Stadler v Currys

The Case

The claimant (Mr Stadler) had purchased a TV from Currys in 2016. He then had cause to return the TV for repairs, but before doing so he did not log out of the various apps, he had installed. The defendant (Currys) were unable to fix the TV, and as it was not economically viable to repair, compensated the claimant with a new TV. The defendant then sold the original TV to another customer without first resetting it to its factory setting. Movies were then purchased by the new owner using the claimant's Amazon Prime account. A complaint was made by the claimant and the defendant reimbursed the losses and provided a £200 voucher as a gesture of goodwill.

The claimant then brought a claim against the defendant for misuse of private information and breach of confidence, claiming compensation of £5,000 for alleged breaches of Article 82 of the UK GDPR and Sections 168 and 169 of the UK Data Protection Act 2018.

The defendant challenged the claim because the claimant had already been compensated in full for his distress and that the claims for MPI and BoC had no reasonable prospect of success. The defendant also applied for summary judgment.

Outcome

His Honour Judge Lewis struck out Stadler's claims for MPI and BoC, stating that the claims were "fundamentally flawed". He ruled that in passing the TV to Currys (a third party), the claimant was not making use of the data or information at the time of the breach, and it must follow therefore that there could not have been any unauthorised misuse of the information by them.

The conclusion reached in this case seems to be in keeping with the ruling applied by Mr Justice Saini in Warren v DSG and reaffirms the position that data controllers will not be held directly liable for MPI or BoC when the positive action alleged to have amounted to the breach is carried out by an unknown third party. The defendants' failure to wipe the claimant's information from the TV before reselling it on was not a 'positive action' concerning the affected data. It could not, therefore, amount to misuse of that data. In theory, it would be the person who subsequently bought the TV who would be liable for the misuse of the data. The judge also reiterated that the High Court was not the right forum for low-value data breach claims to be heard.

The Context

The number of low-value data breach claims issued against data controllers in the High Court has grown exponentially in recent years, with the majority of these cases being brought before the Media and Communications List, a specialist branch of the High Court. The consensus appears to be that the recoverability of legal costs and disproportionate ATE policy fees is likely to be driving the trend of issuing in the High Court.

It should be noted however that HHJ Lewis did allow the claimant's claim for breach of data protection legislation to continue, as he considered that it did have reasonable prospects of success. He dismissed Currys' arguments that the alleged breach was too trivial to give rise to a claim for damages and provided a reminder, and clear illustration, of the fact that the triviality threshold in data breach claims applies to the breach itself and not to the level of damage suffered.

HHJ Lewis transferred the case to the County Court to be dealt with in a manner proportionate to its value and, in so doing, made it plain that although he considered that the claim should not have been issued in the High Court, it still passed the threshold of seriousness and should now be heard in the County Court. It remains to be seen what track the case is allocated to.

Compensation for distress can still be recovered where an organisation accidentally or mistakenly releases personal and sensitive data. Here at Forbes Solicitors, we act for individuals who have suffered distress as a result of data breaches where their sensitive data has been released by mistake.