Modest data breach not a matter for the High Court

14 Dec 2021

Johnson v Eastlight Community Homes Limited [2021] EWHC 3069 (QB)

In yet another recent High Court decision dealing with a relatively modest data breach the Court has struck out elements of a claim and transferred it to the County Court.

The claimant had issued proceedings in the High Court seeking damages limited to £3,000 in a claim for misuse of private information, breach of confidence, negligence, breach of Article 8 of the European Convention on Human Rights/the Human Rights Act 1998 and breach of the GDPR and Data Protection Act 2018.  The claimant also sought an injunction and declaration. 

This is a familiar cocktail of demands/claims to those who face attritional claims in connection with relatively minor incidents. Whilst there are a number of claimant firms in this space, this particular claim was pursued by Pure Legal (who have historically specialised in this type of claim but have recently gone into administration).

Even though the claim was at an early procedural stage, the claimant's solicitors filed a document confirming that over £15,000 had already been incurred in costs, despite the fact that the essence of the claim was, in the words of the judge “very straightforward”.

Background

The defendant provided low-cost social housing stock and the claimant was one of its tenants.  Another of the defendant's customers requested a rent statement. One of the defendant's employees replied but inadvertently attached a compilation of rent statements of other customers, including the claimant. The third party notified the defendant of the error by telephone, was asked to delete the email and confirmed that they had done so about 2½ hours later. Just less than three weeks after the incident the defendant emailed the claimant to inform her of the error and the fact that the recipient had deleted the information, to apologise and to explain that the matter had been reported to the Information Commissioner's Office. 

The claimant's details appeared at pages 880 – 882 in a document 6,941 pages long.  It was therefore, on the defendant’s case, highly unlikely that the third party had read the claimant's information at all.

The defendant applied to strike out the claim and/or for summary judgment on the basis that the claimant had suffered no loss above the de minimis threshold and that the claim was an abuse of process as any benefit to the claimant outweighed the time and resource involved in dealing with the claim.

The judgment

The information was routine and related to the claimant’s name, address, postcode, account reference number, account balance and details of recent rent transactions. This was “Plainly … not of an obviously sensitive nature in itself” and did not concern matters such as health, sexual relationships or bank details.  Its disclosure could not have given rise to any fraudulent purpose. 

The claimant said that she had moved to her current home in order to escape an abusive relationship and was therefore concerned that the information would “somehow” become known to her former partner even though the chances of this were extremely low.  She also said that it had played upon her pre-existing depression and anxiety.  However there was no personal injury claim.

The judge was plainly sceptical about these assertions as publicly available documents/channels would have enabled the claimant's ex-partner to locate her even if the disclosure had not taken place.  The claimant had not, for example, chosen for her details to be “ex-directory” and her full address appeared on the claim form and her original witness statement. The judge said that “I agree with the defendant’s submission that the claimant’s distress seems more in the realms of the unknown or the hypothetical than in reality. I also treat it as historic rather than current.” .

The claims for non-financial remedies also received short shrift with the judge concluding that “The claim for an injunction seems misconceived”, noting that an injunction was a discretionary remedy usually only granted where it could be demonstrated that the defendant was threatening to commit further wrongs and that:

“There cannot realistically be suggested to exist an ongoing threat to the claimant’s personal data, such as to justify an injunction. The prospect of an award of an injunction seems non-existent. I am quite satisfied the pleading of a claim for an injunction is merely an attempt to add credibility to the claim and to convey a greater impression of its importance. As does, for the same reasons, the claim for a declaration. I recognise no such need.”

The judge expressed the view that the particulars of claim comprised a number of overlapping and “Often inadequately pleaded” causes of action and that “nothing independently by way of entitlement seems to derive for reliance upon Article 8” and that:

"The reference to misuse of private information appears only in the alternative to the Article 8 claim, which I take as a concession that it entirely overlaps with it.  Therefore nothing independent arises from it…”.

The judge said that save for appearing as a reference at the end of the particulars of claim there was:

“No identifiable expressly pleaded claim during upon “breach of confidence” as if an independent cause of action … I therefore entirely disregard it as insufficiently particularised”.  

The judge said that:

“… Taking the claim as a whole, the breach of confidence claim and the claim in privacy fail to satisfy me they add anything useful and independent to the claim arising from the admitted breach of the GDPR...as such, I agree with the defendant’s submission that claims collateral to the GDPR claim are likely to obstruct the just disposal of these proceedings and take up disproportionate and unreasonable court time and costs. They are struck out…

The judge also said “I see no basis for this claim having been issued in the High Court.”. The value certified by the claimant for the claim came nowhere near the requirement for a claim to be issued in the High Court and the specific Rules relating to Media and Communications claims only applied where such claims were already “A High Court claim.”.

However, despite finding that:

“No serious privately paying litigant would contemplate spending over £50,000 in costs, not all of which may be recoverable even in the event of success, and similarly expose themselves to the risk of a significant adverse costs order following High Court litigation if unsuccessful, for a damages claim less than £3,000. The presentation of this case to-date in this form has, I am satisfied, constituted a form of procedural abuse….”

the judge said that:

            “By a very narrow margin, however, I am satisfied that the real point in this case is whether the claimant's entitlement is to purely nominal or instead extremely low damages."

The judge was also “…Mindful that the court should strive to provide remedy to any litigant if it can" and accordingly said that “The claim ought not to be entirely struck out but instead redirected to the more appropriate forum, the county court" and that:

“Everything about this case has all of the hallmarks of a small track claim that should have been issued in the county court and so allocated.  The suggestion that this is a developing area of law or where, even if principle is established, requires elaborate and complex legal argument is unrealistic if not, at least arguably, opportunistic. “

What this means for you

We have been advising clients for some time to challenge claims where multiple heads of claim have been pursued and, where appropriate, to make concessions in relation to the Data Protection Act claims where these, as tends to be the case, are the primary claim. This also has the collateral benefit of potentially preventing claimants from recovering ATE premiums as these can only be recovered in claims for misuse of private information. This decision vindicates that approach.

We have also been arguing (with considerable success, albeit that a number of cases are ongoing) that these types of claim belong in the small claims track. Decisions such as this plainly assist such arguments and reinforce our long-held view that the High Court is not the appropriate forum for low value data breach cases and that, as the judge clearly identified, claimant firms have been trying to “dress up” such claims in a way that presents them as being far more complex than they really are.

In addition, we have been advising clients for some time that claims for declarations and injunctions in such claims are unsustainable and this decision also reinforces that view.

This decision may well have proved to be frustrating for the defendants as the claim has not been struck out in its entirety and remains live. This reflects our own experience of a very similar application in a very similar case and contrasts with the recent decision in Rolfe v Veale Wasborough .

Nevertheless, the judge's strong comments; the decision to transfer the claim to the County Court and the indication that this claim belongs in the small claims track, will all assist with the wider costs arguments. These, in turn, may, if successful, deter claimant firms and claims funders from pursuing claims such as this as they face the prospect of not being able to recover any costs at all even if the claims are successful.

<< Back

Disclaimer: This document does not present a complete or comprehensive statement of the law, nor does it constitute legal advice. It is intended only to highlight issues that may be of interest to clients of BLM. Specialist legal advice should always be sought in any particular case.

Related Expertise


Related Sectors


Related contacts


Tim Smith

Tim Smith

Partner and Head of TMT & Cyber Practice Group,
London


Who to contact


For more information about any of our news releases, please contact:

Natalie King
 +44 20 7638 2811
+44 20 7920 0361
Email Natalie

Jo Murray
+44 20 7638 2811
+44 20 7865 4849
Email Jo

|

Not what you are looking for? Click here!