Data breach litigation – more difficulty for Claimants following Lloyd v Google

View our previous update here.

What happened?

The Defendant in this case was a social housing provider. The Claimant, Ms Johnson, was one of its tenants. On 1 September 2020, the Defendant sent an email attachment to a third party which inadvertently included the Claimant’s name, email address, and details of recent rent payments she had made. Notably, the Claimant’s details appeared at pages 880-882 of a document which was almost 6,941 pages long. The obvious inference was that the third party would not even have read the Claimant’s personal information.

Moreover, the third party, as the sole recipient of the email, immediately notified the Defendant of its error by telephone and was asked by the Defendant to delete the email. Within 3 hours of the email being sent, it was deleted by the third party.

Nevertheless, the Claimant proceeded to instruct solicitors who sent a letter before action and later issued proceedings in the High Court, seeking damages limited to £3,000. The Claim Form indicated that she was seeking relief for “Misuse of Private Information, Breach of Confidence and Negligence, together with damages for breach of Article 8 ECHR rights as incorporated in the HRA 1998 as well as damages pursuant to Article 82 GDPR and damages pursuant to section 169 of the Data Protection Act 2018.”

The Claimant indicated that she had suffered distress because she had previously moved address to escape an abusive relationship, and which meant that she was extremely concerned about the prospect of her address becoming public knowledge as a result of the inadvertent data breach.

What steps did the Defendant take?

The Defendant had quite sensibly admitted that sending the attachment was a mistake, made by human error. It had emailed the Claimant to (i) inform her of the error and the fact that the recipient had deleted the information (ii) apologise and (iii) state that the matter had been reported to the Information Commissioner’s Office (albeit it did not accept that strictly it had been necessary to make such a report). The ICO later confirmed that no action was required or would be taken as a result of the inadvertent data breach.

The Defendant therefore took the view that the claim was effectively an abuse of process because of its very limited value. It applied to strike it out and/or for summary judgment, in an attempt to deal with the claim quickly and without the need for a full trial.

The Defendant denied that the Claimant was entitled to any damages and described the inadvertent disclosure as a purely technical breach of the Article 5 of the GDPR, which requires data controllers to process data in a manner that ensures appropriate security of the personal data (the ‘integrity and confidentiality’ requirement).

It is well established that there is a threshold of seriousness, below which any claim for damages for a breach of an individual’s personal data rights cannot succeed. That threshold has been held to “undoubtedly” exclude, for example, a claim for damages for an accidental one-off data breach that is quickly remedied. However, in this case the Claimant and her lawyers)maintained that the £3,000 claimed by her was realistic.

What was decided?

The High Court ruled that, “despite an initial impression of sophistry”, the Claimant’s claim was a very straightforward one. The judge was critical of how the claim had been described by the lawyers acting for the Claimant and struck out all elements of the claim as noted above, except for the claim for the breach of the GDPR.

In relation to that part of the claim, the Master decided that there was no basis for the claim to have been issued in the High Court, which he noted was reserved for matters where the claim value is more than £100,000 or where the claim involved a developing area of law (as opposed to the County Court, where lower value and more straightforward claims are pursued).

The Claimant had tried to argue that her claim was nevertheless appropriately issued in the High Court. The benefit to the Claimant of this approach was that she would, on the face of it, have been entitled to recover her legal costs from the Defendant if her claim had proceeded in the High Court and had been successful. The Claimant’s lawyers had indicated that she expected to spend £50,000 in legal costs to pursue the claim to a trial. The Master considered this approach to be “abusive”, noting that:

“No serious privately paying litigant would contemplate spending over £50,000 in costs, not all of which may prove recoverable even in the event of success, and similarly expose themselves to the risk of a significant adverse costs order following High Court litigation if unsuccessful, for a damages claim less than £3,000. The presentation and processing of this case to-date in this forum has, I am satisfied, constituted a form of procedural abuse.”

The Court did not strike out the claim entirely, but transferred the claim to the County Court to be dealt with on the small claims track (where, in almost all cases, even a successful Claimant will not be entitled to recover anything other than very modest legal costs from a Defendant). The claim will therefore be decided at a small claims hearing, where a District Judge will form a view as to whether the Claimant is entitled to either “purely nominal or instead extremely low damages”.

One of the factors that will be considered, the Master noted, is the fact that the Claimant’s address was also available online on the BT Phone Book website and 192.com. She had not, for example, been so concerned about her personal data as to elect for her details to be ex-directory. On any view therefore, the Master noted that the claim was always bound to be worth very little.

What does this case show?

The judgment is a further blow to claimant lawyers pursuing claims arising out of data breaches. The law in this area is now well settled. It remains the case that claimants are entitled to pursue modest claims for damages where they can show financial harm or distress has been suffered, but those claims will need to be issued in the County Court. Where the value of such claims is below the small claims threshold of £10,000, as will be the case in most circumstances, Claimants will have to pursue those claims without instructing lawyers (or otherwise bear the costs of pursuing those claims personally).

As such, this decision is once again helpful to data controllers facing such claims. Whilst the priority for controllers should always be to avoid personal data breaches in the first place, where claims do arise controllers should be increasingly well placed to resolve them at an early stage by making sensible offers to pay appropriate compensation (where that is merited), without the further worry of having to pay a complainant’s legal costs in addition.

If you find yourself in a situation where you need advice on contentious data protection matters, including as to when offers of compensation should be made and how they should be pitched, our team of commercial dispute lawyers will be delighted to help. Contact one of our specialists to find out more.