Trivial data breaches – The High Court’s firm stance on meeting the threshold

Those of you familiar with litigation will be aware of the overriding objective, a principle so important to the Court and litigators alike that it is enshrined as the first rule in the Civil Procedure Rules (CPR) (the rules which govern court procedure). For those who are not so familiar, it states at Part 1.1:

‘These Rules are a new procedural code with the overriding objective of enabling the court to deal with cases justly and at proportionate cost.’

The Rules go on to elaborate on this in the remainder of Part 1.1 and deal with what is meant by proportionate cost and the approach that the court must take to them at CPR Part 44.3(5). Here it is stated that:

  1.    the sum in issue;
  2.    the value of any non-monetary relief;
  3.    the complexity of the litigation;
  4.    any additional work generated by the paying party’s conduct; and
  5.    any wider factors involving the proceedings such as reputation or public importance;

are all to be taken into account in assessing proportionality.

In a similar vein, the court can apply what is often called the de minimis rule where the loss claimed is so small in scale or has such a negligible impact, that it dismisses the claim as trivial.

We have recently commented on the outcome of the high-profile case of Lloyd v Google; however, there are various other cases that, although less high-profile, are worth considering.

In Johnson v Eastlight [2021] EWHC 3069, a social housing provider mistakenly sent a bundle of rent statements which related to the Claimant, Mr Johnson, and other customers, including their names, email addresses and rent payment information, to the wrong recipient. The Claimant’s information was on pages 880 to 882 in a document amounting to almost 7,000 pages. The Defendant, after being informed by the recipient of its mistake, asked the recipient to delete this information, which it did shortly afterwards (and within three hours of the email being sent).

The Defendant reported the breach to the ICO (who subsequently confirmed no action was required) and also informed the Claimant, apologising and telling them it had been reported to the ICO.

The Claimant issued a claim for misuse of private information, breach of confidence and also negligence, based on the Claimant’s distress and concern that the information would have somehow become available to her former partner. This was criticised by the High Court as the Claimant had issued a publicly identifiable claim without taking steps to hide any of her personal information. For example, her contact details were included within the Claim form, and she was not ‘ex-directory’. This therefore contradicted her alleged concerns. The Claimant was seeking £3,000 in damages, and costs of £50,000. In the High Court’s view, costs of £50,000 for a claim with a value of £3,000 diminished the genuineness of the Claimant’s distress and instead shed light on procedural abuse.

The High Court were clear: claims with a value of less than £100,000 should not be issued in the High Court; the Small Claims court is the appropriate forum. Despite the Defendant’s application for the claim to be struck out, the High Court were mindful that the Courts should provide a remedy to any litigant where they can, and it therefore opted to transfer the claim to the County Court, stating that “this very modest claim can and should proceed, but be concluded elsewhere.”

In Rolfe v Veale Wasbrough Vizards LLP [2021] EWHC 2809 (QB), the Defendants (acting on behalf of the Moon Hall School Educational Trust) sent a single email to the Claimant on 17 July 2019 with a demand for overdue payment. Due to a single character error in the Claimant’s email address, the email and statement of account were sent to a recipient with an identical surname and the same first initial of their forename. The recipient (unknown to the Claimants) responded the same day confirming the email was not for them. The following day the Defendants requested the deletion of the email, which the recipient confirmed within 2.5 hours. The Claimant issued a claim for damages for misuse of confidential information, breach of confidence, negligence, and damages under s82 of the General Data Protection Regulation ((EU) 2016/679) and s169 Data Protection Act 2018, plus a declaration and an injunction, interest and further or other relief.

The High Court confirmed that the Claimant cannot have suffered damage or distress above a de minimis level, and analysed the nature of the personal information in question, together with the manner in which it was disclosed to the wrong recipient.

They determined that the information was not of an intimate nature, having only contained financial details in the form of a single invoice for the school fees, containing information which was publicly available on the school’s website. They also noted that the statement itself did not disclose any information whatsoever, other than that one payment was due and owing, which was more a matter of fact and did not disclose anything that identified why the account was in its current position. Furthermore, given the speed with which the information was deleted by the recipient, the High Court found that there was no reason to think that they did not act in good faith or that the incorrect recipient even read all of the documents in any detail, and there was therefore no tangible harm or loss as there was no real loss of control of the personal data.

The High Court confirmed that the incident, whilst unfortunate, did not exceed the de minimis threshold and it was swiftly remedied. The High Court struck out the claim, stating that there is no good reason for a trial, as the breach was a trivial one. The High Court strongly cautioned against bringing such claims to the High Court, commenting that “the law will not supply a remedy in cases where effectively no harm has credibly been shown or be likely to be shown”. The High Court also ordered the Claimant to pay £11,000 of costs to the Defendant.

In the case of Ashley v Amplifon Ltd [2021] EWHC 2921 (QB), the Defendant, a provider of hearing aids, employed the Claimant as a qualified Hearing Aid Audiologist. The breach in this case concerned the disclosure of the Claimant’s contract and terms of employment.

On 21 February 2020 the Claimant made a request for a copy of his terms and conditions of employment. On 26 February 2020, the Defendant’s human resources department sent an email, with various contractual documents belonging to the Claimant, to a person with an identical first name, who was also an employee of the Defendant and in the same field, albeit in a different office. According to the Claimant, on 28 February 2020, the recipient emailed the Claimant directly confirming receipt of his documents, which caused the Claimant shock and upset, as he did not know whether the incident was isolated or widespread. The Claimant’s position was that he had heard nothing further other than an email from the Defendant on 28 February 2020, confirming the recipient had deleted the information and the matter had been recorded by the Data Protection Officer. The recipient had confirmed to the Defendant on the same day that they had deleted the documents (as requested by a phone call with the HR department) and confirmed he had not even opened them.

The Defendant made an application to have the claim struck out and/or for summary judgment, based on the negligence claim lacking injury, loss or damage, and asserting that there was no breach of confidence – points that the High Court agreed with on the basis that the incorrect recipient swiftly remedied the situation, and that they were confident the de minimis threshold had not been exceeded. The High Court noted that this was a one-off data breach swiftly remedied (referring to the Lord Chancellor’s words in Lloyd v Google).

The High Court concluded that these factual errors and trivial breaches should be dealt with in the County Court, since the right to litigate even for modest sums, and to vindicate rights, should be included in the general access to justice.

The stance taken by the High Court in all of these cases is helpful for data controllers. The High Court has been clear: any claims with a value of less than £100,000 should be presented in the appropriate forum, in these cases the County Court, and using the appropriate track, i.e. the Small Claims Court, and the responsibility of knowing the procedure should remain the Claimant’s. These cases also encourage Claimants to think about the seriousness of the breach, and reinforce the fact that not every minor breach is one which would lead to a big payout in damages. This assists data controllers in combatting what appears to be an increasingly common misconception that relying on a minor breach of data protection is going to be an easy win for Claimants, and provides clarity in an age where technology is continuously advancing and data protection is crucial. This, when also considered in light of the Supreme Court decision in Lloyd v Google, starts to show the real limits on claims made by data subjects.

Expert
Graham Mead
Partner
Emma Loveday-Hill
Partner