A Possible End to Trivial Data Protection Claims?
Key Contact: Hugh Hitchcock
Author: Kate Francis-Hughes
Whilst the additional protections offered by the General Data Protection Regulation 2016/279 and Data Protection Act 2018 can be considered a significant step in the right direction as regards autonomy over personal data, questions have to be asked as to the number of individuals taking advantage of these new rules and regulations.
As a firm, we have received countless instructions over recent years defending our clients for what can only be described as trivial infringements of data protection law brought by volume claimant law firms. Recently, the High Court made a landmark judgment which will be a welcome deterrent from these types of claims being pursued, in circumstances where the infringements are not sufficiently serious and have not caused damage.
The factual background of Rolfe & Others v Veale Wasbrough Vizards LLP [2021] EWHC 2809 (QB) is like many we have seen previously; a case of an email being sent to the incorrect recipient. In this particular case, a single email containing a formal demand for payment and statement of account was sent to an incorrect recipient. This error was swiftly rectified by the Defendant but the Claimants nonetheless advanced a claim for (i) damages for misuse of confidential information; (ii) breach of confidence; (iii) negligence; (iv) damages until Article 82 of the General Data Protection Regulation 2016/279 and s.169 of the Data Protection Act 2018; (v) a declaration; (vi) an injunction; and (vii) interest and further or other relief.
The Defendant applied for summary judgment seeking the dismissal of the claim on the basis that it was implausible that the Claimants had suffered loss and distress above the de minimis threshold. The Claimants argued that they had lost sleep worrying about the possible consequences of the data breach and that it ‘had made them feel ill’, and that extensive time had been spent by them dealing with this issue.
In his judgment, Master McCloud held that whilst the incident was unfortunate it was “not of a sufficiently serious nature to have caused damage over the threshold”. He continued “incidents such as this occur regularly in organisations throughout the country. Where no harm is caused, or no harm overcomes the de minimis threshold, no cause of action lies, and no claim will succeed. If it were not so, the court would be bound up with such cases every time a minimal error occurred. This is a case of no harm done.”
Master McCloud concluded “we have here a case of minimally significant information, nothing especially personal such as bank details or medical matters, a very rapid set of steps to ask the incorrect recipient to delete it and no evidence of further transmission or any consequent misuse… In my judgment no person of ordinary fortitude would reasonably suffer the distress claimed arising in these circumstances in the 21st Century. In the modern world it is not appropriate for a party to claim for breaches of this sort which are, frankly trivial.”
A similar approach was adopted by Mr Justice Saini in the recent case of Warren v DSG Retail Limited [2021] EWHC 2168 (QB), where the Claimant sought to pursue several unsustainable heads of loss in the likely hope that the sheer volume of losses claimed would lead to the claim being successful, whether in whole or in part. Thankfully, the judiciary saw through this transparent attempt.
We are hopeful that the consistent approach adopted by the judiciary in cases of this nature will cause some comfort to business owners, such that Claimants are unable to exploit the legal system for unwarranted financial gains.
For further information or advice on any of the issues raised in this article please contact our Litigation Team.