Over recent years, the number of claims presented for breaches of the Data Protection Act 2018 (DPA) and General Data Protection Regulation (GDPR) have increased significantly, many claims being presented in the High Court (after commencing in the Pre-Action Protocol for Media and Communications Claims) despite the limited sums claimed in damages.
The Claimant presented a claim following a data breach by the Defendant which had mistakenly sent a compilation of rent statements relating to some of its customers to a third-party by email. The Claimant’s personal information appeared on pages 880–882 of the 6,941 page document.
The third-party, the sole recipient of the email, immediately notified the Defendant of the error by telephone and after a request was made by the Defendant, confirmed that it had been deleted within three hours.
On 15 March 2021, the Claimant issued proceedings in the High Court’s Media and Communications List seeking damages capped at £3,000. The Claimant sought damages for the misuse of private information, breach of confidence, negligence, breach of Article 8 of the European Convention of Human Rights, as well as damages pursuant to Article 82 of the GDPR and damages under the DPA.
The Claimant also sought injunctive relief to prevent the recurrence of the breach and declaratory relief stating that the Defendant had breached the principles enshrined in the legislation.
The Defendant admitted a purely technical breach of Article 5(1) of the GDPR and applied to the Court for the claim to be struck out, contending that the Claimant had suffered no loss or damage above the de minimis threshold and even if damage were to be found above the de minimis threshold, the ‘game was not worth the candle’.
While the Claimant claimed to be concerned about the disclosure of her address but acknowledged that the chances of her former partner receiving the information were extremely low, the Judge, Master Thornett, noted this was inconsistent with her not applying for her address to be kept private in the proceedings.
The Claimant abandoned the negligence claim during the application hearing. The Master then struck out all claims save for the GDPR claim on the basis they were collateral to the GDPR claim and were likely to obstruct the just disposal of the proceedings and take up disproportionate and unreasonable court time and costs.
Master Thornett was mindful that the Court should strive to provide a remedy to any litigant it can, and therefore the GDPR claim was left to survive. However, the Master directed that the remainder of the claim should be transferred to the more appropriate forum, the County Court, noting that the case had “all the hallmarks of a small claims track claim that should have been issued in the County Court and so allocated”.
Crucially, the Claimant’s suggestion that the data breach claim was brought in “a developing area of law or where, even if principle is established, requires elaborate and complex legal argument” was dismissed as “unrealistic if not, at least arguably, opportunistic”.
Master Thornett was clear that such cases could be found daily in virtually every County Court and the “lure of adopting a more elaborate and more expensive approach just because the subject matter can so permit is simply unacceptable”.
The Claimant had served a costs budget seeking costs in excess of £50,000. The Master noted that no “serious privately paying litigant would contemplate spending over £50,000 in costs, not all of which may prove recoverable even in the event of success, and similarly expose themselves to the risk of significant adverse Costs Order following High Court litigation if unsuccessful, for a damages claim less than £3,000.” In a damning judgment, Master Thornett noted that the presentation and processing of the case in the High Court constituted a “form of procedural abuse”.
Lessons to be learnt
This judgment clarifies this area of law for organisations and insurers facing low-value data breach claims.
The High Court has given a clear decision that breach of confidence, misuse of private information and other causes of actions that are advanced in low-value data breach claims are simply collateral to a GDPR claim, are likely to obstruct the just disposal of proceedings and take up a disproportionate and unreasonable amount of Court time and costs. The High Court has seen through the tactics of sophistry that are advanced for the purposes of escalating costs or inflating complexity.
With the significant simplification of such claims to a GDPR claim only, the High Court’s direction is that claims like these ought to be transferred to the County Court where they may be suitable for the small claims track in which limited fixed costs are recoverable.
Further, in the absence of any misuse of private information or breach of confidence claim, the action can no longer be presented as ‘publication and privacy proceedings’ thereby preventing the recovery of any ATE premium purchased by the Claimant.
While there had already been judicial movement towards this position in cyber security breach claims (Warren v DSG Retail Ltd 2021) this decision supports arguments that ATE premiums should not be recovered in low-value breach claims, whether due to the actions of cyber criminals or an accident.
This decision assists defendants in low value data breach claims in minimising their costs exposure while preserving access to justice and the right for claimants to pursue a remedy from the Court, albeit within the confines of the small claims track. Organisations facing similar low value claims will welcome the positive outcome in Eastlight.
Hans Allnutt, Astrid Hardy and Millie Bailey of DAC Beachcroft represented the Defendant in Johnson.