4th November 2022
In a recent case concerning a low value data breach claim, the High Court decided on the level of damages a claimant might receive where their claim is “at the lowest end of the spectrum”. Walker Morris’ data breach experts Gwendoline Davies, Nick McQueen and Jack Heward consider the decision and guidance in Driver v CPS  and explain why data controllers should be interested in the judgment.
This case contributes to the developing court guidance as to the level of damages a claimant can expect in low level data breach claims. The decision follows similarly robust findings from the courts, such as in the cases of Lloyd v Google  and Rolfe .
Businesses and data controllers should welcome the decision, as it continues, and further embeds, the trend towards courts taking a dim view of data breach claimants who seek to overstate the value of their claims .
Due to the mass scale of claims that businesses and data controllers can potentially face from data subjects, there is potential for data breach claim damages to add up from multiple claimants in one singular data breach situation. This case will provide further comfort for businesses and support robust defensive strategies in the face of data breach claims. It should even dissuade some spurious or unmeritorious claims.
The judgment also offers guidance as to what is the appropriate level of damages for a breach concerning limited personal data.
Driver, a well-known figure in local politics, had been a suspect in a local government corruption investigation in 2014 by the name of Operation Sheridan. In March 2016, the police informed Driver he was no longer a suspect. The press was subsequently notified. Driver then became the subject of another investigation under Operation Sheridan. His file was referred to the CPS for it to consider charges.
In May 2019, a member of the public sent an enquiry to the CPS, requesting an update on Operation Sheridan. A CPS lawyer responded in June 2019, advising that “a file has been referred from Operation Sheridan investigation team to the CPS for consideration”. The member of the public passed this information onto other parties, with his own commentary, which named Driver. There was no evidence that the recipients of this information took any action or notice.
Driver brought a claim against the CPS. He alleged that sending their email was a breach of the Data Protection Act 2018 and/or GDPR . He also pleaded other causes of action, including misuse of private information.
Despite the fact that the email did not name Driver, the High Court held that:
“I have no doubt that the June 2019 email contained the Claimant’s personal data in as much as it indirectly allowed him to be identified as one of the people in relation to whom a file had been sent to the CPS for a charging decision…the fact that the Claimant was a suspect in Operation Sheridan was already in the public domain at the time of the sending of the email…and had been so since March 2016. Personal data can relate to more than one person and does not have to relate exclusively to one data subject, particularly when the group referred to is small.” 
The court held that the claim fell within the DPA 2018 regime, not the GDPR, as Driver’s position was that the processing was done for law enforcement purposes. Driver’s claim for misuse of private information failed because the facts were already in the public domain. This is consistent with the court’s views on data breach claims advanced on the basis of misuse of private information, as detailed in Darren Lee Warren v DSF Retail Ltd .
The High Court accepted that the claimant would have experienced a very modest degree of distress. Notably, however, it considered the breach to be at the “lowest end of the spectrum”, and awarded damages of just £250. (Driver had claimed £2,000.)
The decision in Driver is helpful in assessing potential damages in low value data breach claims and is instructive as to the courts’ likely approach. However, it remains vital for businesses to adopt a data breach strategy  and to be aware of risks and their legal obligations. Every data breach claim should be assessed on its own merits.
Walker Morris’ Commercial Dispute Resolution lawyers are highly experienced in resolving and defending data breach claims and our specialist Regulatory & Compliance team has comprehensive, legal and practical understanding of the regulatory background. This cross-discipline expertise enables Walker Morris’ data breach specialists to offer both proactive risk management advice, and to respond effectively and robustly in the face of any threatened data breach claim.
  EWHC 2500 (KB)
  UKSC 50 – See our briefing here
 Rolfe & Ors v Veale Wasbrough Vizards LLP  EWHC 2809 (QB) – See our briefing here
 Another recent example is the decision in Cleary v Marston (Holdings) Ltd  EWHC 3809 (QB) which saw a low value data breach case transferred from the High Court to the Small Claims Track in the County Court. See our briefing here
 General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016)
 para 101
  EWHC 2168 (QB) – See our briefing here
 See Walker Morris’ publication on how organisations can protect themselves against data breach litigation here