Two More Nails in the Coffin for Opportunistic Data Breach Claims
Following on from a string of cases in 2021 concerning minor data breaches (see our earlier article here), two further cases in Q1 of 2022 have continued the trend of High Court scepticism. Such compensation claims, usually involving multiple causes of action, often find themselves trimmed down and sent to the County Court, if not struck out entirely.
In our review below, we shed some light on the judiciary’s attitude towards opportunistic claimants.
Condemnation of the “kitchen sink” approach – William Stadler v Currys Group Limited  EWHC 160 (QB)
Whilst claimants continue to pile up multiple causes of action in data breach compensation cases, presumably, in the hope of increasing their prospects of a successful recovery, this approach appears to have the opposite effect, as the claimant in this case discovered.
Mr. Stadler purchased a Smart TV from Currys in September 2016. Mr. Stadler logged into various apps, including Amazon Prime, but returned the TV to Currys in September 2020 for repair. Mr. Stadler was not asked to wipe the data from the TV before returning it and did not log out of any apps before leaving it with Currys. Repairing the TV was considered too costly, so Currys wrote it off and sold it to a third-party company without having wiped the data from it. Someone subsequently purchased a film from Stadler’s Amazon account.
Mr. Stalder telephoned Currys, who reimbursed him for the cost of the film and ensured that he had logged out of all apps and changed the password. Currys also gave Mr. Stadler a £200 shopping voucher as a gesture of goodwill. Nonetheless, Mr. Stadler went on to issue proceedings, alleging misuse of private information, breach of confidence, negligence, and breach of data protection laws (Article 82 of the UK GDPR and the Data Protection Act 2018). He claimed aggravated and exemplary damages up to £5000, as well as an injunction requiring compliance with the data protection law in question and a declaration that the data processing had breached Article 5(1) of the GDPR.
Currys applied for a strikeout on the basis that Mr. Stadler had no reasonable grounds for making a claim, pointing out that he had already been compensated and that it would be an abuse to allow him to proceed with costly litigation in such circumstances.
The judge found that Mr. Stadler had not pleaded his case adequately – the confidential information in question was not properly identified, nor was the obligation of confidence, and it was unclear what constituted the alleged misuse given that Currys had not taken any positive action to leak the data and in fact had no actual knowledge of the misuse of the data. A failure to wipe the device was insufficient for either a breach of confidence or misuse of private information claim. Mr. Stadler’s negligence claim failed because there was no actionable harm; Currys had already reimbursed Mr. Stadler financially and distress was insufficient for negligence without a resulting recognized psychiatric illness. In addition, there was no need to impose an additional duty of care when data protection legislation already imposed an adequate duty.
As such, the judge only allowed the claims under data protection legislation to continue and struck out the claims for misuse of private information, breach of confidence, and negligence. The judge was heavily critical of Mr. Stadler’s strategy, saying that these multiple causes of action ‘increased the complexity of the proceedings unnecessarily’, and that it was “difficult to understand on what basis the claimant could have sought to recover aggravated and exemplary damages, nor the purpose of the injunction” and that “[T]hese claims appear wholly misconceived and without merit”.
Directing the remaining data protection legislation claim to be transferred to the County Court (in keeping with previous recent decisions in data breach cases, see our earlier article on this here) he commented “This is a very low-value claim. Consumer disputes of equivalent complexity are heard every day in the County Court on the small claims track and do not need to be dealt with by a High Court Judge.”
There now appears to be a general consensus among High Court judges that minor data breach cases are well suited to the County Court and capable of being dealt with on the small claims track. This recognition may, in time, lead to a reduction of small data breach claims being brought on a no-win, no-fee basis given the limited ability to recover legal costs in the small claims track arena.
Sympathy only gets you so far – Underwood & Anor v Bounty UK Limited and Hampshire Hospitals NHS Foundation Trust  EWHC 888 (QB)
Even for claimants with whom the judge sympathizes, a sense of proportionality is applied. This claimant had even less success than Mr. Stadler and was not allowed to proceed with the data breach claim at all.
