As organisations face an ever increasing volume of civil claims seeking damages for trivial infringements of data protection law, the High Court in Rolfe & Others -v- Veale Wasbrough Vizards LLP  EWHC 2809 (QB) has provided a welcome judgment dismissing such a claim in circumstances where it was implausible that any distress had been suffered.
The claim related to a single email with attachments sent by the Defendant law firm on 17 July 2019. The Defendant represented a school to which the first two Claimants owed a sum of money, and the school had instructed the Defendant to write to them with a demand for payment. The email consisted of a letter and a copy of the statement of account. Due to an error by a Defendant employee, the email was sent to the wrong person. That person responded promptly indicating that they thought the email was not intended for them and thereafter confirmed its deletion.
The Claimants claimed damages for misuse of confidential information, breach of confidence, negligence, damages under Article 82 of the General Data Protection Regulation 2016/279 and s169 Data Protection Act 20181, plus a declaration and an injunction, interest and further or other relief. This is the usual “kitchen-sink” style approach claimant firms adopt in such claims and one that we frequently encounter.
Application for summary judgment
The Defendant applied for summary judgment, seeking dismissal of the claim. This was on the basis that it was simply not plausible that the Claimants had suffered distress above the de minimis threshold2 in relation to the accidental sending of the email to one recipient who quickly deleted it.
The de minimis threshold
It was common ground that damages can, in principle, be recovered and other remedies obtained for breaches of data protection law and common law privacy torts, including simply for the distress caused, without specific pecuniary loss3. Similarly, it was not in dispute that, in principle, loss of control of personal data can constitute damage4. However, there does need to be damage and one cannot succeed in a claim where any possible loss or distress is not made out or is trivial in nature5.
The Claimants argued the threshold had been crossed. This is because they stated that the incident had “made them feel ill” and that they had “lost sleep with worry”. This, they contended, meant there was a reasonable prospect in showing that loss and damage had crossed the de minimis threshold, which was a factual issue for trial and made the claim not suitable for dismissal at summary judgment stage6.
Granting summary judgment in favour of the Defendants, Master McCloud held that “there is no credible case that distress or damage over a de minimis threshold will be proved. In the modern world it is not appropriate for a party to claim, (especially in the in the High Court) for breaches of this sort which are, frankly, trivial.”
Master McCloud considered that the case concerned “minimally significant information, nothing especially personal such as bank details or medical matters.” Further, “rapid…steps” had been taken to ensure deletion by the incorrect recipient (which had been confirmed) and there was no evidence of further transmission or any consequent misuse. The claim was “plainly exaggerated” and it was “frankly…implausible [to suggest] that the minimal breach caused significant distress and worry or even made them 'feel ill'. In my judgment no person of ordinary fortitude would reasonably suffer the distress claimed arising in these circumstances in the 21st Century, in a case where a single breach was quickly remedied.”
The firm tone taken by Master McCloud in granting summary judgment and dismissing the claim is indicative of the High Court’s approach to trivial data breach claims, following hot on the footsteps of the decision of Justice Saini in Warren -v- DGS Retail Limited  EWHC 2168 (QB) (which we wrote about here).
Even post-Warren, a number of duplicative causes of action continue to be referenced by claimant firms in letters of claim and proceedings raised in the High Court notwithstanding the trivial nature of the incident. However, businesses can take further comfort that the clear trajectory of the judiciary is that it will not simply wave through such claims and award damages where no real distress has been caused.
1 The Judgment contains a typographical error and refers to the Data Protection Act 2013.
2 Helpful guidance as to the de minimis threshold was set out in TLT & Ors. -v- (1) The Secretary of State for the Home Department (2) The Home Office  EWHC 2217 (QB)
3 Vidal-Hall v Google  QB 1003
4 Lloyd v Google  QB 747 (Lloyd)
5 Per Sir Geoffrey Vos at  in Lloyd.
6 An application for summary judgment under Civil Procedure Rule Part 24 is not a 'mini trial' and should take into account material reasonably likely to be before the court at trial and need not take current evidence at face value if it is contradictory or inherently implausible: a long line of authorities is cited at paragraph 10 of the Judgment.