As the data protection compensation claim landscape develops in the UK, the High Court in the case of Warren -v- DGS Retail Limited EWHC 2168 (QB) has given useful guidance as to the appropriate heads of claim. The decision appears to begin to apply the brakes on what has otherwise been an accelerating claims market around infringements of the data protection legislation.
In January 2020, the Information Commissioner’s Office (the UK data protection regulator) issued a monetary penalty on the defendant in this matter. The monetary penalty was on the basis that the defendant had been subject to a significant cyber attack, following which the ICO determined that the defendant had been in breach of the requirements around cyber security set out under the Data Protection Act 1998.
In May 2018, the data protection landscape shifted into the world of the EU General Data Protection Regulation (GDPR). While the core requirements under the GDPR around cyber security are unchanged – that the controller is required to ensure “appropriate technical and organisational measures” are in place to ensure security – the environment around non-compliance is much harsher. As well as the significant strengthening of the ability of the ICO to impose penalties in eye-watering sums, the GDPR allows for a direct right of compensation for infringements of the legislation.
Article 82(1) of the GDPR sets out that: “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered”.
That aspect of the GDPR, coupled with the availability of awards of damages for distress alone for infringements of data protection legislation set out in the Court of Appeal judgment in Vidal-Hall -v- Google Inc EWCA Civ 311, has led to a burgeoning, but already significant, market around data protection compensation claims.
We are increasingly supporting clients with data protection compensation claims. Some of these are arguably justifiable and worthwhile claims, but many are trivial claims brought by volume claimant law firms or claims management companies.
Clients are often keen to settle these claims, to avoid the publicity and glare of the court room. Rather worryingly, we are increasingly seeing the legal costs incurred by the claimant firms being in sums that can routinely be anywhere between five and ten times the value of the settlement. The firms often require reimbursement of those costs before settlement can be reached.
The Supreme Court is currently grappling with these sorts of issues in the appeal in the Lloyd -v- Google case (which we have recently written about here).
This High Court judgment in Warren -v- DGS Retail Limited is another attempt by the judiciary to apply some sense of order and rationality to claims of this nature and is an important decision for those who deal with these sorts of case. Sadly, we get the impression that this will therefore be relevant to the majority of our clients.
The causes of action relied upon by the claimants in Warren -v- DGS Retail Limited were:
- breach of the Data Protection Act 1998;
- misuse of private information;
- breach of confidence; and
- negligence.
Those causes of action will be very familiar to those who have seen data protection compensation claims as the heads of claim routinely cited.
The application by the defendant was for summary judgment and/or an order striking out the heads of claim relating to breach of confidence, misuse of private information, and negligence.
The claimant was not alleging any positive conduct by the defendant said to comprise a breach or a misuse for the purposes of either a claim for breach of confidence or misuse of private information. The claim was that the defendant had failed in alleged duties to provide sufficient security for the data. Mr Justice Saini held that the availability of the common law torts of breach of confidence and misuse of private information did not impose a data security duty on the holders of information (even if private or confidential). He considered case law relevant to claims for breach of confidence and agreed with the authority that a positive action was required in order for a claim to be made out.
Mr Justice Saini noted that a misuse of private information still required a “use”: that is, a positive action. He rather scathingly noted that the reference to misuse of private information by the claimant was “an unconvincing attempt to shoehorn the facts of the data breach into the tort of [misuse of private information]”.
It was concluded that it was not the defendant that disclosed the claimant’s personal data, or misused it, but the criminal third-party hackers. On this basis, Mr Justice Saini determined that the claims for breach of confidence and misuse of private information had no reasonable prospects of success and also fell to be struck out based on the pleaded case.
Mr Justice Saini considered the issue of a claim in negligence to be similarly problematic, for two reasons: there is neither need nor warrant to impose such a duty of care where the statutory duties under the Data Protection Act 1998 operate; and a claim in negligence could only succeed where damage had been suffered, and a state of anxiety falling short of a clinically recognisable psychiatric illness does not constitute damage for these purposes. On that basis, Mr Justice Saini determined that the claim in negligence fell to be dismissed and/or struck out.
The Court therefore dismissed and/or struck out all claims except for the breach of statutory duty in relation to the obligations around cyber security under the Data Protection Act 1998.
We are now seeing an increasing frequency of claims being brought against clients following cyber security incidents and it is commonplace for the claim to be “loaded” with multiple heads of claim in this way. It may be that claimant law firms have felt that this approach may act as a multiplier on any eventual award of damages. Where the basis of the claim is a cyber security incident, we have consistently argued that the claim is a simple claim with reference to the Data Protection Act 1998 and that the various common law torts do not add anything to the claim and are inappropriate.
The judgment by Mr Justice Saini is very useful and confirms the approach that we have taken in these cases. Forcing the claimant firms to strip their cases back to basics – that a cyber security incident has occurred and their client is distressed as a result and seeks damages for that distress under the data protection legislation – should help all parties see the claims for what they are and come to more sensible outcomes.