Johnson v Eastlight: Another important judgment on de minimis threshold in data protection compensation claims – and other key takeaways

By:

The High Court in Emma Louise Johnson v Eastlight Community Homes Ltd1 declined to strike-out a claim for damages for distress following an isolated one-off data incident which was quickly remedied. In doing so, however, the Court:

  • confirmed that the de minimis concept is equally applicable to claims under the General Data Protection Regulation 2016/679 (“GDPR”) and Data Protection Act 2018 (“DPA 2018”), as it was to claims under the Data Protection Act 1998 (“DPA 98”);
  • held that a claim for injunctive and declaratory relief in circumstances such as those present in this case was misconceived; and
  • offered further welcome dicta on the appropriate forum for the issuance of such claims, transferring the claim to the County Court, and criticising the claimant firm’s conduct.

Background

On 1 September 2020, one of the Defendant's employees sent an email to one of their customers, inadvertently attaching a compilation of rent statements of other customers, which included the Claimant. The attachment was 6,941 pages long and, at pages 880-882, were the Claimant's name, address, and recent rent payments made to the Defendant. The sole recipient of the e-mail immediately notified the Defendant of the error by phone and was asked to delete it, which they did. The inadvertent disclosure, to a single person, lasted less than three hours.

Notification to the Claimant

The Defendant e-mailed the Claimant on 20 September 2020 to inform her of the incident, the fact that the recipient had deleted the information, and that the Defendant had reported the incident to the Information Commissioner's Office (“ICO”) (whilst not accepting the necessity to report it2 ). The ICO subsequently confirmed that no enforcement action would be taken.

The Claim

On 15 March 2021, proceedings were issued by the Claimant in the High Court, seeking damages limited to GBP3,000, for Misuse of Private Information, Breach of Confidence, Negligence, breach of Article 8 of the European Convention on Human Rights; as well as pursuant to Article 82 GDPR, and pursuant to section 169 of the DPA 2018. The Claimant also sought injunctive relief to prevent the recurrence of this type of breach, and declaratory relief stating that the Defendant had breached the principles enshrined in the abovementioned legislation.

Application for strike-out/summary judgment

The Defendant applied for (a) summary judgment on the whole claim under the de minimis principle3 ; (b) to strike out of the whole claim under CPR 3.4(2)(b)4  under the Jameel5 jurisdiction; and (c) to strike out the claim in negligence under CPR 3.4(2)(a)6.

The claim in negligence was discontinued by the Claimant at the hearing of the Defendant’s application and is not considered further in this article7.

The de minimis threshold and Jameel

De minimis threshold

The de minimis principle developed through common law and confirms that whilst damages can, in principle, be recovered and other remedies obtained for breaches of data protection law and common law privacy torts, including simply for the distress caused8, any distress must not be trivial in nature9.

Jameel

Jameel was a defamation case in which the court held that as the damage caused in that case was minimal, and the costs of obtaining it would be disproportionate and to the detriment of the wider public in terms of court resources, "the game is not worth the candle", and the claim was struck out. Jameel is authority for the position that any such claim is an abuse of process and should therefore be struck out.

The Claimant’s position and evidence of distress

The Claimant’s position was that:

  • Jameel only applied to non-statutory torts (i.e. not to a claim under the GDPR/DPA 2018);
  • the GDPR had direct effect and therefore supersedes inconsistent provisions in the common law such as the de minimis principle, and other statutes; and
  • the de minimis threshold had in any event, been crossed.

Court’s view of the compromised data

The compromised data was considered by the Master to be “simply routine” and “not of an obviously sensitive nature”. The Master concluded that:

  1. the Claimant's election to issue her claim in a publicly identifiable form far eclipsed the disclosure by the Defendant; and

  2. the Claimant's distress “seems more in the realms of the unknown or the hypothetical than in reality,” and is “historic rather than current”.

Conclusions on the distress based claim

  1. The Claimant’s contention that Jameel only applied to non-statutory torts was rejected.

  2. The Master, having analysed the statutory provisions which entitle a data subject to damages for pecuniary or non-pecuniary loss under the DPA 9810, firmly rejected the contention that the GDPR overruled prior common law. She concluded that “nothing strikes me as distinct in the wording of Article 82(1) of the GDPR as negates continued application (if appropriate) of Jameel or de minimis principles to a damages claim brought under it”. The Master was also critical of the claims being advanced for damages pursuant to both Article 82 GDPR and Section 169 DPA 2018 – the conclusion being that as both legislative provisions provide for the same relief, claims under both render one or the other otiose.

  3. The Claimant’s witness evidence, which included her name and address (as did the Claim Form), stated that the incident left her “stressed, worried and very anxious” as she had moved to that address to escape an abusive relationship and “had avoided making [her] new address “public” for fear of…contact with [her] former partner11”. This, she contended, meant there was a reasonable prospect in showing that loss and damage had crossed the de minimis threshold, which was a factual issue for trial and made the claim not suitable for dismissal at summary judgment stage12.

Having consider the above, the Master ultimately declined to strike-out the claim/award summary judgment in relation to the claim for distress under the GDPR/DPA 2018.

