There have been many recent court decisions in cases relating to data breaches. Overall, however, the courts appear to be limiting the scope of data breach claims with a view to ensuring that the floodgates remain closed. These decisions will be a welcome relief for data controllers and processors, and a number of themes emerge from the recent cases.
The ability to use a representative class action as a vehicle for data breach claims has been curtailed – at least for now.
The Supreme Court's decision in Lloyd v Google decided that a representative class action under the Civil Procedure Rule 19.6 was not possible in that case, which means it may not be possible in most data protection claims (at least until a similar case is re-examined under the new law).
This case involved Mr Lloyd bringing a representative claim against Google LLC on behalf of all persons "with the same interest in the claim". The underlying claim related to Google bypassing the cookie settings on the Safari browser and placing tracking cookies without an individual user’s knowledge or consent. Therefore, the persons "with the same interest in the claim", on behalf of whom Mr Lloyd brought the claim, included a group of over four million affected iPhone users. This was an 'opt-out' class action, meaning that the claim was brought on behalf of all members of the relevant class unless they had specifically opted out.
The Supreme Court refused to allow the case to proceed as a representative class action or to open the floodgates to a large number of small value data breach claims. It held that:
Therefore, the class which Mr Lloyd had brought the claim on behalf of did not all hold "the same interest in the claim". Given that in most scenarios where multiple people are affected, the effect of unlawful processing will be different for each person, this decision will have wide application. However, such an action may still be possible for a very narrow class of individuals who all suffer the same damage or distress as a result of unlawful processing.
Group Litigation Orders
Following the decision in Bennett & others v Equifax, it is also unclear whether the courts are willing to allow data breach claims brought by a large group of claimants via a Group Litigation Order. A Group Litigation Order is, in contrast to claims under Civil Procedure Rule 19.6, an 'opt-in' class action which involves claimants agreeing to merge their identical or related claims against a common defendant.
Bennett & others v Equifax involved an application for a Group Litigation Order in respect of over 1000 claims against Equifax following a data breach and a significant ICO fine in 2017. The compromised data involved a combination of the name, date of birth, telephone number and/or email address of the data subjects affected. Equifax argued that preliminary issues on causation and loss should be decided first; however, Senior Master Fontaine, who heard the application, despatched the issue of whether or not a Group Litigation Order should be granted to a Judge to decide. Senior Master Fontaine did state in his judgment, however, that in his view "Claimants are just as entitled to obtain a remedy for claims of low value as claimants with high value claims, but where there are substantial numbers of such claims with common or related issues, an efficient and proportionate way of managing such claims must be found." Whether such an efficient and proportionate way can involve a Group Litigation Order is yet to be determined, so the question of whether a GLO will become the vehicle of choice for mass data litigation remains to be answered.
As has been previously argued by data subjects, in cases involving data breaches, claimants have multiple causes of action available to them in addition to a claim for a breach of Article 5(1)(f) of the UK GDPR. The alternative causes of action can include breach of confidence, misuse of private information, and negligence.
However, when other causes of action have been brought alongside data protection claims, presumably to bolster the claim and increase potential damages, or in order to start the litigation in the High Court, the courts have been reluctant to permit a doubling or tripling up of the causes of action and have decided that these additional claims are not appropriate. For example:
While the courts have indicated an established threshold for data claims, they have been more reluctant to dispose of claims potentially falling below it, especially having already disposed of concurrent causes of action.
In Lloyd v Google, the Court of Appeal stated that in its opinion there is a threshold of seriousness which applies to data protection claims under section 13 of the Data Protection Act 1998. The Court of Appeal went on to state that "That threshold would undoubtedly exclude, for example, a claim for damages for an accidental one-off data breach that was quickly remedied." When considering the appeal, the Supreme Court noted that the Claimant's pleaded case accepted there is a threshold of seriousness and did not consider or decide on whether such a threshold does exist.
However, when the High Court has had to consider whether to strike out data protection claims founded on one-off breaches because they fail to reach a de minimis threshold, it has not been ready to do so. For example, in Ashley v Amplifon Limited, which, as stated above, related to a one-off breach resulting from the defendant sending the Claimant's employment contract to an employee, the High Court considered whether a de minimis threshold applied, which would allow for the data protection claim to be disposed of pre-trial. Mr Justice Kerr decided that the data protection claim should be allowed to proceed to trial, stating that: "I am not sure, at this stage, that the damages available would be as minimal as the defendant would have it. I remind myself that I must not conduct a mini trial. The defendant's assertion that the claim is not worth the candle would carry more conviction if it had put more of its cards on the table".
It appears from the above that the High Court is willing to strip away concurrent causes of action where it feels those causes of action add nothing to a data protection claim, but at the same time appears reluctant to strike out data protection claims, even when they are based on one-off data breaches. This means that data breach claims are likely to survive early strike-out; however, the price for that survival is, as shown by the decisions in Warren v DSG Retail Ltd, Ashley v Amplifon Limited, Johnson v Eastlight Community Homes Ltd and Cleary v Marston (Holdings) Ltd, a transfer of the claim to the County Court Small Claims Track. This generally becomes necessary because the value of the remaining data protection claims is low.
The transfer of a claim from the High Court to the County Court Small Claims Track has a number of consequences.
First, there are severe limits on which costs can be recovered in the County Court Small Claims Track. The general rule under Civil Procedure Rule 27.14 is that no costs may be awarded against the losing party, except for fixed costs for issuing the claim and other court fees. The general rule is only disapplied where the court believes that one of the parties has behaved unreasonably, which is a high threshold.
Second, and as a consequence of the above, claims in the County Court Small Claims Track are not economically viable for claimants. Given the low damages and the lack of costs recoverability, not many claimants would be likely to continue with a data protection claim in the County Court Small Claims Track.
Third, if the court strikes out concurrent claims brought with a data protection claim, resulting in a transfer to the County Court Small Claims Track, this will affect a claimant's ability to recover after the event (ATE) insurance premiums. This is because, while ATE insurance premiums are recoverable in claims that include misuse of private information as a cause of action, they are not recoverable in claims solely for breach of data protection regulations.
Disposing of a data protection claim is a high hurdle unless there is no credible evidence of harm. While it is true that many data breach cases have survived, albeit with a transfer to the County Court Small Claims Track, there is one recent decision in which a claim was struck out in its entirety.
In Rolfe v Veale Wasbrough Vizards, the High Court considered a claim for compensation for a data breach which involved a single email sent by the Defendant to the wrong individual. The Defendant was a firm of solicitors writing to demand payment of outstanding school fees. However, the demand for payment was sent to the wrong email address by accident. The recipient replied promptly, indicating the email was not intended for them, the Defendant swiftly requested the email to be deleted, and the recipient confirmed deletion.
The Claimant's action included claims for breach of the UK GDPR, misuse of private information, breach of confidence and negligence. All of the claims were summarily dismissed, including because:
The Court stated that "In the modern world it is not appropriate for a party to claim, (especially in the High Court) for breaches of this sort which are, frankly, trivial."
There is still no guidance from the courts about the value of data breach claims where the claimant can show damage or distress. However, the recent decisions have given some indication of what damage awards may involve:
In general, the trend of data breach claims in the courts of England and Wales appears to favour controllers and processors over data subjects. Despite a number of high-profile representative actions having been started, the majority have fallen away following the decision in Lloyd v Google, and throwing a data breach claim in with a mix of other claims, particularly if the damage is found to be exaggerated, rarely proves profitable for claimants. There could well be cases which change this direction of travel in future, but for now, the floodgates remain closed.