January
Stadler v. Currys Group Limited [2022] EWHC 160 (QB)
This long-running case concerned claims brought against Currys Group Limited (Currys). Currys sold Mr Stadler’s used smart TV to a third party (after he had returned it to Currys without logging out of various installed apps), resulting in a movie being purchased through Mr Stadler’s Amazon Prime account. Despite Currys reimbursing him the balance (£3.49) and giving him a £200 goodwill voucher, Mr Stadler chose to pursue Currys for misuse of private information, breach of confidence, negligence and breaches of the UK GDPR and the Data Protection Act 2018 (DPA 2018), seeking damages totalling £5,000.
It was held that:
- In line with the decision in Lloyd v. Google that damages for non-trivial breaches were not recoverable under the Data Protection Act 1998 (DPA 1998) unless there was proof of material damage (or distress), the same “appeared to apply equally” to equivalent claims under the UK GDPR; and that, per Rolfe & Ors v. Veale Wasbrough Vizards LLP [2021] EWHC 2809, a de minimis threshold needed to be passed before claims for distress alone could be successfully brought. Consequently, these claims were dismissed.
- Following case law such as Warren v. DSG Retail Ltd [2021] EWHC 2168 (Warren v. DSG), the High Court was not the appropriate forum for low-value data claims, with Lewis J also criticising attempts to overcomplicate what was at its heart a simple claim in order to justify this.
- Upholding the precedents set in Warren v. DSG, the claims for misuse of private information and breach of confidence were struck out (as these must involve active “use” or “misuse” of information by a defendant, not just omissions), as was the claim for negligence (given that, where statutory duties are in place, there is no need to impose a duty of care).
Key takeaways:
- The judgment provides precedent for applying Lloyd v. Google’s requirements for bringing a successful compensation claim under the DPA 1998 to equivalent claims under the UK GDPR (though unlike Lloyd v. Google, this is not a Supreme Court case and so higher courts could rule otherwise in future).
- The judgment also supports the precedent set by Rolfe & Ors v. Veale Wasbrough Vizards LLP [2021] EWHC 2809 regarding de minimis thresholds for distress claims (as an aside, a similar decision has also been reached preliminarily in the EU by Advocate General Campos Sanchez-Bordona in the CJEU case of UI v. Österreichische Post AG (Case C-300/21) in October 2022, holding that harm alleged in data breach claims must go beyond “mere upset” to be actionable).
- Attempts to ‘augment’ what should be a clear claim for breach of data protection law with various other heads of claim are even less likely to be successful, with multiple decisions now finding against this practice. This also further limits the recovery of after-the-event (ATE) insurance premiums. Taking out ATE insurance had been common for claimants in low-value data claims (typically for breach of confidence and misuse of private information claims), both to cover their costs and to pressure defendants into settling (and into paying more money to settle) by having to factor in ATE premiums when considering their costs liability. As such premiums may well no longer be recoverable in such cases, claimants will need to give more thought to purchasing this insurance, which may well reduce the number of similar claims brought in practice.
- Further increases the likelihood of similar claims, which have often recently been commenced in the Media and Communications Claims List of the High Court, instead being allocated/re-allocated to the small claims track of the relevant county court (where it is not generally possible to recover costs).
February
Bloomberg LP (Appellant) v. ZXC (Respondent) [2022] UKSC 5
In this case, Bloomberg LP (Bloomberg) obtained a confidential letter of request sent to ZXC by a legal enforcement body regarding a criminal investigation and published an article that referred to the fact that information had been requested of ZXC and the issues it was being investigated for. ZXC succeeded in a High Court claim for misuse of private information against Bloomberg, which Bloomberg appealed first to the Court of Appeal (which was dismissed) and then to the Supreme Court.
The Supreme Court held that ZXC had a reasonable expectation of privacy in a police investigation up to the point of charge and that, in this case, the right to freedom of expression did not outweigh this. Consequently, it found in favour of ZXC’s claim, awarded it £25,000 in damages, and granted an injunction preventing Bloomberg from publishing its article of the information in question further within the jurisdiction.
Key takeaways:
- Amongst a range of case law this year emphasising the dangers of pursuing claims for misuse of private information without sufficient grounds, this case is a useful reminder that, in the right circumstances, misuse of private information claims can still be successfully brought – and may also require the payment of non-trivial damages sums.
- The Supreme Court also noted (with respect to comments made by the Court of Appeal) that, although information may be both private and confidential, the causes of action for misuse of private information and breach of confidence are distinct. It will be interesting to see how this affects claims in which both heads of claim are pursued (and particularly where both are brought alongside further claims and without clearly differentiating between the grounds for each different head of claim).
- Interestingly, the ICO’s Draft Journalism Code of Practice cites the High Court judgment as a case which is useful for data controllers in considering the lawful use of personal data under data protection laws, despite the case itself not concerning a data protection claim. The draft ICO code refers to the case in emphasising that the starting point should be that “a suspect has a reasonable expectation of privacy regarding investigations, including the fact that there is an investigation”. It is useful to remember that a data regulator will look at related privacy case law at least in providing guidance, even where it is not an action brought specifically under the laws which it regulates.
