July
Weaver and others v British Airways plc [2021] EWHC 217
This July, British Airways (“BA”) settled its long-running class action dispute with a number of the 420,000 people affected by a 2018 data breach. The settlement terms remain confidential, although we do know that: (a) compensation has been paid to qualifying claimants; and (b) no admission of liability on the part of BA is included.
The ICO separately imposed a fine of £20 million upon BA last year for the breach (heavily reduced from the initial £183 million announced following representations from BA).
Key takeaways:
- Whilst not as common as in the United States, representative actions can occur in the English (and wider UK) courts and companies should be alive to the risks of this (although the scope for making such actions in respect of data breaches has been reduced by subsequent case law – see Lloyd v Google below).
- Even where claims settle, data breaches of this size can lead to litigation lasting several years and ultimately are highly likely to lead to some expenditure on the part of data controllers (whether in settlement fees or in legal fees, or indeed both). Taking action to prevent data breaches before they occur therefore remains the optimum solution.
Warren v DSG Retail Ltd [2021] EWHC 2168
This case concerned a claim of low value brought against DSG Retail Ltd (“DSG”) following a cybercrime-induced data breach, alleging breach of data protection law and confidence, negligence and misuse of private information on the part of DSG. DSG was, however, successful in its application for summary judgment and an order striking out all causes of action (except breach of data protection law).
It was held that claims in breach of confidence and/or misuse of private information cannot succeed without “use” or “misuse” of information by a defendant (which do not include omissions such as failures to secure data), whilst the claim in negligence failed because it was held that where statutory duties are in place, there is no need to impose a duty of care.
Key takeaways:
- Attempts to ‘augment’ what should be a clear claim for breach of data protection law with various other heads of claim are less likely to be successful.
- The decision limits the recoverability of After-The-Event (“ATE”) insurance premiums. It had been common for claimants in low-value data claims (typically claims for breach of confidence and misuse of private information) to purchase ATE insurance to cover their costs and to pressure defendants into settling (and into paying more money to settle), as defendants had to factor in ATE premiums when considering their costs liability. Since it is no longer clear that ATE premiums will be recoverable in such cases, claimants will need to give greater thought to purchasing this (particularly where cases involve data breaches), which may reduce the number of claims in which this tactic is deployed by claimants.
- Expected to impact the allocation of such claims, which have often recently been commenced in the Media and Communications Claims List of the High Court. Where significant damages relating to claims of misuse of private information and/or breach of confidence cannot be alleged alongside relatively small sums (if any) arising from breaches of data protection legislation, it may well be harder for such cases to avoid being allocated to the small claims track of the relevant county court (where, of course, it is not generally possible to recover costs).
August
Sanso Rondon v LexisNexis Risk Solutions UK Ltd [2021] EWHC 1427
This case concerned whether representatives appointed under Article 27 of the GDPR (“Representatives”) can be held liable for the breach of the respective data controller.
An individual claimant brought a claim against LexisNexis Risk Solutions (the designated Representative of U.S. company World Compliance Inc. (“WorldCo”), the controller of a database containing millions of individuals’ profiles), arguing that WorldCo’s processing of his personal data to produce such a profile was in breach of the GDPR. Conversely, the defendant applied for the claim to be struck out (or alternatively for summary judgment) on the grounds that a Representative could not be held liable for the actions of a controller (from which the remedies sought needed to be obtained).
The court held for the defendant that no such liability existed, as (a) the GDPR would have referred to ‘representative liability’ “more clearly in its operative provisions” had it intended to impose this, (b) Representatives do not have power over controllers or processors “on a day to day basis over how and why data are processed”, and (c) the European Data Protection Board (“EDPB”) guidelines state Representatives are “not responsible for complying with data subject rights”. As such, the remedies sought could only be obtained directly from WorldCo.
Key takeaways:
- Confirmation that representatives are not liable for breaches by the data controller or data processor and remedies should be sought directly.
- Care is needed to ensure representative agreements are drafted appropriately and that parties understand the specific and limited responsibilities of the representative.
- It should be noted that the claimant has been granted permission to appeal and so this verdict may change in the future.
October
Rolfe & Ors v. Veale Wasbrough Vizards LLP [2021] EWHC 2809
In this case, the defendant sent an email including a limited amount of claimants’ personal data to a third party by mistake, and as a result, claims were brought against them for misuse of private information, breach of confidence, negligence, and breach of the GDPR and Data Protection Act 2018 (“DPA 2018”), with damages for distress and loss of control of personal data sought. The defendant admitted the error, but argued the incident did not exceed a de minimis threshold for harm.
