The High Court has handed down judgment in Warren v DSG Retail Ltd [2021] EWHC 2168 (QB) providing much needed clarity on claims against data controllers where data has been exposed as a result of the unlawful actions of third parties.
Background
The Claimant brought a low-value claim against DSG Retail Ltd ("DSG") following an incident in which cybercriminals compromised the personal data of DSG's customers. The Claimant alleged breach of data protection principles, negligence, breach of confidence and misuse of private information. We note that there was no claim for financial loss or personal injury and damages were only sought in respect of distress.
The Defendant successfully applied for summary judgment and/or an order striking out all causes of action save for the claim for breach of statutory data protection principles.
The Court held that:
- a claim in breach of confidence and/or misuse of private information cannot succeed without "use" or "misuse" of the information by the Defendant and made it clear that a failure to secure data (i.e. an omission or a failure to act) is not "use". Since neither breach of confidence nor misuse of private information impose a data security duty, both of these claims were struck out.
- the claim in negligence failed because (i) there was no need to impose a duty of care where there were already statutory duties in place; and (ii) there was no claim for personal injury.
Due to the low value nature of these type of data claims, they typically settle prior to proceedings being issued, resulting in little guidance being provided by the High Court. In light of the decision in Warren v DSG, it now seems clear that the High Court will strike out claims which attempt to shoehorn the facts of an alleged data breach into various other causes of action. Claimants alleging a breach of their data rights arising out of a hacking incident should therefore take note and narrow the issues in dispute before engaging with the other side.
The decision will be welcomed by defendants due to the potential costs implications arising out of the dismissal of both the breach of confidence and misuse of private information claims.
Claimants in low value data claims often purchase ATE insurance as costs protection, sometimes as soon as instructing solicitors. Whilst ATE premiums are typically not recoverable in data protection claims, they can be recoverable for Misuse of Private Information and Breach of Confidence claims. By pleading both of these causes of action alongside their data claims, claimants try to manoeuvre Defendants into factoring in their ATE premiums when assessing costs liability for settlement.
Going forward, claimants will need to carefully consider whether it is cost effective to purchase ATE insurance ahead of bringing a low value claim for breach of data rights - particularly where the breach occurred due to a hacking incident.
