Further Guidance on Quantum for Data Breach Claims 

October, 2022 - Shoosmiths LLP

In another helpful judgment for defendant organisations handling large amounts of personal data, Driver v CPS provides guidance on the quantum of data breach claims where the claimant has suffered distress but not provided medical evidence.

The court awarded £250 as the data breach was at "the lowest end of the spectrum", which may indicate where the de minimis threshold for such cases lies, often a hotly contested point in data breach claims. Whilst the quantum award was low, it holds significance for organisations facing mass actions or many individual claims as, coupled with the often disproportionate costs of claimant firms, such claims can lead to significant liabilities.

Background

Driver v CPS follows a suite of helpful High Court cases (see our previous articles below), which establish several key points for this rapidly evolving area of law. These include that:

  • Mass claims for data breaches require claimants to show that all prospective claimants have the “same interest”, which the Supreme Court recently held was not met in a claim brought against Google on behalf of 4.4 million iPhone users (Lloyd v Google).
  • Non-statutory data claims (i.e. breach of confidence and misuse of private information actions) do not impose a wider general data security duty, nor is there a wider duty of care for negligence claims (Warren v DSG).
  • Speculative distress-only claims may fall under the de minimis threshold and lead to indemnity costs being awarded against claimants (Rolfe v Veale).

The cases have often indicated that low risk, distress-only data breach claims should be allocated to the small claims track, regardless of the alleged complexity of the issues (Johnson v Eastlight). This has key implications for claimant firms, as the scope for recovery of (often disproportionate) costs is very limited, including where claims are funded by After the Event insurance and/or where Part 36 offers have been made.

Decision

In Driver v CPS, the claimant was a local politician who had previously been linked to a police operation looking into local government corruption, details of which were in the public domain. Responding to a member of the public’s request for an update on the investigation, the CPS stated in an email:

“A charging file has been referred from the Operation Sheridan investigation team to the CPS for consideration. At this stage I am unable to provide you with any more detail.”

The recipient then sent the email to a small number of third parties, including the media.

Whilst it did not name Mr Driver, the email, the court held, sufficiently amounted to a breach of the Data Protection Act 2018 (“DPA 2018”) because it constituted unlawful processing of his personal data. However, because the information added little or nothing to what was already in the public domain, and so could not have had the effects claimed, the court awarded him only £250.

Key points

Driver v CPS has several distinguishing features:

  • As the matter concerned processing for law enforcement purposes, the applicable regime was under the DPA 2018, not the GDPR (being the EU GDPR owing to when the data breach occurred).
  • A claim in misuse of private information failed because the claimant had no reasonable expectation of privacy as the relevant information was already in the public domain. The email added little or nothing to that which was already known, and there was no evidence that some recipients ever read it.
  • The claimant sought up to £2,000 in compensation, being damages for distress but not for personal injury (and no medical evidence was provided, though the claimant had consulted his GP).

These points may be familiar to defendant organisations facing similar claims under the UK GDPR or on non-statutory bases, and they provide welcome guidance that, ultimately, the claimant could only have suffered “a very modest degree of distress” in the circumstances, such that “this data breach was at the lowest end of the spectrum”.

Unanswered questions

Responding to the above case law, the latest trend claimant firms follow is to bring claims for technical breaches of the UK GDPR and/or the DPA 2018, bolster the claims with non-statutory misuse of private information and/or breach of confidence claims, but, unlike Mr Driver, to immediately seek medical evidence on behalf of the data subject. Driver unfortunately did not consider such claims because no medical evidence was provided. Providing medical evidence may have significant consequences because damage on account of personal injury could exceed the current £1,500 personal injury threshold for small claims, such that the claims may be allocated to the Fast Track and have associated (much greater) costs consequences for the losing party.

However, the impact of medical evidence on data breach claims has not been fully tested in a reported judgment. Unreported cases of junior courts (which state they have no precedent value) indicate this is an uncertain area, and some cases have proceeded on the basis that the medical evidence indicates the small claims personal injury threshold is passed, which, pending the introduction of a new fixed costs regime for Fast Track cases (tipped to be introduced in April 2023), will have possibly significant costs implications for defendant organisations in the short to medium term.

Looking ahead

The disproportionate costs of claimant firms have apparently been the key contention for many data breach claims and are the ultimate focus of many of the claims which have recently been issued. Pending further evolutions in the reported case law, it is yet to be seen how such arguments will fare in practice, and the area is ripe for a precedent-setting judgment. But they are tipped to lead either to the end of the road for claimants’ firms, or to greatly increased liabilities for defendants. For now, though, Driver helps to draw a line in the sand for data breaches posing the lowest risk.

 


