2021 has been an eventful year – not least in respect of new case law relating to data protection and privacy, and the significant legal changes many such new cases have brought about. Data protection fines from regulators generally get a lot of attention in yearly updates, but watching the trends in legal judgements in the wider field of privacy is just as revealing and important.
The Supreme Court’s recent decision in Lloyd v Google was the most hotly awaited and most talked about, but there are many others of equal importance and potentially wide-ranging impacts. In general, case law has had a key impact upon the development of data protection and wider privacy law this year, with decisions introducing big changes to key principles that will impact privacy claims in years to come – most notably in limiting un-evidenced claims for trivial distress.
In this article, we set out the key case law developments and takeaway points.
Weaver and others v British Airways plc  EWHC 217
This July, British Airways (“BA”) settled its long-running class action dispute with a number of the 420,000 people affected by a 2018 data breach. The settlement terms remain confidential, although we do know that: (a) compensation has been paid to qualifying claimants; and (b) no admission of liability on the part of BA is included.
The ICO separately imposed a fine of £20 million upon BA last year for the breach (heavily reduced from the initial £183 million announced following representations from BA).
- Whilst not as common as in the United States, representative actions can occur in the English (and wider UK) courts and companies should be alive to the risks of this (although the scope for making such actions in respect of data breaches has been reduced by subsequent case law – see Lloyd v Google below).
- Even where claims settle, data breaches of this size can lead to litigation lasting several years and ultimately are highly likely to lead to some expenditure on the part of data controllers (whether in settlement fees or in legal fees, or indeed both). Taking action to prevent data breaches before they occur therefore remains the optimum solution.
Warren v DSG Retail Ltd  EWHC 2168
This case concerned a claim of low value brought against DSG Retail Ltd (“DSG”) following a cybercrime-induced data breach, alleging breach of data protection law and confidence, negligence and misuse of private information on the part of DSG. DSG was however successful in its application for summary judgment and an order striking all out causes of action (except breach of data protection law).
It was held that claims in breach of confidence and/or misuse of private information cannot succeed without “use” or “misuse” of information by a defendant (which do not include omissions such as failures to secure data), whilst the claim in negligence failed because it was held that where statutory duties are in place, there is no need to impose a duty of care.
- Attempts to ‘augment’ what should be a clear claim for breach of data protection law with various other heads of claim are less likely to be successful.
- Limits recoverability of After-The-Event (“ATE)” insurance premiums which had been common for claimants in low-value data claims typically for breach of confidence and misuse of private information claims to cover their costs and to pressure defendants into settling (and in paying more money to settle) by having to factor in ATE premiums when considering their costs liability. Since it is no longer clear that ATE premiums will be recoverable in such cases, claimants will need to give greater thought to purchasing this (particularly where cases involve data breaches) which may reduce the number of claims in which this tactic is deployed by claimants.
- Expected to impact the allocation of such claims, which have often recently been commenced in the Media and Communications Claims List of the High Court. Where significant damages relating to claims of misuse of private information and/or breach of confidence cannot be alleged alongside relatively small sums (if any) arising from breaches of data protection legislation, it may well be harder for such cases to avoid being allocated to the small claims track of the relevant county court (where, of course, it is not generally possible to recover costs).