exaggerated.
The Court stated that “In the modern world it is not appropriate for a party to claim, (especially in the in the High Court) for breaches of this sort which are, frankly, trivial.”
Damages awards are smaller and narrower, unless for damage to reputation
There is still no guidance from the courts about the value of data breach claims where there the claimant can show damage or distress. However, the recent decisions have given some indication about what damage awards may involve:
- In Lloyd v Google, the Court confirmed that damages for loss of control are not available in data protection claims.Though it must be noted that this claim was brought under the Data Protection Act 1998, and there have been no cases under the UK GDPR or the Data Protection Act 2018 on this point.
- In Aven & Ors v Orbis Business Intelligence Ltd, a case involving an inaccuracy claim relating to the processing of the Claimants' data in an investigation report produced by the defendant, the Court confirmed that damages for damage to reputation are available and awarded £18,000.
- In Driver v Crown Prosecution Service, the Court considered a claim relating to an email sent by the CPS to a third-party which did not name the claimant but stated that: “A charging file has been referred from the Operation Sheridan investigation team to the CPS for consideration”. The recipient later communicated the contents of that email with commentary of his own, including the claimant's name, to others. In awarding damages at the level of £250, Mr Justice Julian Knowles stated: “I am prepared to accept that the Claimant would have experienced a very modest degree of distress upon discovering that the CPS’s email had been sent to political opponents and the media by someone who had a grievance against him in an effort (as I find) to embarrass him. But for the reasons I have given I reject his evidence that it … could reasonably or properly have caused him anything like the level of anguish which he claimed…".
Good news for controllers and processors
In general, the trend of data breach claims in the courts of England and Wales, appears to favour controllers and processors over data subjects. Despite a number of high profile representative actions being started, following the decision in Lloyd v Google, the majority have fallen away and throwing a data breach claim in with a mix of other claims, particularly if damage is found to be exaggerated, rarely proves profitable for claimants. There could well be cases which change this direction of travel in future, but for now, the floodgates remain closed.