Over the last couple of years, the High Court has been sceptical of low-value compensation claims for minor data breaches (see our previous articles here and here). Such scepticism is illustrated by the High Court:

1. criticising the “kitchen sink” approach adopted by claimants who bring overly complex claims with multiple causes of action and narrowing the scope of claims by dismissing misuse of private information and breach of confidence claims as in Warren v DSG Retail Ltd [2021] EWHC 2168 (QB), Johnson v Eastlight Community Homes Ltd [2021] EWHC 3069 (QB) and William Stadler v Currys Group Limited [2022] EWHC 160 (QB);

2. transferring straightforward, low-value data breach claims to the County Court as the most appropriate court to hear the claim as in Warren v DSG Retail Ltd, Johnson v Eastlight Community Homes Ltd, Ashley v Amplifon Limited [2021] EWHC 2921 and William Stadler v Currys Group Limited; and

3. condemning data breach claims for damages when there is little to no harm or the harm claimed has no prospect of meeting the de minimis threshold for receiving damages as in Rolfe v Veale Wasbrough Vizards LLP [2021] EWHC 2809 (QB).

A recently published case in England and the Opinion of EU Advocate General, Campos Sanchez-Bordona, on UI v Österreichische Post AG in October 2022 have given further support to the approach of the High Court, although the traffic has not been all one way as the High Court decision in Driver v Crown Prosecution Service [2022] EWCH 2500 (KB) departed slightly from this emerging line of judicial thinking.

We take a closer look at these three cases below and provide you with some key takeaways.

The County Court is the best forum for straightforward, low-value data breach claims ^[1]

A case heard in November 2021, but only recently published, has provided a further blow to claimants seeking to push simple, low-value data breach claims into the High Court through multiple causes of action.

The facts of this case were common and straightforward. The defendant’s employer inadvertently emailed a letter intended for one of its employees, the claimant, to one of his colleagues.

The claimant subsequently brought a claim against the defendant employer for breach of data protection legislation, misuse of private information and breach of confidence.

Before considering the claimant’s reasons why the claims should be heard in the High Court, the judge questioned a section of the claimant’s original letter of claim. The letter stated that if arguments were put forward by the defendant that the matter should be heard in the small claims track, the claimant reserved the right to claim for aggravated damages.

The judge said that this amounted to “making a threat to attempt to dissuade the Defendant from seeking to have the claim allocated to the small claims track.” The judge lamented this approach as “inappropriate and without foundation.” These obiter comments act as a warning to claimant solicitors that they should not attempt to threaten or discourage defendants from making arguments as to the procedural allocation of a case.

The claimant provided the following reasons why these claims should be heard in the High Court:

1. the nature of the data breach claims fell within the scope of the specialist Media and Communications List;

2. the equitable breach of confidence claim fell outside the limited equity jurisdiction of the County Court; 

3. the “highly-specialised nature of the causes of action” requires a specialist judge; and

4. the data breach claims related to “a developing area of the law.”

The judge rejected these reasons as he found the case was not complex and did not need a specialist judge. Additionally, in straightforward cases like this, where there was no real factual dispute, the judge emphasised there is little value in the claimant complicating the claim by including additional claims for misuse of private information or breach of confidence. This stance is supported by the High Court decisions in Johnson v Eastlight Community Homes Ltd and William Stadler v Currys Group Limited, which also criticised the “kitchen sink” approach used by claimants in those cases.

The judge was also heavily critical of the claimant’s anticipated legal costs when he said, “no ordinary litigant would incur costs approaching GPB £50,000 in order to recover GBP £3,000. The likely irrecoverable costs would almost certainly exceed the sum that Mr. Cleary was claiming in damages. In that respect, litigation of his claim in the High Court makes no sense for Mr. Cleary.” His comments on costs reinforced the decision in Johnson v Eastlight Community Homes Ltd, where the judge threw out claims for breach of confidence and misuse of private information partly because of the unreasonable costs that had been incurred and budgeted for. 

The judge, therefore, concluded that this case should be transferred to the County Court as there was little by way of factual dispute, the legal issues were not complex, so could be considered without the need for a specialist judge and the anticipated costs were disproportionate to the amount of damages claimed. He acknowledged that the effect of the courts routinely allocating small data breach cases to the County Court might mean that claimants might find it difficult to find lawyers to represent them, particularly if cases were allocated to the Small Claims Track, which has limited costs recovery, but considered that this wider policy issue should not ultimately affect the decision as to the proper allocation of a claimant’s claim.

“Mere upset” not enough opined Court of Justice of the EU (“CJEU”) Advocate General – Opinion of Advocate General Campos Sanchez-Bordona on UI v Österreichische Post AG^[2]

The Opinion of EU Advocate General Campos Sanchez-Bordona, delivered on 6 October 2022, was welcome news to EU defendants in data breach claims because it firmly placed the onus on claimants to prove data breaches caused harm and that the harm was more than “mere upset.“

In this case, a postal company (the defendant) was collecting party affinity data for the Austrian population (including that of the claimant). An algorithm was utilised by the defendant to define ‘target group addresses’ for election advertising and they extrapolated the party affinity data received to determine the claimant’s classification within the possible target groups.

