At our annual Data Protection and Cyber conference on 10 November 2022, we provided an update on where we are now, and what the future holds for the field of low-value privacy claims.
The recent Judgments mark a slight reduction in the rights of individuals to bring compensation claims for data security breaches and privacy violations. Whilst on its face this may seem unfavourable to individuals wishing to bring claims, it is notable that these cases relate to those claims with the lowest merits, but highest costs. Because these cases still preserve the right for an individual to bring a claim, but heavily impact recoverable legal costs, they represent a greater loss to the claims industry than individual freedoms.
The last 20 years has marked an exponential growth in compensation claims following data breaches and privacy violations. The term “exponential” is a fair description because the first fifteen years saw such a slow growth, but once certain legal principles were established and legislation introduced, the number of claims began to soar.
Two critical moments in the last twenty years were the recognition by the Courts that individuals could bring claims as long as they could show they had at least lost control of some personal data or that their damages were above a de minimis threshold. Furthermore, because these principles were developed in claims against the media, they also benefitted from the carve-out from litigation funding and cost protection reforms that permitted claimants to bring claims with defendants bearing most of the cost risk. The main protection came in the form of the purchase of after-the-event (ATE) insurance premium, with the premium being recoverable from the Defendant.
A further critical moment was the introduction of GDPR which provided for the right to bring claims for material and non-material damage with no specific provision that a financial loss needed to be shown (as was required under the old legislation1) or a de minimis threshold to be exceeded.
By 2020, any claim for a breach of privacy or GDPR could potentially be presented as a claim for compensation with no risk of adverse costs rules given the protection of ATE insurance. When combined with the newly developed pre-action protocol for Media and Communications claims (the Media and Communications List), this led to a wave of volume data breach and privacy claims being brought in the High Court, without regard for their merits, complexity or value.
A run of cases in 2020 and 2021 sought to at least address the complexity argument by stripping out the common law causes of action and leaving only the GDPR claims. The first case to move the dial was Warren v DSG Retail (Dixons) [2021]2 where the Court found that the hacker had misused the Claimant’s private information rather than the Defendant. The removal of this cause of action (and also the breach of confidence claim) also removed the exemption from ATE insurance reforms and the possibility of recovering ATE insurance premiums in low-value data breach claims for hacking claims. Subsequent cases extended this to non cyber-attack cases.
Nonetheless, individuals could still bring claims in the High Court, adding complexity and cost, for sums that were not insubstantial (because of the available quantum caselaw, such as TLT v Home Office [2016]3, had provided for awards of between £2,500 and £12,500).
The next stage for judicial clarification was set and 2021 was the year that the playing field was finally levelled by the Courts in England and Wales.
Johnson v Eastlight Community Homes Limited [2021]4 in which our team acted, provided a decision that was clear in that low-value data breach claims ought never to have been issued in the High Court and should instead be issued in the County Court and the appropriate allocation is the Small Claims Track.
The case of Cleary v Marston (Holdings) Limited [2021]5 formalised the position with the more assertive Judgment that these claims should be allocated to the Small Claims Track in the County Court. The Small Claims Track would remove any recovery of costs and limit Claimant costs to a significant degree.
On quantum, Driver v CPS [2022]6, provided the much welcomed clarity for damages awards at the “lowest end of the spectrum” for “modest distress” are £250. This is a significant reduction on previous cases where the low threshold for distress was at least four figures.
In parallel, the EU has also been grappling with similar issues. 2022 saw the first Advocate General’s Opinion7 as to whether GDPR claims have a de minimis threshold. This case related to the use of the Claimant’s data without his consent, resulting in a claim for violation of the law. The Court opined that there needs to be a claim for a breach of the law that is accompanied by actual damage and that basic levels of distress were not sufficient to bring a claim. The Opinion, which mirrors that of recent decisions in the UK, notes that “mere upset”, “feelings of displeasure”, “inconvenience” or “annoyance” are not sufficient to claim damages. Claimants must accept that certain inconveniences resulting from infringements of the GDPR are “an inevitable corollary or life and society”.
So where does this bring us?
Low-level data breach claims should never be brought in the High Court and arguably should only be allocated to the Small Claims Track. As a starting point, this significantly removes the financial protections around a Claimant bringing a claim of limited merit. The potential to recover ATE insurance premium and therefore protect against losing an unmeritorious claim, has been removed. This has arguably resulted in a 95%8 drop in issued claims in the High Court.
In order to bring claims in the High Court, claimant law firms could seek to aggregate claims to a sufficient value in order to qualify their action for that Court. Therefore, unless claimant law firms are able to acquire sufficient claims from a breach, arguably those claims will not be pursued. Breaches that affect only one individual may find it harder to find representation.
With more cases directed to the County Court, we will unfortunately not receive as many published decisions as we have in the past. There remains a key battle ground as to whether certain claims should be allocated to the Small Claims Track or remain in the Fast or Multi-track. Arguments around whether expert evidence makes a claim more complex or indeed specific types of damage are being advanced, but the merits are still to be determined.
We, therefore, think that there will be a greater due diligence process applied to new claims being brought by a claimant law firm. Strategies are evolving, for example, whether claims should be presented as personal injury claims rather than data breach claims and therefore, placed within the personal injury portal.
So whilst we anticipate a drop in low-value data breach claims volume, certainly litigated claims, we do not see data breach claims going away.
1Although see Vidal-Hall v Google Inc (CA) Reference: [2015] EWCA Civ 311 which had already ruled this provision unlawful.
2Warren v DSG Retail Ltd [2021] EWHC 2168
3[2016] EWHC 2217 (QB)
4[2021] EWHC 3069 (QB)
5[2021] EWHC 3809 (QB)
6[2022] EWHC 2500 (KB)
7UI v Österreichische Post (Case C-300/21)
82021 against 2022 filings in the High Court Media and Communications List
