By Hans Allnutt & Adele Newton

|

Published 29 November 2021

Overview

The last month  has seen significant  decisions in the world of data breaches which will be welcomed by the legal profession and their insurers.

The first decision of Lloyd v Google LLC [2021] UKSC 50 must be one of the most publicised cases of recent times.

On 10 November 2021, the Supreme Court held that in order for a claim for compensation to succeed under Section 13 Of the Data Protection Act 1998 (the ‘Act’), a Claimant must demonstrate more than a mere breach of the Act, but also that damage has been suffered. There is no automatic right to compensation. The damage suffered must be material damage.

In order to assess compensation under section 13, it would be necessary to consider matters such as what period of time Google tracked individuals, the quantity and nature of data captured, how that data was used and what commercial benefit there was to Google in processing it. In the absence of any evidence of any of these matters, it was held that an individual is not entitled to compensation.

The decision is favourable to defendants in a number of respects, but perhaps most notably because how the Court has sought to restrict the ability of claimants to seek damages for “loss of control” of their personal data, without having to prove any material damage or distress. The metaphorical floodgates of data protection class actions have been held shut by the Supreme Court. However, the decision is, to some extent, contrary to the direction of travel in other jurisdictions although it will come as a welcome relief to organisations of all sizes, and their insurers. Given the frequency and breadth of cyber incidents which organisations suffer, and privacy laws they can fall foul of, from malicious cyber-attacks to the unintentional misuse of cookies, it is difficult not to overemphasize the significance of this judgment.

Hot off the coattails of the above case, we acted for the successful Defendant in Johnson v Eastlight Community Homes Ltd [2021] EWHC 3069 (QB) in which a claim was struck out by the High Court’s Media and Communications Section.

In this case, the Defendant mistakenly sent a compilation of rent statements relating to a number of its customers to a third party by e-mail which included the Claimant’s personal information. The Defendant faced a claim for damages for a number of breaches including the misuse of private information, breach of confidence and breaches under the ECHR and GDPR.

Master Thornett struck out all claims save for the GDPR claim and directed that the remaining claim be dealt with in the appropriate forum, the County Court, on the basis that it had “all the hallmarks of a Small Claims Track claim that should have been issued in the County Court and so allocated”. Master Thornett made it clear that the “lure of adopting a more elaborate and more expensive approach just because the subject matter can so permit is simply unacceptable”.

As a consequence, the High Court has given a clear decision that breach of confidence, misuse of private information and other causes of actions that are advanced in low-value data breach claims are simply collateral to a GDPR claim, are likely to obstruct the just disposal of proceedings, and take up a disproportionate and unreasonable amount of Court time and costs. The High Court’s direction is that claims such as these ought to be allocated to the Small Claims Track in the County Court. The fixed costs regime of the Small Claims Track ought to, therefore, apply to any similar data breach claim.

This decision, therefore, drastically reduces the cost exposure faced by defendants in low-value data breach claims. At the same time, it still preserves access to justice and the right for claimants to pursue a remedy from the Court, albeit within the confines of the Small Claims Track. All organisations, not only solicitor firms facing similar low value claims will welcome this finding.

Authors