Not so long ago, following the Court of Appeal’s judgment in the seminal case of Lloyd v Google LLC [2019] EWCA Civ 1599, commentators and media outlets predicted an era where organisations would be submerged in a rising tide of US-style ‘class-action’ data breach claims.
On the contrary, 2021 has given us three recent cases which have decisively reshaped the likely future landscape of these claims. They are:
- Darren Lee Warren v DSG Retail Limited [2021] EWHC 2168 (QB)
- Alan Rolfe & Ors v Veale Wasborough Vizards LLP [2021] EWHC 2809 (QB)
- Lloyd v Google LLC [2021] UKSC 50
In the second installment of our data protection claims series, we will be discussing case two: Alan Rolfe & Ors v Veale Wasborough Vizards LLP [2021] EWHC 2809 (QB).
The background facts
The Defendant in this case is a law firm which represented a school to which the first two Claimants owed a sum of school fees. The school had instructed the Defendants to write to the Claimants with a demand for payment. The third Claimant was their child.
An email attaching a letter was sent to the Claimants – but due to a one-letter difference in the email address of the mother, the letter went to a person with an identical surname and the same first initial. That person responded promptly to say the email was not intended for them. The Defendants asked the incorrect recipient to delete the message, and she confirmed that she had done so.
The Claimants pleaded BoC, MoPI, and included claims for damages under Article 82 of the GDPR and s169 of the Data Protection Act 2018. The Defendants sought summary judgment on the basis the claim had no real prospect of success.
The decision
Master McCloud referred to the case law in data breach claims (including the High Court decision in Lloyd v Google), focusing on the usual rule that there was at least a de minimis threshold, with damage/distress in excess of this threshold needed in order to found a claim in the Courts.
The Master asked herself what, given the nature of the breach, the nature of the information and the steps taken to mitigate the breach, was the actual loss or distress that had been suffered – and was this above a de minimis level? [11]
The Master concluded that the case involved minimally significant information, nothing especially personal such as bank details or medical matters, a rapid set of steps taken to ask the incorrect recipient to delete it and no evidence of further transmission or consequent misuse [12].
In the circumstances, therefore, Master McCloud concluded that the claim for distress was not credible. Commenting that in the modern world it was not appropriate for a party to claim, especially in the High Court, for breaches of this sort which are trivial [13], the Master granted summary judgment and the case was dismissed, with costs.
Case comment
Claimants who have experienced very minor data breaches, beware. The effect of this judgment is to reiterate that the Courts will actively consider at an early stage whether the claim falls beneath the threshold of a properly pursuable claim.
If the Claimant has lost nothing other than a trifling amount of information, and ‘no harm has credibly been shown or be likely to be shown’ (as in the Master’s words), then the Claimant is likely to come away without a remedy (and to be punished in costs instead).
The case does also remind organisations how important it is to ensure that the breach is remediated quickly – by contacting the incorrect recipient and ensuring the misaddressed email was destroyed, the Defendants in this case saved themselves from the costs and nuisance of a full data breach claim.