Responding to Data Protection Claims - The Turning of the Tide?

on Thursday, 12 May 2022.

Has the tide now turned for data protection litigation? We consider the changing position and the reasons for it - which will hopefully provide all businesses with some comfort and pause for thought when responding to claims.

When the GDPR came into force four years ago, the rights of individuals to control their data were strengthened and the obligations imposed on data controllers were increased. Since then, we have seen an unprecedented number of data protection claims in the High Court's Media and Communications List. In 2021, the judiciary delivered several decisions that changed the landscape in this area of litigation. Presumably as a consequence, in 2022 we have seen the number of these types of claim being issued start to decline.

Common Features of Data Protection Litigation

  • Templated, long, and overly complicated pre-action protocol letters quoting various causes of action, such as breach of the UK GDPR, breach of the Data Protection Act 2018, breach of the Human Rights Act 1998, breach of confidence (BC) and misuse of private information (MPI). This 'kitchen sink' approach has been criticised for unnecessarily complicating matters. The inclusion of BC and MPI claims is often tactical, to enable claimants to recover after the event (ATE) insurance premiums (purchased to protect against the claimant being ordered to pay the defendant's costs) because these are recoverable in publication and privacy proceedings, but not in pure data protection claims.
  • Claimant law firms advertising their services offering to act on a no win no fee basis in respect of data claims. This, combined with the ability to obtain ATE insurance and potentially recover the premiums, creates a market for claimant lawyers to promote litigation on the basis of limited risk to the claimant.
  • The level of costs sought by claimant law firms is usually the main hurdle for resolving claims, often exceeding the amount of damages sought even at a very early stage. Despite this, the level of ATE insurance cover obtained is often nowhere near sufficient to cover the actual costs likely to be incurred by a defendant, although clearly this is a double-edged sword, as the greater the cover, the greater the premium.
  • Proceedings are often issued in the High Court's Media and Communications List, despite low levels of damages. Claimant lawyers may argue these cases must be dealt with in the High Court, but that is simply not correct. The tactical aim is to avoid claims being dealt with in the County Court, where far lower costs are generally recovered (and if claims are allocated to the small claims track, costs (save for very limited fixed costs) are not recoverable at all). This is significant in light of the no win no fee arrangements commonly in place between claimant lawyers and their clients in these claims. However, the Courts are becoming more alert to this and in Ameyaw v PWC and others [2020] EWHC 3035 (QB) (a claim regarding, amongst many other things, a breach of the Data Protection Act 2018 for failure to comply with a subject access request), Mr Justice Warby said he did not consider the High Court to be "even arguably the right forum for this claim which can only have the most modest value. The proportionate means of disposing of this claim is to transfer it to the County Court, for resolution (I would think) in the small claims track."
  • The irrecoverable element of legal costs associated with litigation (even if a claim is successfully defended) means that, from a pure 'balance sheet' perspective, it is often more cost effective for defendants to seek an early settlement than to fight these claims. Claimant lawyers are well aware of this.

The industry that has been formed around this is only likely to stop once the risks become too much for claimant lawyers (in terms of not recovering their costs) and for the ATE insurers (in having to pay out). Thankfully, a number of recent claims may well have started having that effect.   

Change in the High Court's Approach

The High Court has recently started to take a more restrictive approach to data protection claims. Whilst the importance of protecting people's data cannot be undermined, there is recognition that in modern day life where storing and communicating data electronically are the norm, mistakes can and will happen and when minor breaches with no real consequence occur, it should not be easy for opportunistic claimants and lawyers to exploit and profit from them.

Some Key Decisions Prior to 2021

  • Vidal Hall v Google Inc [2015] EWCA Civ 31 - confirmation that damages are available under the Data Protection Act 1998 for distress alone.
  • Gulati and others v MGN Limited [2015] EWHC 1482 (Ch) - MPI claim in which victims of the Mirror Group's phone hacking scandal were awarded compensation including for the loss of their right to control the use of their private information.
  • TLT and others v Secretary of State for the Home Department [2016] EWHC 2217 (QB) - damages awarded to claimants (who were applicants for asylum or leave to remain) for mental distress suffered as a consequence of the Home Office inadvertently publishing their personal data online. This case is often quoted by claimant lawyers, overlooking the extreme circumstances which warranted awards (of between £2,500 and £12,500) as some individuals had been left fearing for their lives and safety following the data breach.
  • Lloyd v Google LLC [2019] EWCA Civ 1599 - a representative class action by Mr Lloyd on behalf of millions of iPhone users in connection with an alleged data breach regarding the Safari 'workaround' software installed by Google on some iPhones which enabled cookies to track users across websites to improve targeted advertising. The Court of Appeal held that individuals could, in principle, recover damages for mere loss of control of their data under the Data Protection Act 1998, even if no tangible financial loss or distress had been suffered.

