Companies are increasingly faced with compensation claims made under the UK GDPR for low-level accidental data breaches. This article addresses compensation in such cases, when compensation is not due because the breach is trivial, and how to limit costs by transferring claims from the High Court.
Compensation and the de minimis threshold
The UK GDPR (and its statutory predecessors) allows for a claim to be made for compensation for damage caused by its contravention, including accidental breaches. In this context, ‘damage’ has a broad meaning which goes beyond material loss, and covers non-material harm, including distress and loss of control over personal data.
TLT v Secretary of State for the Home Department [2016] EWHC 2217 (QB) remains good guidance as to damages awards in accidental disclosure claims. In that case, damages totalling £39,500 were awarded to six asylum seekers whose confidential information (in the form of a spreadsheet about ‘the family returns process’) was accidentally published online and then republished on a document sharing site. This caused shock and distress among the claimants. No distinction was made between privacy and data protection damages and they were assessed in the round, with a view to compensating for the distress the individual could justifiably have felt due to the disclosure and for loss of control.
Mr Justice Mitting found the publication was a misuse of private information and a breach of the Data Protection Act, awarding £12,500 (x2), £6,000, £3,000 (x2) and £2,500. Mitting J heard no evidence on psychiatric injury, but looked to awards in such cases by way of comparison.
Lower awards will be appropriate where the breach is less serious.
Particularly in low-level data breaches, the question of whether compensation is payable at all may arise. Distress must be reasonable in the circumstances, and claimants must also show that the de minimis threshold has been reached. As was noted by the Court of Appeal in Lloyd v Google [2019] EWCA Civ 1599, that threshold would exclude a claim for damages over an accidental data breach that was a one-off and quickly remedied.
Claims brought in the High Court
Data breach claims are commonly (though often not appropriately) issued in the High Court. This can lead to a situation where a claim, capped at a few thousand pounds, is dwarfed by legal costs. Indeed, one claimant firm has issued over 150 separate claim forms in the Media and Communications List of the High Court for such low-level breaches this year alone (frequently with damages capped at £5,000 or under). Often such claims also include additional causes of action, such as misuse of private information and breach of confidence (which allow for recovery of an ATE premium if successful).
Transfer and track
Data breach claims may be issued in the County Court or High Court, but should only be issued in the High Court if their financial value, complexity or public importance warrants it. The fact that the claim is for a data breach and so would fall under the Media and Communications List if issued in the High Court is not by itself sufficient reason to bring a claim there. The court may, of its own volition, transfer claims to the County Court under Practice Direction 7A. However, Defendants should also consider applying to transfer such claims to the County Court if this does not occur. As set out above, a real risk of a low-level data breach claim proceeding in the High Court is that while any eventual damages may be low, costs sought by a claimant will be far higher.
The High Court has the power to transfer claims to the County Court under s.40(2) of the County Courts Act 1984. Masters of the Queen’s Bench Division are increasingly transferring data breach claims to the County Court (and awarding costs to the applicant) for low-level compensation claims. The factors to consider for transfer are set out under CPR 30.3(2).
The key factors in a data breach case will most often be (a) the financial value; and (b) the complexity of a case. Media and Communications claims are typically (relatively) low value and the usual £100,000 value requirement for High Court claims is disapplied in respect of them.
The complexity of proceedings may mean that the High Court is an appropriate venue, but this will be fact sensitive. However, the court will keep in mind the question of proportionality to any damages and whether any other non-monetary relief is sought. Certainly, in circumstances where: (a) there is no substantial dispute as to fact; (b) liability is admitted; and (c) damages are capped at a low level and the only real question is quantum, the High Court will likely transfer the claim to the County Court.
Claims transferred to the County Court may also be appropriate for allocation to the small claims track. This has the benefit for defendants, certainly for claims where liability is admitted, of being a cost-free jurisdiction. Mr Justice Warby (as he was then) in Ameyaw v McGoldrick [2020] EWHC 3035 (QB) noted that for a claim over non-compliance with a subject access request the High Court was not “even arguably the right forum” for such an action. The proportionate means of disposing of it was to transfer the matter to the small claims track of the County Court. The actual allocation of a claim is ordinarily left to the County Court.
Cyber-attacks and ATE premiums
One species of inadvertent data breach considered recently is that of a cyber-attack. Mr Justice Saini found in Warren v DSG Retail Limited [2021] EWHC 2168 (QB) that misuse of private information and breach of confidence will never be appropriate causes of action in the event of such a breach. The only question is whether the security of the data was sufficient. In a data breach claim arising from a cyber-attack, therefore, an ATE premium would not be recoverable by a claimant.
Conclusion
All companies that have suffered an inadvertent data breach should be alive to the potential risks that arise from claimants inappropriately issuing in the High Court. The law in this area is also fast developing. The Supreme Court is due to hand down its judgment in Lloyd v Google which will reconsider loss of control damages. Further, following the recent increase in claims, it can be anticipated that there will be first instance judgments providing guidance on the de minimis threshold in the near future.