09 June, 2022
Although it still remains unclear as to what the tariff for compensation should be, where the de minimis threshold for a data breach claim is satisfied, it is clear to see that the High Court are taking a firm stance on imposing restrictions on low value cases, making them disproportionate to bring, and less viable to fund.
Two further recently decided cases have re-affirmed this stance.
Johnson v Eastlight  EWHC 3069
This case centred around information about the Claimant (who was a tenant of the Defendant), which was sent in error to another tenant. The information was essentially anodyne, consisting only of the Claimant's name, address and rent payments made.
On receiving the information the incorrect recipient informed the Defendant immediately and was asked to delete the email. The incident was then reported to the Claimant and also to the Information Commissioner's Office, who opted to take no further action.
The Claimant issued proceedings in the Media and Communications List of the High court for breach of confidence, negligence, Misuse of Private Information (MPI), breach of Article 8 of the European Convention on Human rights and a breach of the Data Protection Act 2018, seeking damages for distress limited to £3,000. The Claimant's Solicitors estimated costs to Trial were budgeted to be in excess of £50,000.
The Defendant applied for summary judgment of the claim on the basis of disproportionality and the de minimis (Jameel) principles
The court decided that the claims for breach of confidence, MPI and breach of Article 8 added nothing to the data protection claim, and those claims were struck out. The surviving data protection claim was then transferred to the Small Claims Track of the County Court, stating that the commencement of the claim in the High Court had been an abuse of process.
Ashley v Amplifon Ltd  EWHC 2921 (QB)
In this case the Defendant sent the Claimant's employment contract to another employee by mistake. That employee then informed the Claimant direct, who then notified the Defendant. The Defendant then asked the employee to delete the email immediately. However the Claimant was never told about this. The Claimant's case was that he was not updated about the steps the Defendant had taken to delete the email, until he received the Defendant's Defence to the claim 14 months later. The Claimant contended that it was this failure to keep him updated that had added to his distress.
The Claimant issued proceedings in the High Court for a breach of the UK GDPR, misuse of private information (MPI), breach of confidence and negligence.
The Defendant applied for summary judgment to strike out the claims on the basis of disproportionality, in that only very minimal damages would be awarded even if the claim was successful, and that the court should not allow the claim to proceed under the "de minimis principle".
The Judge struck out the claim for breach of confidence stating that it added nothing further to the GDPR and MPI claims. The Claimant also conceded that the negligence claim could not be pursued (following DSG v Warren). This left only the surviving claims for breach of GDPR and MPI.
The Judge then referred to previous case law, in that the application for strike out essentially hinged on whether or not there is a court process that could be used in a proportionate way to determine a low value data breach claim like this. The Judge then decided to transfer the GDPR and MPI claims to the County Court Small Claims track on the basis that it was not possible to determine without a full trial whether the de minimis principles applied.
It is clear to see that it is becoming more and more difficult to see how individual 'low value' claims for distress can now survive anywhere other than the Small Claims Track. The ability to recover the costs of bringing a claim in this track are severely limited and make any such claims practically uneconomical to run. Although, by the same principle, if Claimants are determined enough to pursue them, then the Defendants also face the prospect of irrecoverable legal costs.
These cases send out a stark warning to Claimants that if claims are to be brought, they will need to be exceptional and of significant enough value to give Claimants the best chance of remaining on a cost bearing track and recovering legal costs Going forward GDPR claims may also need to be constrained to compensation only for breaches of GDPR and MPI. The recent decisions suggest that the legal arguments need to be more focussed, and narrowed, to prevent them from being struck out. The issues in Ashley -v- Amplifon that played into the decision to allow the case to proceed in the County Court, was purely because the Court wasn't satisfied that the incident had been dealt with promptly by the Defendant. The claimant was not kept informed or re-assured throughout the process, emphasising that the courts will levy as much weight on how a Defendant responds to a breach, over how and why it occurred in the first place!
Although the above cases will be unhelpful to Claimant's Solicitors going forward, the judgments are helpful on providing clarity in this ever developing area of the law. Minor data breaches will undoubtedly continue to happen, and whilst in many cases the Courts will be inclined to dismiss opportunistic claims for what they are, there may be less sympathy for an organisation who does not deal with a breach in a timeous manner, or does not learn from its mistakes. The cases outline that while low-value data breach claims can still be brought, they must be simplified and seen in the County Court in order to control costs and comply with the overriding objective of the Civil Procedure Rules.
That said, data subjects are still entitled to have their data processed in accordance with the law, and the remedy of damages for distress is an important tool in holding data controllers to account when they fail to do so. However, any claims for distress should be brought in the appropriate forum, and at proportionate cost.
For a free initial consultation, or to receive any further information and guidance relating to the mishandling of data which may give rise to a possible civil claim, please contact a member of our Data Breach Claims Team on 01254 872111. Alternatively send any questions through to Forbes Solicitors via our online Contact Form.
For more information contact Lisa Atkinson in our Personal Injury department via email or phone on 01254 222448. Alternatively send any question through to Forbes Solicitors via our online Contact Form.
Learn more about our Personal Injury department here