Some Key Case Decisions Since 2021

  • Lloyd v Google LLC [2021] UKSC 50 - the Supreme Court reversed the Court of Appeal's decision, holding that while 'loss of control' damages were potentially available in relation to a claim for MPI, that was not the case for claims under s.13 of the Data Protection Act 1998 and in order to obtain compensation for such claims, each claimant would need to demonstrate wrongful use of their personal data and material financial loss or distress resulting from it. It is important to note this decision only considered the position under the 1998 Act, but there is a strong argument that the Court's reasoning would apply equally to the current legislation. If so, 'loss of control' damages will not be available simply for breaches of data protection law in situations where there has been no real loss or distress suffered. The Supreme Court also held that without 'loss of control' damages, a representative class action was not possible because not all individuals will have suffered the same loss or distress as a result of any given data breach and so individual assessment will be required. Pursuing claims via Group Litigation Orders or individual litigation remains an option where there are multiple affected individuals, but these routes are less attractive. The position in this regard is likely to be considered further by the Court in an ongoing claim involving TikTok.
  • Warren v DSG Retail [2021] EWHC 2168 (QB) - following a cyber-attack on DSG's systems in which the perpetrators gained card and other personal details (for which the ICO had issued a monetary penalty notice), Mr Warren issued proceedings against DSG. His claims for BC, MPI and negligence were all struck out (though the claim relating to a failure to have adequate security in place as required under the Data Protection Act 1998 was not). The High Court held that for both BC and MPI, there was a requirement for some form of 'positive conduct' by the defendant and neither the duty of confidence nor the right to privacy imposed a data security duty on data controllers. The 'positive act' was absent in this case, as DSG had been the victim of an attack and that, of itself, had not caused harm to Mr Warren. The High Court also confirmed that there was no tortious duty of care owed by DSG to Mr Warren in circumstances where a specific statutory regime (such as the regime under the Data Protection Act 1998) exists.
  • Rolfe v Veale Wasbrough Vizards LLP [2021] EWHC 2809 (QB) - this was a claim against our firm in which we secured the first reported decision confirming that damages are not available where no credible harm can be shown. In the Lloyd v Google case, the Court of Appeal referred to the need for a minimum threshold of seriousness to be met before damages should be awarded. Here, a single typographical error in an email address resulted in a letter relating to a debt claim containing a nominal amount of personal information being sent to an incorrect recipient. The incorrect recipient promptly responded indicating they had received the email in error and then at VWV's request confirmed the email had been deleted the next day. A claim was subsequently issued against VWV by the parties to whom the letter was addressed and their child. VWV was successful in its application for summary judgment, with Master McCloud concluding: "In the modern world it is not appropriate for a party to claim, (especially in the High Court) for breaches of this sort which are, frankly, trivial." Master McCloud was critical of the claimants, calling their claim "plainly exaggerated" with a "frankly inherently implausible suggestion that the minimal breach caused significant distress and worry or even made them ‘feel ill’". She said "In my judgment no person of ordinary fortitude would reasonably suffer the distress claimed arising in these circumstances in the 21st Century…."
  • Johnson v Eastlight Community Homes Ltd [2021] EWHC 3069 (QB) - in a claim concerning a social housing customer who was accidentally sent rent statements including details of numerous other customers, the claimant's approach to litigation (including the decision to issue proceedings in the High Court) was heavily criticised and the claim was transferred to the County Court. Master Thornett said "No serious privately paying litigant would contemplate spending over £50,000 in costs, not all of which may prove recoverable even in the event of success, and similarly expose themselves to the risk of a significant adverse costs order following High Court litigation if unsuccessful, for a damages claim less than £3,000. The presentation and processing of this case to-date in this forum has, I am satisfied, constituted a form of procedural abuse."
  • Stadler v Currys Group Ltd [2022] EWHC 160 (QB) - this case concerned consumer data stored in a TV that was sent for repair and later sold without the claimant's data being removed, resulting in an unauthorised film purchase being made through the claimant's Amazon account. Once again, the High Court made clear that it is not the appropriate forum for low value data protection claims. The claim was transferred to the County Court and recommended for allocation to the small claims track.
  • Ashley v Amplifon Ltd [2021] EWHC 2921 (QB) - in a case where an employer accidentally disclosed an employment contract to the wrong employee with the same first name, the High Court again transferred to the County Court "probably [to] the small claims track".
  • Ali v Luton Borough Council [2022] EWHC 132 (QB) - a social worker employed by the Council accessed a social care database to obtain sensitive information about the claimant which she then disclosed to the claimant's estranged husband (with whom she was in a relationship). The High Court applied the decision in Various Claimants v Morrisons Supermarkets [2020] AC 989 and held that the Council was not vicariously liable in the circumstances - by accessing the information in question the social worker had gone off on a frolic of her own. Despite having access to the data through her employment, the act of accessing the records was not done for reasons connected to her role and she knew it was wrong to do so.

What Are the Key Takeaways?

Data breach claims in respect of minor incidents with minimal data involved have sadly become very commonplace. Until recently, there had been little case law grasping the nettle in such actions. In modern day professional life, it is inevitable that from time to time something will be disclosed in error to an incorrect recipient and it is increasingly common for organisations to face claims against them, often with claimants seeing a one-off minor mistake as an opportunity to seek financial compensation in a situation where they have suffered only minimal (if any) loss or distress.

The above decisions will be causing claimant lawyers and insurers to take stock of their approach and will also offer data controllers some comfort. Where claims are for a genuinely serious breach, data protection legislation rightly gives individuals the ability to seek redress and most organisations will want to resolve the matter in a fair manner. However, the landscape seems to have shifted from one where it was previously worth 'having a go' at bringing a claim to one where trivial, exaggerated and opportunistic claims run the risk of not being entertained, and nor will the excessive costs incurred in respect of them.

The growing frustration with low value data protection claims being issued in the High Court with little or no attempt being made to demonstrate financial loss or distress is now very apparent. Whilst not all are being struck out, there is a strong message that such claims will usually belong in the County Court (and most likely in the small claims track) with the High Court venue being the exception, rather than the norm. Claimants will need to show actual financial loss or distress at the outset of their claim.

So, the tide does appear to have turned in 2021 and the early part of 2022 for data protection litigation, and we anticipate seeing that trend continue. Minor data breach claims are looking less and less attractive to pursue and we expect to see the number of these claims being issued continue to decline.

VWV has a wealth of experience and expertise in Information Law and regularly works for organisations defending data and privacy claims such as these.

If you would like to discuss a particular data protection claim, please contact Ben Holt on 07715 048666 or Rhiannon Lewis on 07384 813072 in our Litigation and Dispute Resolution team.