The other causes of action13

The Master held that “the test for damages on facts such as these is considered in the round, drawing upon all causes of action as relied upon. There is no separate or sequential process of assessment14”. The Master concluded that the claims collateral to the GDPR claim were likely to obstruct the just disposal of these proceedings and take up disproportionate and unreasonable court time and costs and were therefore struck out under CPR 3.4(2)(b) (alternatively CPR 3.1(2)(k) and/or (m)15). The High Court had adopted a similar position in Warren16  (which we wrote about here).

Of particular note is the Master’s criticism of the Claimant’s assertion that the value of damages cannot be predicted at this stage because the assessment of loss required a consideration of the Defendant's organisational and internal procedures (and which would potentially be an aggravating factor if these were identified as falling short of the required standard under the GDPR). That position, she held, “seems ambitiously to inflate any realistic value the claim has…[and] such matters would not only be unknown to the Claimant but more particularly could never increase or aggravate her subjective distress or perception of loss.

Injunctive and Declaratory Relief

On the facts, the Master concluded that the claim for an injunction was misconceived and the prospect of an award of an injunction non-existent. This was because:

  1. an injunction is a discretionary remedy granted usually only where it is demonstrated a defendant threatens to commission further torts17 ;

  2. there is no evidential basis put forward to maintain that this was anything other than a one-off error; and

  3. there cannot realistically be suggested to exist an ongoing threat to the Claimant's personal data, such as to justify an injunction.

It was, in the Master’s view, “merely an attempt to add credibility to the claim and to convey a greater impression of its importance”. The same view was taken of the claim for declaratory relief. The claim “at best” was for “modest damages”.

Judgment

The Master concluded that:

  1. There was no basis for having issued the claim in the High Court. The presentation and processing of this case in this forum constituted a form of procedural abuse.

  2. The real point in this case was whether the Claimant's entitlement is to purely nominal or extremely low damages. Mindful that the court should strive to provide a remedy to any litigant, the claim ought not to be entirely struck out but instead redirected to the more appropriate forum, the County Court.

The claim was therefore transferred out of the High Court and allocated to the small claims track.

Comment

Whilst the decision of the Master in not striking out the claim in its entirety is somewhat surprising, the conclusions drawn are reassuring and the decision is the first reported case which confirms that the Jameel and de minimis principles continue to apply to claims under Article 82 of the GDPR / DPA 2018. It also continues the recent helpful lineage of case law in the High Court in Warren (see here) and Rolfe18 (see here).

The Judgment is critical of claimant firms who layer multiple causes of action in what are simply claims arising from trivial data incidents: such an approach is “simply unacceptable”. The case was, according to the Master, “a Small Claim Track claim that should have been issued in the County Court and so allocated19” . The overt criticism of the level of costs both incurred and budgeted by the Claimant should both serve as a stark warning to claimant firms and offer a further beacon of hope to businesses facing such claims that they do not represent the pot of gold at the end of the claimant data breach rainbow.

The clouds have parted, and the sun is beginning to shine.


1 [2021] EWHC 3069 (QB).
2
 Notification of a data incident to the ICO is required in the event that an incident creates a risk of a harm to a data subject (see Article 33 GDPR). Notification to a data subject is required in the event of a high risk to the data subject (see Article 34 GDPR). Here, the risk to the data subject appears to have been negligible at best and the decision to notify the data subject, and report the incident to the ICO, on the Defendant’s own case, is questionable.
3
 Helpful guidance as to the de minimis threshold was set out in TLT & Ors. -v- (1) The Secretary of State for the Home Department (2) The Home Office [2016] EWHC 2217 (QB).
4 CPR 3.4(a) and (b) provide a power for the Court to strike out a statement of case or a part of a statement of case if it appears to the court that (a) the statement of case discloses no reasonable grounds for bringing or defending the claim; or (b) the statement of case is an abuse of the court’s process or is otherwise likely to obstruct the just disposal of the proceedings..
5 From Jameel v Down Jones & Co Inc [2005] EWCA Civ 75.
6 See footnote 4, above..
7 The Master was highly critical of the Claimant for the lateness of this concession: see [16] of the Judgment. .
8 Vidal-Hall v Google [2016] QB 1003.
9Per Sir Geoffrey Vos at [55] in Lloyd v Google [2020] QB 747.
10As extended in Vidal-Hall.
11This is notwithstanding that her location was publicly available online and her details were not “ex-directory”. She also accepted that the risk of contact was “extremely low”, but that it had “played upon her pre-existing depression and anxiety.”.
12An application for summary judgment under Civil Procedure Rule Part 24 is not a 'mini trial' and should take into account material reasonably likely to be before the court at trial and need not take current evidence at face value if it is contradictory or inherently implausible: a long line of authorities is cited at paragraph 10 of the Judgment.
13Being the claims for breach of Article 8 ECHR, Misuse of Private Information and Breach of Confidence (the claim in negligence having been discontinued)..
14TLT – see footnote 3, above..
15CPR 3.1(2) lists the court’s discretionary powers which include the power to (k) exclude an issue for consideration, and/or (m) take any other step or make any other order for the purpose of managing the case and furthering the overriding objective..
16Warren v DSG Retail Limited [2021] EWHC 2168 (QB).
17Monir v Wood [2018] EWHC 3525 (QB) at [237].
18Rolfe & Others -v- Veale Wasbrough Vizards LLP [2021] EWHC 2809 (QB) .
19It is very likely that these claims would not be commercially viable if issued in the Small Claims Track, as the claimant’s costs are generally not recoverable above a low fixed threshold.