The claimant had not consented to his personal data being processed and proceeded to make a claim against the defendant for non-material damage under Article 82 General Data Protection Regulation (“GDPR“). He sought compensation of EUR €1,000. The claimant said that the political affinity attributed to him was “insulting and shameful, as well as extremely damaging to his reputation.”

The claim was dismissed by the first-instance court in Austria and the appellate court agreed with the first-instance decision. The claimant appealed to the Austrian Supreme Court of Justice, who referred multiple questions to the Court of Justice of the European Union. The pertinent questions that the Advocate General responded to are as follows:

1. “Does the award of compensation under Article 82 of the GDPR also require, in addition to infringement of provisions of the GDPR, that an applicant must have suffered harm, or is the infringement of provisions of the GDPR in itself sufficient for the award of compensation? Is it compatible with EU law to take the view that the award of compensation for non-material damage presupposes the existence of a consequence of the infringement of at least some weight that goes beyond the upset caused by that infringement?”

In response to question 1, the Advocate General determined that compensation is only available under Article 82 GDPR if the applicant can demonstrate that an infringement of the provisions of the GDPR caused damage. Regarding question 2, the Advocate General differentiated between “mere upset,” which is not eligible for compensation, and “genuine non-material damage,” which is eligible for compensation.

The Advocate General’s opinion aligns with the English decision Rolfe v Veale Wasbrough Vizards LLP, in which the judge summarily dismissed the claim after finding that a minor data breach did not cause credible harm to the claimant nor could the claimant demonstrate the harm claimed was above a de minimis threshold for a damages award.

Damages awarded for a data breach “at the lowest end of the spectrum” – Driver v Crown Prosecution Service [2022] EWCH 2500 (KB)

This October 2022 decision certainly came as a surprise in light of the recent trend of High Court decisions on low-value data breach claims, but the content of the data breach may explain why.

A Crown Prosecution Service (“CPS“) solicitor sent an email to a member of the public in June 2019 about a potential charging decision relating to Operation Sheridan (a high-profile police investigation into alleged misconduct in Lancashire and Liverpool local councils) in which Mr. Driver was a suspect.

Mr. Driver initiated proceedings against the CPS in the High Court for a breach of the UK Data Protection Act 2018 (the “DPA“), a misuse of private information and infringement of his rights under s.8 Human Rights Act 1998 (the “HRA“).

The judge, rather than send the matter to the County Court for determination as had happened in numerous other simple, low-value data breach cases, decided to rule on the matter. He determined that the CPS processed Mr. Driver’s personal data in the email it sent because “it indirectly allowed him to be identified as one of the people in relation to whom a file had been sent to the CPS for a charging decision.” The judge found this breached the DPA and, as such, was unlawful because there was no need to provide this information to a third party. 

However, the judge rejected the claims for misuse of private information and breach of s.8 HRA. The judge concluded that Mr. Driver had waived his right to privacy when he identified himself publicly as being “a target of Operation Sheridan” in March 2016.

As the data breach was “at the lowest end of the spectrum” and caused a “modest degree of distress,” the judge awarded damages of GBP £250 to Mr. Driver.

Despite the simplicity of the breach and low damages award, the High Court judge did not explain why he chose not to send this case to the County Court. Nevertheless, the only clear difference between this case and other similar low-value data breach claims appears to be the content of the data breach, which pertained to a high-profile criminal investigation.

Key Takeaways

1. High Court judges remain unimpressed by claimants overcomplicating simple data breach claims and seem likely to either send these claims to the County Court or dismiss them entirely. The approach in Driver v CPS appears to be an anomaly, possibly due to the content of the data breach, which is related to a high-profile criminal investigation.

2. Although obiter, defendants have been given some comfort by the fact that they can present arguments as to the appropriate court allocation of a case without the fear that claimants will seek aggravated damages from them if the case is allocated to a lower court.

3. The model used by many claimant solicitors of pursuing low-value data breach claims by way of conditional fee agreements and after the event insurance may be under threat if cases become routinely dealt with by the County Court Small Claims Track. If this happens, then it is likely to lead to a reduction in low-value data breach claims generally.

4. From an EU perspective, the Advocate General’s Opinion could well reduce the number of vexatious data breach complaints in the EU where there is no damage or where the damage claimed is insignificant, although it remains to be seen whether the CJEU itself will follow the Advocate General’s Opinion.

FOOTNOTES

^[1] Cleary v Marston (Holdings) Ltd [2021] EWHC 3809 (QB)

^[2] Case C-300-21