Case comment: striking out of privacy and confidence actions in the Dixons data breach case
Darren Lee Warren v DSG Retail Limited [2021] EWHC 2168 (QB)
The number of claims issued in the High Court (Media and Communications List) with a data protection element continues to increase. The rise in claim numbers can be attributed to a number of factors including: (i) individuals becoming more aware of their rights under data protection legislation, (ii) uncertainty as to whether individuals may recover damages for a loss of control of their personal data without proving material damage or distress; (iii) the abundance of specialist law firms who are prepared to act for individuals on a "no-win-no-fee" basis and (iv) the availability of After the Event ("ATE") insurance to protect a would-be claimant against adverse costs orders.
It is the last of these factors that has arguably proved to be the element that has most contributed to this increase in claims. Claims for breach of data protection legislation are not "publication and privacy proceedings" under the Legal Aid, Sentencing and Punishment of Offenders Act 2012 ("LASPO"). As such, claimants are not entitled to recover ATE premiums from defendants in claims for breach of data protection legislation alone. However, to counter this, a common tactic of claimants has been to assert claims in misuse of private information and breach of confidence alongside claims for breach of data protection legislation, in an attempt to bring the claims within the exemption provided by LASPO, and which would in theory permit the recovery of ATE insurance premiums from defendants in the event of a successful claim.
The recent judgment in Darren Lee Warren v DSG Retail Limited provides much needed clarity in relation to the availability of causes of action that are commonly asserted by claimants in pre-action correspondence alongside claims for breach of data protection legislation. It is likely to have a significant impact on the future recoverability of ATE premiums.
What is the case about?
The Defendant, DSG, operates the well-known ‘Currys PC World’ and ‘Dixons Travel’ brands. Between July 2017 and April 2018, attackers infiltrated DSG’s systems and installed malware and thereby accessed the personal data of many of DSG's customers.
The Claimant had purchased goods from a store operated by the DSG and brought a claim alleging that his name, address, phone number, date of birth and email address had been compromised.
What causes of action were advanced?
The Claimant brought a claim for breach of confidence (“BoC”), misuse of private information (“MPI”), breach of the Data Protection Act 1998 (“DPA”), and common law negligence. The claim form sought damages of £5,000 in respect of distress.
The Defendant applied for summary judgment and/or an order striking out all causes of action save for the claim relating to the breach of the DPA.
What did the judge decide?
Mr Justice Saini struck out the Claimant's claims in MPI, BoC and common law negligence. We focus on MPI and BoC in this article.
Saini J noted that the Claimant’s claims were all based on the cyber-attack and recognised that the Claimant sought to position the actionable wrong as a ‘failure’ which allowed the attacker to access the personal data, rather than any positive conduct/action on behalf of the Defendant.
The judge characterised the Claimant's contention that the Defendant failed to protect the data as an attempt at articulating some form of data security duty. The judge clarified that neither BoC nor MPI impose a data security duty on the holders of information (even if private or confidential) and that instead, both MPI and BoC are concerned with prohibiting actions by the holder of information which are inconsistent with the obligation of confidence / privacy.
In respect of BoC, the Saini J drew on caselaw indicating “a negative obligation not to disclose confidential information” and a requirement for "an unauthorised use" of information to establish the tort.
Saini J also characterised MPI as a tort that was developed out of BoC in order to comply with obligations under the Human Rights Act 1998 and cross-referred to the ECHR and the requirement for / to avoid an 'interference' with the Claimant's Article 8 rights.
Crucially, the judge was not convinced by the novel argument advanced by the Claimant that the conduct of DSG was “tantamount to publication”. He described it as an "unconvincing attempt to shoehorn the facts of the data breach into the tort of MPI".
Will this judgment stem the tide of data claims?
The availability of no-win-no-fee agreements together with ATE insurance protection gives an individual whose personal data has been compromised the potential to claim compensation from a data controller arising from, for example, an accidental data breach.
When asserting claims against data controllers for breach of data protection legislation, it has been a common tactic for claimants to also include claims for MPI and/or BoC, in an attempt to take advantage of the exemptions in LASPO for 'publication and privacy proceedings', in theory enabling claimants to recover ATE insurance premiums from defendants in the event of being successful at trial.
Typically in such matters, the ATE premium is considerable when compared to the damages sought, which will often even on the Claimant's own case be relatively low. The prospects of recovery of the premium as legal costs from a data controller will have a significant impact on the decision as to whether to proceed with such claims in circumstances where the damages realistically recoverable are likely to be less than the ATE premium.
Whilst the judgment may not be enough to discourage claimants from asserting claims for MPI and BoC alongside data protection claims, the threat of these claims being struck out (with the prospect of adverse costs orders being made) may make the obtaining of ATE insurance harder to come by or disproportionately expensive. If claimants are unable to obtain reasonably priced ATE insurance premiums, there may be an increased reluctance to issue proceedings given the potential costs risk an individual may be exposed to. This may in the round lead to fewer claims being issued.
It remains to be seen whether there will be a noticeable drop off in claims as result of this judgment although it is likely that this judgment will embolden data controllers to be more robust in their defence of such claims and refuse, for example, to include the costs of ATE insurance premiums as part of any pre-action settlement.
Another important issue for data controllers at present remains whether a data subject may recover damages for a loss of control of personal data without proving material damages or distress. This issue will be resolved in the Supreme Court case of Lloyd v Google in which judgment is expected later this year. RPC supported techUK as an intervening party in the submitting a written intervention in the case.
How can RPC help?
RPC act for a number of data controllers and their insurers, in all aspects of data breach response and in defending data subject claims. For any queries please reach out to a member of the team listed above.