+44 (0)20 7421 8000
36 Bedford Row
London, WC1R 4JH
Read Our COVID-19 Update Here
Commercial News

Damages & Distress: data protection leaks in court

12th April 2022

First published in New Law Journal - March 2022

The UK courts have been exploring the limits of litigation brought by or on behalf of data subjects where there has been unlawful transmission or disclosure of personal data.  Fergus McCombie of 36 Commercial surveys the state of play.

In brief:
The UK courts have shown a willingness to analyse damages and procedural matters in low-level data protection claims along traditional English law lines.
There are challenges to that approach where there has been mere loss of control of personal data.

This article considers cases of deliberate or inadvertent access gained by third parties, other than the controller or data subject, to personal data.

What types of claim can be brought?

In Warren v DSG Retail Ltd [2021] EWHC 2168 (QB) Saini J considered a claim of low value brought against Dixons Carphone (“DSG”) arising from a cyber attack, perpetrated in 2018, by which the attackers gained credit card and other personal data.  The ICO had already issued a monetary penalty notice in the sum of £500,000.  A private claim was brought by one victim in misuse of private information (“MPI”), breach of confidence (“BoC”), breach of the Data Protection Act 1998 and negligence.

In granting DSG’s application for strike out / summary judgment of the MPI, BoC and negligence claims, the judge held (at [22]) that: “neither BoC nor MPI impose a data security duty on the holders of information (even if private or confidential).  Both are concerned with prohibiting actions by the holder of information which are inconsistent with the obligation of confidence/privacy.  Counsel for the Claimant submitted that applying the wrong of MPI on the present facts would be a ‘development of the law’. In my judgment, such a development is precluded by an array of authority.”

In respect of negligence, there is older authority to the effect that there is no duty of care in conduct covered by the data protection legislation (Smeaton v Equifax plc [2013] 2 All E.R. 959).  In respect of MPI, the judge added (at [27]):

“I accept that a ‘misuse’ may include unintentional use, but it still requires a ‘use’: that is, a positive action.”

Claims for damages

Next, Lloyd v Google LLC [2021] UKSC 50 (10 November 2021) decided that damages for mere loss of control of personal data are not available for breach of the Data Protection Act 1998, even if the cause of action is expressed in an MPI claim.

Lloyd is worth a recap.  Between August 2011 and February 2012, Google is alleged to have installed software on Apple iPhones (the “Safari Workaround”) which allowed Google to track website visits and facilitate targeted advertising.  Mr Lloyd brought a representative action under CPR 19.6 on behalf of all those affected, backed by significant litigation funding.  The use of the representative action procedure required a class of persons having “the same interest” in the claim, which was said to be the loss of autonomy or loss of control suffered by all in the class, in a uniform manner.

The Supreme Court (Lord Leggatt) pointed out that the remedy of damages itself relied upon an individualised compensatory assessment, requiring the participation of a claimant in the proceedings (para.80).  This limited the scope for the remedy of damages in a representative action.  It would have been permissible to adopt a “bifurcated approach”, whereby the representative action sought a declaration as to breach, and an individualised assessment of loss and damage followed for every claimant.  However (presumably) that would not have led to a return for the funders.

Against that background, the Court considered that s.13 of the Data Protection Act 1998 did not give an individual a right to compensation without proof of material damage or distress (para.115).  There was no requirement of EU law to that effect.  That could be contrasted with a claim for MPI, where damages for mere loss of control are available (see e.g. Gulati v MGN Ltd [2017] QB 149).  Further still, even if damages for mere loss of control had been available under the DPA, there would still have been a need to demonstrate the extent of unlawful processing in the individual case, which again would have negated a representative action (para.144).

It is of course true that both Warren and Lloyd were decided under the 1998 Data Protection Act, and indeed in Lloyd the Court specifically disavowed any view as to the applicability of the GDPR or Data Protection Act 2018 (para.13).  Whether the position is any different under Article 82 of the UK GDPR is one of the issues in the TikTok case (see below).

Interestingly, the District Court of Munich has recently awarded a claimant 2,500 Euros in damages on the basis not that their personal data had been used to commit fraudulent activity, but that there was a possibility that it would be so used in the future (9 December 2021, Case no.31 O 16606/20).  This is part of a current controversy over the scope of EU GDPR Article 82, in respect of which preliminary rulings from the CJEU on applications from Germany and Austria are awaited.  The Munich case concerned a cyber attack on a financial institution resulting in theft of the customer’s data – so on the facts, similar to the Warren scenario.  It remains to be seen what implications, if any, the developing EU Article 82 jurisprudence might have for the UK GDPR.