It was held that, in relation to claims under the GDPR and DPA 2018, no remedy is available to claimants where “no harm has credibly been shown or [would] be likely to be shown” and that “in the modern world it is not appropriate for a party to claim (especially in the High Court) for breaches of this sort which are, quite frankly, trivial”.
Key takeaways:
- Claims for distress may need to pass a de minimis threshold, as it was held that in trivial cases “where a single breach was quickly remedied”, “no person of ordinary fortitude would reasonably suffer the distress claimed”.
- Also expected to impact the allocation of claims involving “trivial” breaches of data protection legislation, as the court made clear that the High Court was not the appropriate forum for these (see also Warren v DSG Retail Ltd above).
November
Lloyd v Google LLC [2021] UKSC 50
Mr. Lloyd brought a claim against Google not only on behalf of himself but also on behalf of over four million individuals he claimed were affected by Google’s alleged activities (involving the alleged placing of advertising tracking cookies on iPhones without user consent) and sought to serve the claim on Google out of the jurisdiction in Delaware. In essence, this was a procedural case in which Mr. Lloyd claimed that, under the Civil Procedure Rules, a representative action could be brought by one or more persons where others have the “same interest” in the claim on an opt-out basis (i.e. each individual need not agree to be part of the claim in order to be represented in it), and that the court could therefore award damages to each individual represented via a “lowest common denominator” approach (Lloyd suggested £750). Mr. Lloyd further claimed that section 13 of the Data Protection Act 1998 (“DPA 1998”) (the applicable law at the time of Google’s alleged actions) permitted damages to be awarded for the mere “loss of control” of data, even where no pecuniary loss (or distress) had occurred.
There were various appeals, but in November of 2021 Google was ultimately successful, with the Supreme Court ruling that the “lowest common denominator” approach was not appropriate and that neither damages for “loss of control” of data without any material damage or distress, nor “user damages”, are available in claims under section 13 of the DPA 1998. As a result, Lloyd’s claim could not be served on Google (although such damages may still apply where claims rely upon the tort of misuse of private information).
Key takeaways:
- It is important to remember this is a procedural case in respect of the old data protection regime. However, the findings do seem to offer more arguments for pushing back on claims relating to low-level data breaches and may mean that the number of claims of this kind will decrease. In holding that claims for trivial and de minimis breaches are excluded, the decision is consistent with the direction of travel that the courts are taking, as seen in the other cases mentioned above.
- Where a breach is “non-trivial”, a claimant will only be able to claim damages where they can prove that they have suffered “damage” (as defined under the appropriate legislation). Under the GDPR and DPA 2018, persons whose rights under the GDPR are infringed are entitled to compensation where they have suffered “material or non-material damage”, the latter of which “includes distress”.
- Representative actions of this kind seeking damages are not appropriate for claims of this nature, and whilst these remain possible (i.e. by seeking a declaration of liability, including a declaration that any member of the represented class who has suffered damage by reason of the breach is entitled to be paid compensation, with damages then being assessed individually at a later stage), the scope for bringing such claims has now been reduced.
December
HRH Duchess of Sussex v Associated Newspapers Ltd [2021] EWCA Civ 1810
This high-profile case principally concerned articles published in the Mail on Sunday and MailOnline which reproduced a large amount of a personal, hand-written letter written by the Duchess of Sussex to her father in 2018. The Duchess launched a claim against Associated Newspapers (the parent company of the Mail) on the grounds that such publication involved (among other heads of claim) copyright infringement and (on the basis that the letter was a private document) misuse of private information.
In April this year, the High Court granted summary judgment as to the misuse of private information claim, given that the letter was not in the public domain as at the time of publication, was written in a private capacity and sent via courier, and it was clear that the publication was not with the Duchess’s consent. It also found that publication of the letter infringed the Duchess’s copyright in respect of an online draft (as it could not see how the use could be considered fair dealing given that the amount of the letter reproduced exceeded an “acceptable amount”). In December 2021, this judgment was upheld by the Court of Appeal, which also ruled that the Duchess had a “reasonable expectation of privacy” as to the letter’s contents.
Key takeaways:
- An important reminder that individuals in the public eye are still entitled to a “reasonable expectation of privacy” (although not as strong an expectation as private citizens).
- Also a useful reminder that there are a wide range of items in which copyright can arise. News organisations should therefore take care when reproducing any material in which copyright may arise.
- News organisations should also apply caution where publishing information which has (a) been created in circumstances which may be argued to be private and (b) not previously entered the public domain.
- It should be noted that this ruling may potentially be appealed to the Supreme Court in future.
In-depth 2021-333