Recent developments in data subject litigation caselaw
This is a decision from November 2021 that has only recently been published. It relates to a contested Case Management Conference in a case involving a personal data breach caused by operational error by the Defendant, rather than a third-party attack.
The claim was issued in the High Court after an employee of the Defendant sent a letter, intended to be received by the Claimant, incorrectly by email to one of his colleagues. The Defendant argued that the recipient of the letter had not read the contents and there was no significant harm caused to the Claimant. Both parties accepted that this was an error. There was no factual dispute other than whether the third party had in fact read the letter. The damages claimed were stated to be no more than £3,000.
The Claimant brought the following familiar causes of action:
(1) breach of data protection legislation.
(2) misuse of private information (MPI).
(3) breach of confidence (BOC).
- Allocation - The Claimant's law firm argued that the complexity of the claim meant that it would not be suitable – a common submission. This was rejected by the Court. The facts were relatively simple and even though it was accepted that data protection law was "not the most straightforward" area of law, that of itself should not prevent it being allocated appropriately based primarily on its value.
It was also argued that the only way of ensuring justice for the Claimant was to enable him to bring a claim in circumstances where his solicitors were able to recover costs – again, a common submission. However, in paragraph 35, the Judge noted that "those submissions raise wider policy issues…they cannot ultimately affect the decisions as to the proper allocation". In this case the Claimant's solicitors had tried to argue that their costs were c.£50,000. The Court responded that "no ordinary litigant would incur £50,000 in order to recover £3,000" (para. 37).
"In my judgment, the circumstances and nature of the Claimant's claim does not justify being allocated anywhere other than the County Court and on the small claims track. That is, in one sense, good news for Mr Cleary. Unless he is guilty of unreasonable conduct, in the small claims jurisdiction he will not be exposed to the risk of any adverse order for cost".
- Claims for error/accidental disclosure or loss of data - Following the decision of Warren v DSG Retail, the position in relation to cyber-attacks has been clear. A Claimant cannot bring a claim for MPI and BOC where the Defendant is a victim of a cyber-attack as both causes of action require a "deliberate act" and for cyber incidents the only acts carried out are by the threat actors. This left potential uncertainty as to claims for accidental disclosure or loss of personal data where the Defendant accidentally uses or misuses the personal data. Paragraph 26 of the judgment in Cleary helpfully stated that "In straightforward cases, like this one, there may be no real dispute about the data breach. If so, little of any substance or real value is likely to be gained by complicating the claim by bringing additional claims for misuse of private information or breach of confidence". Paragraph 27 goes on to note that "data protection offers a straightforward remedy, that avoids getting into areas of whether the Defendant can be said to have 'misused' the relevant personal information".
- Declarations as remedies - As is still common, the Claimant sought a Declaration from the Defendant to not misuse data again or breach the UK GDPR again. The Court effectively held that a Declaration in this type of case would be pointless.
We have seen a number of claims for one-off data breaches that arise from "fat finger" errors or documents being sent to the wrong address. Whilst there have been helpful authorities from the Courts on cyber-attacks and the unsuitability of allegations of MPI and BOC in that context, the defendant's involvement in incidents such as misaddressed mail has been used in some cases to attempt to justify allegations of MPI and BOC, along with ATE premiums. This in turn is being used to pressure settlements including disproportionate costs.
This judgment is a welcome addition to the string of decisions finding that such claims are in fact not complex, should not be costly and should be allocated to the small claims track at the County Court as a result. This is another blow to claimant law firms seeking to take advantage of the publication and privacy proceedings exemption for recovery of ATE and disproportionate costs associated with this.
This is a decision of the Advocate General at the Court of Justice of the European Union. It is not therefore direct authority, but does give a view on how the European Courts will interpret the EU GDPR, which remains in substance the same as the UK GDPR.
The decision was made following a request from the Supreme Court of Austria.
Österreichische Post (OP) AG is an entity that publishes address directories and collected information on political party affinities of the Austrian population. OP collected personal data relating to an individual (who was referred to as UI) to determine his political affinity without consent.
That affinity was not provided to any third party. However, UI complained about the affinity attributed to him by OP and sought compensation of EUR 1,000 in respect of non-material damage.
In accordance with Austrian law, any distress must be of significance before damages can be claimed, potentially comparable to the de minimis threshold in English law.
The Court considered a number of issues, including:
- Does the award of compensation under Article 82 also require, in addition to infringement of provisions of the GDPR, that an applicant must have suffered harm, or is the infringement of provisions of the GDPR in itself sufficient for the award of compensation?
The AG concluded that infringement alone would not justify an award for damages under Article 82 of the GDPR.
As part of the analysis, the concept of "loss of control over data" was considered – with the question being whether such loss of control would of itself give rise to a right to damages under Art 82, GDPR. The same question was considered by the UK Supreme Court last year in Lloyd v Google and it was decided that loss of control was not in and of itself enough to justify compensation. The AG reached the same conclusion:
"where a data subject does not consent to processing and processing is carried out without another legitimate legal basis, that is not a ground for the data subject to receive financial compensation on account of the loss of control over his or her data, as though that loss of control itself amounted to damage that is eligible for compensation" (para. 77).
- Is it compatible with EU law for compensation for non-material damage to be dependent upon a minimum level of distress?
This question concerns the "threshold of seriousness" that was also considered in the Lloyd judgment. At paragraph 108 the AG confirmed that there should be a threshold of seriousness for non-material damage – effectively consistent with the UK Supreme Court in Lloyd. The AG confirmed, in paragraph 114, that "mere upset" was insufficient for an award of compensation. In a similar manner to the Supreme Court in Lloyd, the AG provided no clear guidelines on how to determine whether the de minimis threshold had been met, noting "that difficult task falls to the courts of the Member States".
If the ECJ agrees with the decision of the Advocate General, the position in Europe is likely to mirror the position in the UK following the Lloyd decision. It is likely to continue to restrict the ability of claimants to bring claims where a reasonable degree of non-material damage cannot be made out. However, when claims are brought, there is still a potential grey area as to whether the "de minimis" threshold has been met in relation to awards for non-material damage. No doubt this will remain an area of contention until the Courts provide further guidance.