The first defendant, in this case, Bounty UK, was a ‘pregnancy and parenting support club’, providing expecting and new parents with information packs and other services, and (until 2018) supplying data to third parties for electronic direct marketing. Bounty had previously been investigated by the Information Commissioner’s Office (“ICO”) in 2017 and 2018 in relation to its practice of collecting records of parents’ full name, date of birth, email address, postal address, pregnancy status, and status as a first-time mother, along with the name, gender, and date of birth of their baby. These records were then shared with 39 organizations based on consent allegedly received during the registration process. The ICO held that this consent was not informed and that data subjects could not have foreseen that their data would be shared with third-party organizations, and Bounty was therefore fined £400,000. As the judge put it in paragraph 11 of the judgment, ‘Bounty’s business model was largely based upon harvesting data from expectant mothers in order to sell that data on to third parties.’
Bounty had a distribution agreement with the second defendant hospital to enter and distribute “Bounty Packs” to new mothers, as well as provide a photography service. These services would encourage new mothers to sign up on the Bounty app, enabling Bounty to sell their data onwards. The hospital terminated its agreement with Bounty following the ICO investigation. The events of Underwood took place prior to this termination.
The claimants were a mother who had given birth in the second defendant's hospital and her child. The mother had signed up on the Bounty app, which would have required her to provide her name, hospital number, and address. A Bounty representative approached the claimants at their hospital bedside shortly after the birth in a way that was unwelcome to the mother. Later on, the mother received random telephone calls and emails from third-party companies and suspected Bounty of having passed on information about herself and her newborn child, most likely obtained by looking at documents at the end of the hospital bed.
Proceedings were issued and general, aggravated, and exemplary (i.e punitive) damages were claimed for breach of the Data Protection Act 1998 (“DPA 1998”)and/or misuse of private information. The mother accused Bounty of accessing data about herself and her child from medical information at the end of the bed and also accused the hospital of allowing this to happen.
As Bounty had subsequently gone into administration, the subject of the trial was whether or not the hospital was liable for the obtaining by Bounty of the information/data and, therefore, the breach/misuse.
The judge concluded that the hospital was not liable for the Bounty representative’s unauthorized access to the information. As in Stadler (above) and Warren v DSG (here), there was no “misuse” of the information because the information was obtained without the hospital’s consent or knowledge, Bounty having signed up to a Code of Conduct imposed by the hospital which emphasized the need to respect expectant mothers’ privacy. There was also no “processing” of data by the hospital in contravention of the DPA 1998 and a suggestion that the hospital had failed to take appropriate technical and organizational measures to prevent unauthorized access to the medical charts at the foot of the bed was rejected on the grounds that this would impose an inappropriate and unnecessary requirement for all patient data to be strictly withheld when access to it was needed so that the hospital could carry out its function of providing medical care. Both the claim for misuse of private information and the breach of the DPA 1998 were therefore dismissed, the ‘real wrongdoer’ being Bounty rather than the hospital.
Whilst the judge stated that he appreciated the decision would be a ‘disappointment’ for the Underwood family and could ‘certainly understand’ why they felt that their data had been exploited, he also made two further comments which, albeit obiter, will undoubtedly prove useful to those seeking to reject compensation claims in respect of minor breaches. First, he considered that even if the hospital had been liable, the actual data which was accessed unlawfully by Bounty in the hospital (i.e. the baby’s name, gender, and date of birth) was not serious enough to engage the tort of misuse of private information. Second, and in terms of the remedy sought, he stated that it is ‘never appropriate to add a claim for exemplary damages simply to mark how upset the claimant is about the defendant’s conduct, or as some sort of negotiating strategy’.
This case, therefore, shows that even in situations creating great emotional sympathy for the claimant, unauthorized access of data by a third party does not automatically lead to a successful claim against the data controller – although the obiter comments about Bounty suggest that the outcome would be different if the claim was brought against the third party wrongdoer.
Provided that appropriate organizational and technical measures are in place, data controllers can now be relatively comfortable that the High Court will continue to treat opportunistic data breach claimants with suspicion. Claims that throw in unnecessarily numerous causes of action and claim damages for vague losses that do not amount to a recognized psychiatric illness are likely to be, at worst, banished to the County Court small claims track, or at best struck out entirely.
Grace Walker also contributed to this report.