May
Smith v. TalkTalk Telecom Group Plc [2022] EWHC 1311 (QB)
This case concerned data breaches occurring in 2014 and 2015 that resulted in the ICO fining TalkTalk. The claimants (of which there were 385 in total, constituting both actual and potential TalkTalk customers) brought claims for misuse of private information and for compensation under the DPA 1998, on the grounds that TalkTalk’s measures to protect their personal data were insufficient and enabled third parties to access and fraudulently use this. Following Warren v. DSG, the claimants also sought to amend their particulars of claim to argue that TalkTalk’s security failures themselves constituted “acts”.
Saini J struck out and dismissed the claim for misuse of private information, since (per Warren v. DSG) this was based on TalkTalk’s alleged security failures as opposed to its “positive act” of “use” or “misuse”, and characterised their claim as “a negligence action masquerading as a claim for MPI”. The court did concede that a data breach had occurred on the facts, but this did not constitute a breach of data protection law.
Key takeaways:
- Further precedent making clear that claimants should think carefully about the appropriate heads of claim to bring as opposed to trying to bring multiple (or the wrong) heads of claim – with the same implications for ATE insurance as mentioned above.
- Demonstrates the importance of being able to evidence “use” or “misuse” of information by the defendant before attempting to bring a claim for misuse of private information (and further 2022 judgments have re-emphasised this – see, for example, Underwood & Anor v. Bounty UK Ltd & Hampshire Hospitals NHS Foundation Trust [2022] EWHC 888 (QB), with very similar findings).
- Also shows the importance of being able to evidence and establish actual breaches of data protection law – part of the difficulty with the claimants’ DPA 1998 claim was that it was based on “unconfirmed breaches” (with the claimants arguing that these must have occurred at some unspecified point in time), which did not find favour with the court.
June
Bennett & others v. Equifax Ltd [2022] EWHC 1487 (QB)
This case in fact concerned several cases arising from a data breach by Equifax Ltd (Equifax) involving 700,000 data subjects. Equifax was issued in 2017 with an ICO fine under the DPA 1998 totalling the maximum amount possible (£500,000). Of those 700,000 data subjects, over 100,000 had issued claims, and the claimants consequently sought a group litigation order (GLO) (a method of litigating multiple claims distinct from representative actions such as that dismissed in Lloyd v. Google). Equifax opposed this, arguing that preliminary causation and loss issues should first be determined, as it would be disproportionate to proceed with a GLO if most of the claims in question had little to no worth.
Although the key issue was not decided (and instead was referred for consideration by a judge at a Case Management Conference), the senior master did make obiter comments seeming to sympathise with concerns raised by Equifax and suggesting that “it may be unlikely that the entirety of the Claimant cohort will be able to establish either financial loss or distress to enable compensation to be awarded”.
Key takeaways:
- Suggests that the issues with multiple data claims where it cannot be evidenced that each individual has suffered damage (one of the reasons for the failure of the representative action claim in Lloyd v. Google) may also apply to other forms of group litigation such as GLOs (though it should be emphasised that these comments were non-binding).
October
Driver v. Crown Prosecution Service [2022] EWHC 2500 (KB)
This case, one of the first data cases in the King’s Bench Division (as the Queen’s Bench Division became in September), concerned the former leader of Lancashire County Council who, having been informed that he was no longer a suspect in a police investigation into local government corruption (and having made press statements stating this), then became the subject of investigation again. The CPS subsequently emailed a third party (and political opponent of Mr Driver), stating that a charging file had been referred to it for consideration (but did not mention Mr Driver’s name in its email). The recipient shared the email more widely, and Mr Driver brought claims under the UK GDPR and DPA 2018 and for misuse of private information (as well as claims under the Human Rights Act 1998 and in negligence, which were ultimately not pursued) on the basis that the email had caused him distress, seeking damages of up to £2,000.
This case is notable because it is one of the few to involve an actual award of damages as compensation for a breach of data protection legislation. The court dismissed the claim for misuse of private information but did find (as the CPS originally admitted, although they then attempted to deny at trial) that a personal data breach had occurred and that this constituted a breach of the DPA 2018, awarding Mr Driver £250 in damages.
Key takeaways:
- A useful indication of the likely size of damages that courts will order where compensation is found to be payable under data protection laws. Given that the claimant had sought “damages not exceeding £2,000”, the decision to make an award totalling just 12.5 per cent of that total is noteworthy.
- It should be noted that the court described this breach as being “at the lower end of the spectrum” (and so more serious breaches may result in higher sums being payable). Equally, the CPS’s decision to attempt to deny at trial that a breach had occurred despite it having previously admitted to this may have also influenced the award of damages on this occasion.
- The failure of the claim for misuse of private information (due to the relevant information already being in the public domain) evidences additional hurdles beyond those covered in the above cases to successfully bringing such a claim.
In-depth 2023-007i