The decision of Saini J in Warren v DSG Retail Limited may well have narrowed the heads of claim for claimants to rely on to bring these claims. Unfortunately for the defendants to such claims, the decision is not likely to have the same effect where there has been some “positive action” from the defendant, such as in the case of the infamous mis-sent email (as opposed to a malicious hack).
On more than one occasion, clients have remarked “the world has gone mad” when facing a claim following a seemingly innocuous, often entirely accidental, data security breach. These claims can be very challenging for defendants as there are a number of ways in which the claimant can make life very difficult; it is often not possible to deny liability and there is very limited guidance on the value of damages for such claims.
The claim is usually for breach of the individual’s personal data rights under the data protection legislation (UKGDPR and Data Protection Act 2018), but claimants will also often plead other causes of action such as breach of confidence (BOC), misuse of private information (MPI), negligence and breach of Article 8 of the European Convention on Human Rights (ECHR). This has the effect of making the claim more complex, increasing legal costs on both sides.
Many claimants take out after the event (ATE) insurance which pays out in the event that the claimant is ordered to pay the defendant’s costs. Typically, ATE insurance also covers the claimant’s disbursement costs (such as counsel’s fees) and is often combined with a conditional fee agreement with the solicitor – where all or part of the solicitor’s fee is payable only in specific circumstances (usually a defined level of “success”). The result is that in some types of cases an individual can bring a claim without any personal exposure to costs. BOC and MPI claims are among a very small number of claims where the premium associated with ATE insurance policies can still be recovered from the losing party as part of a costs award. This makes these claims attractive to claimants.
Warren v DSG was a claim that followed a malicious hack on the point of sale systems of Curry’s PC World and Dixons Travel (operated by DSG). The claimant alleged that his name, address, phone number, date of birth and email address had been lost in the malicious hack and as a result he had suffered distress. He brought claims under the data protection legislation, BOC, MPI and in negligence. The court struck out the MPI and BOC claims – crucial for the recovery of ATE insurance premiums – because those claims require a “positive action” from the defendant; there had been no “positive action”, instead a third party had infiltrated the defendant’s systems and taken the information.
The court also struck out the negligence claim on the basis that the claimant’s recourse against the defendant was under the data protection legislation and he had not suffered sufficient damage to bring a claim in negligence.
The decision, if followed by other courts, will remove some of the options for claimants seeking compensation following a data security breach. However, it does not remove the ability to claim BOC/MPI where there has been some “positive action” (such as a mis-sent email) and it remains the case that claimants are entitled to compensation for “non-material damage” caused by an infringement of the UKGDPR, which includes distress. This compensation is very difficult to quantify.
Claims following data security breaches are unlikely to dry up, and costs implications will remain a significant factor when responding to them. From the outset, it is important to think strategically about the likelihood of funding available to the claimant (for example, by bearing in mind that pre-action correspondence may be shared with insurers) and to be aware that the costs claimed by the claimant could far exceed the damages sought. This problem can become stark where the claimant has engaged solicitors on the basis they are paid only upon “success”, which could be triggered even by a nominal offer being accepted.
It may also often be possible to seek to strike out poorly pleaded claims (or parts of those claims) at an early stage in proceedings. This is also highlighted by another recent case, Ashley v Amplifon Ltd, in which the negligence and BOC parts of a data breach claim were struck out, with the remainder of the claim transferred to the small claims track. While the small claims track may well be the most appropriate place for certain claims, this has implications for costs too, as there is very limited ability for either party to recover costs from their opponent.
The Supreme Court gave judgment in Lloyd v Google LLC on 10 November 2021 (see our blog post).
The decision marks a crucial point in the development of the law on data protection by providing further clarity on types of claims and damages which may follow privacy incidents. The court held, amongst other matters, that a claimant must suffer some form of material damage (financial or otherwise) or distress, for a claim under the Data Protection Act 1998. Absent that, a “loss of control” of data does not entitle the data subject to claim damages. There is an important technical point in that Lloyd v Google LLC was decided under the ‘old’ Data Protection Act 1998 but the Supreme Court’s approach may well be followed for claims under the Data Protection Act 2018 / UK GDPR. Since this means the ability to claim damages depends on the facts of each individual case, with the individual proving actual loss, this may well make such claims less attractive to a funder. “Loss of control” damages may also still be available for MPI claims but following Warren v DSG Retail Limited, an MPI claim is likely to be unavailable to a claimant without some “positive action”.