Data breach claims: a case law update for businesses
Further case law has arisen in the data protection landscape, adding to the series of Defendant-friendly Court decisions over the past year. It is becoming increasingly difficult for claims management firms to litigate data breach claims proportionately.
Stadler v Currys Group Ltd
In Stadler v Currys Group Ltd, Currys sold a refurbished television that had previously belonged to Mr Stadler. Currys failed to wipe the information from the television and the new purchaser of the television was able to purchase a movie using Mr Stadler’s Amazon account. Mr Stadler had also failed to wipe his information from the television. Currys refunded Mr Stadler for the movie purchased and provided him with a £200 shopping voucher as a gesture of goodwill.
Despite the above, a claim was issued in the High Court for misuse of private information, breach of confidence, negligence and breach of data protection. Mr Stadler sought £5,000 in damages. This is a claim that would usually be dealt with using the simplest Court procedure in the County Court. This is called the Small Claims track, used for claims up to £10,000 in value.
The Court decided that there was no evidence that Currys had any actual knowledge of the information in question or made use of it. It therefore followed that there cannot have been any unauthorised use (or misuse) of Mr Stadler’s information by Currys. The claims for misuse of private information, breach of confidence and negligence were struck out.
The surviving data breach claim was recommended to be re-allocated to the Small Claims track once transferred to the County Court. The usual “loser pays the winner’s costs” rule does not usually apply in the Small Claims track, so this severely restricted Mr Stadler’s potential cost recovery even if his ongoing claim was successful. The judge criticised him for issuing the claim in the High Court, determining that it was not proportionate to have done so. In other words, the Claimant was criticised for spending over £10,000 on legal fees when the damages awarded would be significantly less (if any damages were awarded at all). There was no financial loss and, therefore, a certain threshold of seriousness had to be met to justify any sum being payable.
Underwood v Bounty UK Limited and Hampshire Hospitals NHS FT
Another data controller/processor friendly decision came a few months later. In Underwood v Bounty UK Limited and Hampshire Hospitals NHS FT, Ms Underwood alleged that shortly after she had given birth at the Trust she was approached by a representative of Bounty. Bounty provided pregnancy and antenatal services. Ms Underwood said that, during her discussion with someone from Bounty, personal data relating to her newborn son (his name, gender and date of birth) was obtained without her permission from the medical notes at the foot of the hospital bed.
Bounty went into administration early on in the proceedings as a result of a fine from the Information Commissioner’s Office for data protection breaches. The proceedings against Bounty did not continue and judgment in default was entered.
In the claim against the Trust, it was alleged that it had misused her son’s private information by allowing Bounty access to the hospital ward. In addition, Ms Underwood alleged breaches of the Data Protection Act 1998 (“the DPA 1998”), the incident having occurred in 2017, prior to the Data Protection Act 2018 coming into effect.
The Court ultimately rejected the argument that the Trust had “made available” private information as it had been stored for a legitimate reason i.e. providing essential clinical services. The judge commented that a hospital cannot do its job without making available at least some limited data about its patients. Furthermore, the Court was satisfied that measures were taken by the Trust to protect patient data. For example, a mandatory Code of Conduct was in place that required all personal data processed by Bounty to be handled strictly in accordance with the DPA 1998.
The judge applied the decision in Warren v DSG Retail Limited (discussed in more detail in our article here) by holding that the Trust could not be liable unless it had carried out a positive act of “misuse”. It was determined that the allegations against the Trust could, at best, be described as “omissions” which did not amount to misuse.
The claims for breach of the DPA 1998 and misuse of private information against the Trust were dismissed. The Court noted that, even if there had been a breach of the DPA 1998 or misuse of private information, the claim would have failed as the information obtained about Ms Underwood’s son was so trivial that no damage could reasonably have been suffered as a consequence of it having been obtained by Bounty. Of particular note here is the data protection claim being found in favour of the party defending the claim because the Code of Conduct (mentioned above) was deemed an “appropriate technical and organisational measure” to prevent the unauthorised processing of personal data.
What does this mean for your organisation?
- These recent cases build upon existing case law which demonstrates that, in order to present a claim for misuse of private information, a Claimant must be able to show that the data controller took positive steps to misuse the data.
- Simply inadvertently disclosing trivial information (such as name and date of birth in the context of a hospital ward) to a third party will not be enough to justify a claim or pass the “de minimis” threshold. This demonstrates that the facts and circumstances are important and organisations cannot adopt a “one size fits all” approach when it comes to data protection policies and procedures. The data sharing arrangements put in place by the Trust in Underwood helped its defence. It is therefore recommended that organisations review their own documents and contact our Commercial team for advice on how to protect themselves.
- The decisions are a message from the Courts that claims for damages for alleged breaches of data protection legislation and misuse of private information, particularly where trivial data is the only disclosed data, will not be entertained.
- Any claims are likely to be allocated to the Small Claims track (where there is no psychiatric injury arising out of any breach). Therefore, even where a claim is successful, the successful party will generally not be entitled to recover their legal costs, making it less desirable to issue such claims, particularly where legal costs are likely to exceed any damages award.
- As a consequence of these decisions, it is possible that claims management companies will be further deterred from continuing to offer services for low level data breaches, especially in circumstances where there is limited prospect of success or recovery of legal costs.
If your business has suffered a data breach, or is facing claims of this nature, please contact our Dispute Resolution team for support.