16th February 2022
Walker Morris’ data breach litigation experts Gwendoline Davies, Nick McQueen, and Jack Heward look at the latest in a recent run of cases dealing with low value data breach claims and consider the court’s further guidance in this area.
Click here for our practical advice about how organisations can proactively protect themselves against the risk of data breach litigation.
The decision in Stadler v Currys Group Ltd  is consistent with the courts’ approach to giving short shrift to low value, unmeritorious or exaggerated claims – a welcome trend for data controllers.
This was a low value consumer dispute about responsibility for the security of data stored on a smart television when the claimant returned it to the defendant retailer for repair. The defendant offered to write it off and compensate the claimant with a voucher, which the claimant accepted. The defendant sold the television on without performing a factory reset or data wipe. A movie was subsequently purchased by someone using the claimant’s Amazon account through the television. The defendant swiftly reimbursed the claimant £5 for the £3.49 purchase and contacted him again two days later to make sure he had changed his passwords for Amazon and any other apps. A week later a £200 shopping voucher was provided as a goodwill gesture.
The claimant brought proceedings seeking damages (including aggravated and exemplary damages) up to £5,000 for: misuse of private information; breach of confidence; negligence; and breach of data protection law . He also sought an injunction requiring the defendant, if it continued to process his personal data, to act in accordance with the requirements of the UK GDPR and the Data Protection Act 2018. He also sought a declaration that by processing his personal data the defendant had breached Article 5(1) of the UK GDPR, which sets out the principles relating to the processing of personal data.
The claimant pleaded that the personal data and private information that was compromised included his name, the account details for several apps and/or accounts including Amazon Prime, Sky, Netflix, Disney Plus and BT; and payment details in respect of those accounts.
The defendant applied to have the claims struck out and/or summarily dismissed.
The judge dismissed all of the claims apart from the data protection claim, although he made very clear that it should have been brought in the County Court and not in the High Court. Further factual information was needed to evaluate the extent of the defendant’s duties to the claimant under data protection law, in particular concerning what was said between them when the television was handed over and when it was agreed it would be scrapped, and what terms and conditions applied to the repair and subsequent disposal.
The data protection claim had a reasonable prospect of success. On the basis of the claimant’s account of events, it seemed that the defendant would or should have been aware that there was personal data on the television, and it was certainly arguable that it had duties as a data controller, particularly if at any point it became the owner of the television. If the defendant was a data controller, then it would have been under data protection duties in respect of the disposal of data, which is a form of processing. These were matters to be considered at a final hearing – they were not appropriate to be determined on a summary basis.
The following legal and practical points arose in this case:
Walker Morris’ Commercial Dispute Resolution lawyers are highly experienced in resolving and defending data breach claims. This expertise, when combined with our specialist Regulatory & Compliance team’s comprehensive understanding of the regulatory background, and the experience of our multidisciplinary Technology & Digital Group, ensures that an informed and robust strategy can be adopted.
As well as helping you to respond quickly and effectively if and when a data breach occurs and any claim is threatened, our specialist solicitors can help you to refine your pre-emptive risk management strategies, whether that be carrying out health checks in respect of policies and procedures with a view to mitigating against claims of this nature, training staff and/or keeping you up to date with the legal and regulatory matrix.
If you would like to discuss any of the issues covered in this or our earlier briefings, please do not hesitate to contact Gwendoline, who will be very happy to help.
  EWHC 160 (QB)
 Article 82 of the UK GDPR provides the right to compensation from the data controller or processor for material or non-material damage suffered as a result of an infringement. Non-material damage includes distress.
 See our briefing on the Supreme Court’s decision in Lloyd v Google
 See our briefing on Johnson v Eastlight Community Homes
 See our briefing on Warren v DSG Retail
(FCIArb) Head of Commercial Dispute Resolution