Reed Smith In-depth

As with our 2021 roundup, in this article we look beyond the fines and regulatory guidance to focus on the data protection and privacy developments in UK case law over the previous year. Whilst we may not have seen decisions as fundamental as 2021’s Lloyd v. Google [2021] UKSC 50 (Lloyd v. Google), 2022 case law has built on these precedents and provides guidance on other distinct and important issues (such as the amount that claimants may expect to be awarded for successful claims for compensation under data protection laws, and the courts’ potential views on group litigation orders). We have also seen the UK data protection regulator, the Information Commissioner’s Office (ICO), refer to non-data protection related case law in formulating its position on data protection compliance, showing that litigation and privacy practitioners need to take a broad view in keeping up to date on relevant developments.

January

Stadler v. Currys Group Limited [2022] EWHC 160 (QB)

This long-running case concerned claims brought against Currys Group Limited (Currys). Currys sold Mr Stadler’s used smart TV to a third party (after he had returned it to Currys without logging out of various installed apps), resulting in a movie being purchased through Mr Stadler’s Amazon Prime account. Despite Currys reimbursing him the balance (£3.49) and giving him a £200 goodwill voucher, Mr Stadler chose to pursue Currys for misuse of private information, breach of confidence, negligence and breaches of the UK GDPR and the Data Protection Act 2018 (DPA 2018), seeking damages totalling £5,000.

It was held that:

  • In line with the decision in Lloyd v. Google that damages for non-trivial breaches were not recoverable under the Data Protection Act 1998 (DPA 1998) unless there was proof of material damage (or distress), the same “appeared to apply equally” to equivalent claims under the UK GDPR; and that, per Rolfe & Ors v. Veale Wasbrough Vizards LLP [2021] EWHC 2809, a de minimis threshold needed to be passed before claims for distress alone could be successfully brought. Consequently, these claims were dismissed.
  • Following case law such as Warren v. DSG Retail Ltd [2021] EWHC 2168 (Warren v. DSG), the High Court was not the appropriate forum for low-value data claims, with Lewis J also criticising attempts to overcomplicate what was at its heart a simple claim in order to justify this.
  • Upholding the precedents set in Warren v. DSG, the claims for misuse of private information and breach of confidence were struck out (as these must involve active “use” or “misuse” of information by a defendant, not just omissions), as was the claim for negligence (given that, where statutory duties are in place, there is no need to impose a duty of care).

Key takeaways:

  • The judgment provides precedent for applying Lloyd v. Google’s requirements for bringing a successful compensation claim under the DPA 1998 to equivalent claims under the UK GDPR (though unlike Lloyd v. Google, this is not a Supreme Court case and so higher courts could rule otherwise in future).
  • The judgment also supports the precedent set by Rolfe & Ors v. Veale Wasbrough Vizards LLP [2021] EWHC 2809 regarding de minimis thresholds for distress claims (as an aside, a similar decision has also been reached preliminarily in the EU by Advocate General Campos Sanchez-Bordona in the CJEU case of UI v. Österreichische Post AG (Case C-300-21) in October 2022, holding that harm alleged in data breach claims must go beyond “mere upset” to be actionable).
  • Attempts to ‘augment’ what should be a clear claim for breach of data protection law with various other heads of claim are even less likely to be successful, with multiple decisions now finding against this practice. This also further limits the recovery of after-the-event (ATE) insurance premiums, which had been common for claimants in low-value data claims typically for breach of confidence and misuse of private information claims, to cover their costs and to pressure defendants into settling (and into paying more money to settle) by having to factor in ATE premiums when considering their costs liability – and as such premiums may well no longer be recoverable in such cases, claimants will need to give more thought to purchasing this, which may well reduce the number of similar claims brought in practice.
  • Further increases the likelihood of similar claims, which have often recently been commenced in the Media and Communications Claims List of the High Court, instead being allocated/re-allocated to the small claims track of the relevant county court (where it is not generally possible to recover costs).