Procedural limitations on nuisance value claims

In the meantime, the courts have been doing their best to put nuisance claims firmly in their procedural place.

In Rolfe v Veale Wasbrough Vizards [2021] EWHC 2809 (QB), a letter demanding the payment of school fees was sent by email by mistake to a person with an almost identical address to that of the mother.  The actual recipient responded promptly and deleted the message … and the family brought a claim for damages in the High Court.

In granting summary judgment, the Master relied on the “inherently implausible suggestion that the minimal breach caused significant distress and worry or even made them ‘feel ill’.  There is no credible case that distress or damage over a de minimis threshold will be proved.”

Where the court has been able to identify factors against summary judgment or strike out, the result has been to transfer to the county court.

In Johnson v Eastlight Community Homes [2021] EWHC 3069, a compilation of rent statements was mistakenly sent out.  The claim for distress was that the claimant’s information “would somehow become known” to her former partner.  She filed a precedent H totalling in excess of £50,000.  The claim was transferred to the county court on the basis that damages appeared to be extremely low as opposed to falling below a de minimis threshold as in Rolfe.

Similarly, in Ashley v Amplifon Ltd [2021] EWHC 2921 (QB), Kerr J held that the factual matters to be resolved justified a transfer, probably to the small claims track, so that the defendant could not “rid itself of the action in a manner that prevents its disclosure obligations from arising.”

Claimants’ attempts to justify issuing in the High Court sometimes rely on a narrow reading of CPR 53.1(2) to the effect that where a “media and communications claim”, including a claim for MPI or in data protection, is issuable in the High Court.  This is a false reading given that CPR 53.1(3) makes it clear that the relevant causes of action still have to constitute “a High Court claim“.

The High Court has now grappled with the issue head on in Stadler v. Currys Group Limited [2022] EWHC 160 (QB).  When the claimant went to repair their TV, Currys advised against it on the grounds of disproportionate cost.  Currys sold the TV on to a third party without wiping the claimant’s data.  In 2020 a movie was purchased by the new owner using the claimant’s Amazon account through the smart TV.

A High Court claim was brought for up to £5,000 for MPI, BoC, negligence and breach of the UK GDPR and the 2018 DPA.  The DPA claim alone remained after the judge struck out the other claims by application of the various principles explained above.  The extent of the breach of statutory duty remained to be assessed, and the breach, although of low value, did not appear to fall foul of the de minimis principle.

As to allocation, the judge issued a reminder of the CPR PD7A 2.4 criteria which are required to be satisfied if the claim is to be dealt with in the High Court. 

if by reason of:
(1) the financial value of the claim and the amount in dispute, and/or
(2) the complexity of the facts, legal issues, remedies or procedures involved, and/or
(3) the importance of the outcome of the claim to the public in general,
the claimant believes that the claim ought to be dealt with by a High Court judge.

These factors should be regarded by practitioners as dictating the correct forum, with a healthily objective approach rather than an over-reliance on the belief of a claimant.

TikTok - countdown to the future

Judgment in various procedural matters in SMO v TikTok Inc. and Others [2022] EWHC 489 (QB) was handed down on 8 March 2022.  A summary judgment application will be heard in the coming months.

SMO is a minor acting through her litigation friend, the former Children’s Commissioner for England.  She has brought a claim as a representative under CPR 19.6, being the same route as that of Mr Lloyd.  She alleges data protection breaches and MPI by the TikTok platform of (essentially) UK and EEA child users and account holders.

Due to the fact that various of the defendants are based outside the jurisdiction, one of the applications recently heard by Nicklin J was whether the representative claim had any real prospect of success in the light of Lloyd, so as to allow for service outside the jurisdiction.

The claimant argued that Lloyd was distinguishable on a number of grounds, including the fact that it had not been decided under the UK GDPR and the Data Protection Act 2018, that the UK GDPR required “non-material” damage to encompass “loss of control”, that the class of claimants was comprised of children who actually used TikTok at the material time, that there was an MPI claim, and that there was intrusive processing of personal data leading to any de minimis threshold being crossed (paras 42-44).

Importantly, only the UK-based TikTok entity was heard, out of 6 defendants.  That was a powerful factor leading to the judge’s conclusion that permission to serve out of the jurisdiction should be given, so that argument about summary judgment in the defendants’ favour could be heard in the future with the benefit of submissions from all sides.

The summary judgment application will have to engage with Lloyd and the hurdles that arose in that case in respect of the representative class action and the effect of the non-availability in English law of mere loss of control damages.  For reasons that can easily be seen from the strictly domestic cases referred to in this article, the arguments have the potential to reverberate within the UK as well as around the world.

Related Barristers