A move away from trivial data breach claims?

A summary judgment decision in the High Court held that damages did not meet the de minimis threshold in a case where a single data breach was quickly remedied. As a warning to Claimants, the claim was criticised for being “plainly exaggerated” and inappropriate.

Summary

Master McCloud ruled in Rolfe & Ors v Veale Wasbrough Vizards LLP [2021] EWHC 2809 (QB) that in a data breach claim, the Claimant must establish that they have suffered material or non-material loss resulting from the data breach, which is above a de minimis threshold before awarding compensation. A welcome judgment as it clarified that in trivial claims of distress or damages, the law would not supply a remedy where no harm has been shown or is likely to be displayed.

Background

The Defendant, a firm of solicitors, represented a school that the Claimants owed money to. The school instructed the Defendant to send a demand for payment. On 17 July 2019, the Defendant, in error, sent an email attaching a statement of account to the wrong person. The recipient of the email swiftly responded, informing the Defendant that the email was wrongly delivered and, subsequently, confirmed the deletion of the email.

Claim

As has become somewhat common in some seemingly minor data breach claims, the Claimant claimed damages for:

• Misuse of confidential information;
• Breach of confidence;
• Negligence;
• Damages under s82 of the GDPR and s169 of the Data Protection Act 2018;

Plus a declaration and an injunction, interest and further or other relief.  

Since the GDPR came into force in 2018, we have seen an increase in compensation claims. Often the nature of the breach is trivial and the compensation claimed appears high. The legal costs in such claims can exceed any damages recovered upon success.

Summary Judgment Application

The Defendant applied for a summary judgment under CPR Part 24, requesting a dismissal of the claim as the damage suffered by the Claimants did not satisfy the de minimis threshold.

The basis of the Defendant’s summary judgment application was:

1. The nature of the breach and the information – the email in question contained minimal significant information and no information concerning bank details or medical matters.
2. The circumstances of the disclosure – the Defendant accidentally disclosed an encrypted email to only one individual. The individual notified the Defendant of the error the same day and confirmed that they deleted the email.
3. No tangible harm or loss is pleaded or plausible – in a witness statement by the solicitor for the Claimants, inferences were made that phishing phone messages were targeted at the Claimants as a result of the incident. This had not been pleaded and was not plausible. Similarly, a claim for time spent dealing with the incident, as set out in the same witness statement, was also not pleaded, not plausible and exaggerated.
4. No real loss of control of personal data – this means something more than one third party briefly having access to low-level personal information and confirming deletion. The Defendants relied on the Court of Appeal judgment in Lloyd v Google LLC.

The Claimants position was that it could not be ascertained the extent to which information had reached third parties and that the information in question was not banal. They emphasised that this was a factual dispute and there was a reasonable prospect of success in showing that loss crossed the de minimis threshold and therefore should be an issue for trial, not for summary judgment.

Judgment

Master McCloud noted that it was common ground between the parties that, in principle, damages were recoverable for breaches of data protection and misuse of private information, including the distress caused devoid of pecuniary loss (see Vidal-Hall v Google [2016] QB 1003). Similarly, in Lloyd v Google, it was emphasised that “it was not in dispute that in principle loss of control of personal data can constitute damage”. Sir Geoffrey Vos made it clear that the threshold of seriousness would exclude a claim for damage for an accidental one-off data breach that was quickly remedied.

The test for summary judgment is that the claim has no real prospect of success. Master McCloud stated that in this case, the question was a simple one: “given the nature of the breach and the nature of the information and the steps taken to mitigate the breach, and the material before me, is it more than fanciful to suppose either that actual loss has been suffered or that distress has been suffered above a de minimis level”. He found no credible case that distress over a de minimis threshold will be proved and observed that no person of ordinary fortitude would reasonably suffer the distress claimed.

Comment

TLT and Others V The Home Office [2016] 2217 (QB) examined both the legal principles that the Court will use to assess damages in privacy cases and demonstrated how the Court will analyse the strengths and weaknesses of evidence supporting damages for distress. It also established that the threshold for damages for a data breach claim is based on the de minimis principle.

Rolfe guides how the de minimis principle will apply in practice and clarifies that the Courts will not award damages to trivial data breach claims. This approach is reassuring to businesses, confirming that the Court will not simply award damages where no real distress has been caused, and the business has taken steps to remedy the error promptly. The Supreme Court has now issued its judgment in Lloyd v Google, and noted on a number of occasions that damages must be more than trivial in order for a claim to be successful.

We wait to see if these judgments result in a significant fall in the number of data breach claims.