Data Protection Claims - De Minimis Principle

Article

25 October, 2021

Ella Dudley

Paralegal

Data protection laws evolved substantially in 2018 with the implementation of the General Data Protection Regulation (GDPR). In this article we will explore the basic data protection principles, and things to consider when considering bringing a claim against an organisation for breaching data protection laws.

What is GDPR?

The Data Protection Act 2018 is the UK's implementation of the General Data Protection Regulation (GDPR). Everyone responsible for using personal data (a data 'controller' or 'processor') has to follow strict rules called 'data protection principles'. For example, they must make sure the information is used fairly, lawfully, and transparently. There is stronger legal protection for more sensitive information, such as race, ethnic background, political opinions, and health. There are a few different types of information that could be classified as sensitive data and the examples referred to do not represent an exhaustive list. It is cases involving the disclosure of this data that tend to be more valuable.

There are significant factors to consider when approaching the prospect of bringing a data protection claim against an organisation that are a data controller/processor, we will look at this in more detail within this article.

Claiming Compensation

The GDPR provides you with a right to claim compensation from an organisation if you have suffered damage because of that organisation breaching data protection law. This includes:

Material damage, for example a loss of money
Non-material damage, for example you have suffered a great deal of distress because of the breach.

You do not have to make a court claim to obtain compensation - the organisation may simply agree to pay it to you. However, if it does not agree to pay, your next step would be to pursue a claim through the court. The court would decide your case. If it agreed with you, it would decide whether the organisation would have to pay you compensation and how much.

The Prospects of a Successful Data Protection Breach Claim

Data can either be breached through reckless care and storage of your data, for example not password protecting documents or sending your data to the wrong party, or losing data, as well as through more targeted hacks and data thefts by cybercriminals.

At Forbes Solicitors, we do consider claims for sending out sensitive data to the wrong person, such as medical records, financial information or other data considered to be sensitive, which could cause damage to your reputation or affect your safety

As a rule, we do not deal with claims for:

Theft of data and cyber-criminal hacks.
Pure loss of data unless it has turned up elsewhere in the public domain and the organisation is unable to show a procedure for destruction.
Subject Access Requests or failures to provide data.
Cases where the value of the claim is minimis (see below) and are at risk of being placed into the small claims court where legal costs are not generally recoverable.

The De Minimis Principle

The distress caused by the breach is the focus when considering compensation for a breach of GDPR. If distress suffered is deemed to be minimal and short lived, the De Minimis principle may apply, limiting or even removing the eligibility for receiving compensation that may have been available. Examples can include a one-off breach that does not involve sensitive personal data which is quickly resolved.

The De Minimis principle is a formulation of a quantitative or qualitative threshold below which notification of a personal data breach is not mandatory, because the risk to the rights and freedoms (including the respect for private life and family life) of data subjects will be negligible.

There will be instances where even where a person is notified of a breach, it does not meet the threshold of seriousness. It might be described as 'negligible'.

The Compensation

Factors considered which are likely to justify an award of compensation and the likelihood legal costs will be recovered can be as follows:

How much of your data was shared and how sensitive it is e.g., financial, medical, or other sensitive data that could be damaging or put an individual at risk or affect their safety.
How did the breach affect you? What affect did it have on your health, lifestyle, work, and relationships? Was it significant enough for you to report it to your doctor?
Has the breach recurred?
What has the organisation done to correct the breach once it became aware of it?
What have been the actual repercussions?

Factors that may adversely affect compensation could include the following:

Was it information already in the public domain, such as your email and name? It may be that your address can be obtained on the electoral roll.
Was the breach a one off?
Was it a quickly remedied?

If answers to the above factors are minimal, for example, the data was not sensitive data, and the breach hasn't affected your health, lifestyle, work, relationships, and the organisation has taken steps to correct the breach once they became aware of it, then the De Minimis principle may apply. This means that there will be effectively 'no/minimal loss' or 'no/minimal distress' caused and therefore no basis for an award of compensation, and therefore pursuing a claim against the organisation would not be economical.

The claimant must prove their claim and provide evidence of distress.

Case Study Examples

Details of a current address have been sent to an ex-partner who had subject the claimant to domestic violence. The claimant may have been forced to have CCTV fitted for safety or move address. They may have had to visit their doctor and seek counselling.
Medical records are disclosed to the wrong person and accessed. The disclosure has led to a mental breakdown, loss of employment or attempted suicide.
Financial information has been sent to the wrong person causing distress.

In essence, we specialise in getting compensation for individuals where the wrongful disclosure has significantly impacted their lives.

If a claim is pursued by commencing court proceedings, the amount of compensation awarded will be assessed by the judge hearing the case, who will take into account all the circumstances. This will include how serious the infringement was and its impact on you, particularly when assessing the distress you have suffered.

Depending on the severity of the case

To be successful, you must demonstrate a breach that has caused some damage. It is not enough simply to have a breach. You must prove the distress and any loss. Medical records may assist along with documents and receipts to prove other financial loss.

If the claim court proceedings become necessary the court will look at the complexity and value of the case and decides which 'track' to place it in. If it is allocated to the small claims track because it is of limited value and complexity neither party will be recovering their costs, only their reasonable disbursements if they win.

When a case is placed in a higher track the court should award costs to you if you win. It can also award costs against you if you lose. Those costs can be significant. We should be able to get insurance to cover those costs. If you win the insurance premium is usually recoverable from the other side providing the terms of insurance have been followed and the case involves the misuse of your private information or breach of confidence. Insurance is available for pure GDPR claims however the premium is not recoverable and would have to be paid out of damages.

For more information contact John Bennett in our Data Breach Claims department via email or phone on 01254 872111. Alternatively send any question through to Forbes Solicitors via our online Contact Form.

Learn more about our Data Breach Claims department here

Inheritance Tax and Making Lifetime Gifts

The Risks of Unregulated Providers in Divorce