Data breach litigation: Further court guidance on pursuing low value claims

16th February 2022

Walker Morris’ data breach litigation experts Gwendoline Davies, Nick McQueen, and Jack Heward look at the latest in a recent run of cases dealing with low value data breach claims and consider the court’s further guidance in this area.

Click here for our practical advice about how organisations can proactively protect themselves against the risk of data breach litigation.

What happened in this case and why is it of interest?

The decision in Stadler v Currys Group Ltd [1] is consistent with the courts’ approach to giving short shrift to low value, unmeritorious or exaggerated claims – a welcome trend for data controllers.

This was a low value consumer dispute about responsibility for the security of data stored on a smart television when the claimant returned it to the defendant retailer for repair. The defendant offered to write it off and compensate the claimant with a voucher, which the claimant accepted. The defendant sold the television on without performing a factory reset or data wipe. A movie was subsequently purchased by someone using the claimant’s Amazon account through the television. The defendant swiftly reimbursed the claimant £5 for the £3.49 purchase and contacted him again two days later to make sure he had changed his passwords for Amazon and any other apps. A week later a £200 shopping voucher was provided as a goodwill gesture.

The claimant brought proceedings seeking damages (including aggravated and exemplary damages) up to £5,000 for: misuse of private information; breach of confidence; negligence; and breach of data protection law [2]. He also sought an injunction requiring the defendant, if it continued to process his personal data, to act in accordance with the requirements of the UK GDPR and the Data Protection Act 2018. He also sought a declaration that by processing his personal data the defendant had breached Article 5(1) of the UK GDPR, which sets out the principles relating to the processing of personal data.

The claimant pleaded that the personal data and private information that was compromised included his name, the account details for several apps and/or accounts including Amazon Prime, Sky, Netflix, Disney Plus and BT; and payment details in respect of those accounts.

The defendant applied to have the claims struck out and/or summarily dismissed.

The judge dismissed all of the claims apart from the data protection claim, although he made very clear that it should have been brought in the County Court and not in the High Court. Further factual information was needed to evaluate the extent of the defendant’s duties to the claimant under data protection law, in particular concerning what was said between them when the television was handed over and when it was agreed it would be scrapped, and what terms and conditions applied to the repair and subsequent disposal.

The data protection claim had a reasonable prospect of success. On the basis of the claimant’s account of events, it seemed that the defendant would or should have been aware that there was personal data on the television, and it was certainly arguable that it had duties as a data controller, particularly if at any point it became the owner of the television. If the defendant was a data controller, then it would have been under data protection duties in respect of the disposal of data, which is a form of processing. These were matters to be considered at a final hearing – they were not appropriate to be determined on a summary basis.

What practical advice arises?

The following legal and practical points arose in this case:

• There were multiple deficiencies in the claimant’s pleadings. Claims proceeding in the Media and Communications List in the High Court must be conducted in accordance with Practice Direction 53B of the Civil Procedure Rules, which prescribes the matters parties are required to address in their pleadings.

• While the Practice Direction does not apply in the County Court, parties to such actions still need to plead their cases properly and would be well advised to follow the Practice Direction, regardless of whether they are required to do so.

• If the claimant’s pleading was correct, this could not be characterised as a trivial data breach given the nature of the information disclosed, and the fact that it appeared at least one of the apps had been used by a stranger since the television was re-sold.

• Damages for non-trivial breaches under section 13 of the (old) Data Protection Act 1998 are not recoverable unless there is proof of damage or distress [3]. The court said that position would appear to apply equally to claims under Article 82 of the UK GDPR.

• The fact that a claim is of low value does not mean that the court should necessarily refuse to hear it – this claim could be managed in a way that was proportionate to its value through allocation to the small claims track in the County Court. If this was a type of claim (for example, defamation) that could not be transferred in this way, then it seemed there would be good reasons for striking it out on Jameel grounds – it would simply “not be worth the candle” [4].

• An important part of any claim for misuse of private information or breach of confidence is the need for there to be a “use” made of the information in the form of a positive action on the part of the defendant [5]. There was a fundamental defect with the claimant’s claims. In passing the television to a third party the defendant was not making use of the data or information that was the subject of the claim. There was no evidence that it had any actual knowledge of the information in question or made use of it. It would be artificial to characterise the disposal of the television as a misuse of the information itself. At best, it could be said that in failing to wipe the device, the defendant was responsible for breaching a duty of data security, but this was insufficient on the facts to make out claims for either misuse of private information or breach of confidence.

• As noted in Warren v DSG Retail, a state of anxiety produced by some negligent act or omission but falling short of a clinically recognisable psychiatric illness does not constitute damage sufficient to complete a tortious cause of action. The only financial loss suffered by the claimant was the cost of the film purchased on his account, but this was refunded by the defendant. The claimant had not brought a claim for personal injury and simply sought to recover damages for distress and anxiety. He had not therefore suffered any recoverable loss and the negligence claim failed.

• It was difficult to understand on what basis the claimant could have sought to recover aggravated and exemplary damages, nor the purpose of an injunction in circumstances where it was known that the defendant did not have the television in its possession. These claims appeared wholly misconceived and without merit.

• It was regrettable that the claimant did not take on board the defendant’s sound advice in its reply to the claimant’s letter before action that High Court judges have made clear recently that these sorts of modest value claim are not suitable for the High Court, or indeed the multi-track, and that there is an obligation on ensuring cases are justly and proportionately managed in accordance with the overriding objective. There did not appear to be any reason for the claim to have been issued in the High Court. This was a very low value claim. Consumer disputes of equivalent complexity are heard every day in the County Court on the small claims track and do not need to be dealt with by a High Court judge.

• By including multiple causes of action in respect of this low value claim, the claimant had increased the complexity of the proceedings unnecessarily. While there will often be good reasons for including more than one cause of action in a claim, especially where there are differences between them in respect of proof of damage, or heads of loss, parties must always conduct litigation proportionately and in accordance with the overriding objective.

• Finally, the judge was unimpressed by what he described as “tactical skirmishing” by both sides. This resulted in the parties having already incurred significant levels of costs – the claimant close to £11,000 (in addition to which there would be his costs of the substantive action) and the defendant around £5,500. This needed to be considered in the context of a claim that might end up being worth just a few hundred pounds, depending on the evidence.

How we can help

Walker Morris’ Commercial Dispute Resolution lawyers are highly experienced in resolving and defending data breach claims. This expertise, when combined with our specialist Regulatory & Compliance team’s comprehensive understanding of the regulatory background, and the experience of our multidisciplinary Technology & Digital Group, ensures that an informed and robust strategy can be adopted.

As well as helping you to respond quickly and effectively if and when a data breach occurs and any claim is threatened, our specialist solicitors can help you to refine your pre-emptive risk management strategies, whether that be carrying out health checks in respect of policies and procedures with a view to mitigating against claims of this nature, training staff and/or keeping you up to date with the legal and regulatory matrix.

If you would like to discuss any of the issues covered in this or our earlier briefings, please do not hesitate to contact Gwendoline, who will be very happy to help.

[1] [2022] EWHC 160 (QB)

[2] Article 82 of the UK GDPR provides the right to compensation from the data controller or processor for material or non-material damage suffered as a result of an infringement. Non-material damage includes distress.

[3] See our briefing on the Supreme Court’s decision in Lloyd v Google

[4] See our briefing on Johnson v Eastlight Community Homes

[5] See our briefing on Warren v DSG Retail