Friday 26 November 2021

Are Damages Claims for Data Breaches Viable?

Claiming damages for data breaches has become one of the latest litigation bandwagons.  But recent cases show that it is not as easy to claim compensation for data breaches as some claimant solicitors and litigation funders may like to assert.

In Rolfe and others v Veale Wasbrough Vizards LLP [2021] EWHC 2809 the High Court summarily dismissed a claim against a firm of solicitors over an email sent to the wrong recipient (with a one-letter difference in the email address) on the basis that no harm had credibly been shown.  The email was a claim for school fees that the Claimants had failed to pay to the solicitors’ client school and the email only contained the Claimants' names and address, the invoice and their statement of account for the past five years.  The level of school fees was publicly available on the school’s website.  The recipient of the email promptly alerted the solicitors to the error, the solicitors promptly requested they delete the email and the recipient confirmed she had done so.  Master McCloud in the High Court commented:

"What harm has been done, arguably? We have here a case of minimally significant information, nothing especially personal such as bank details or medical matters, a very rapid set of steps to ask the incorrect recipient to delete it (which she confirmed) and no evidence of further transmission or any consequent misuse (and it would be hard to imagine what significant misuse could result, given the minimally private nature of the data). We have a plainly exaggerated claim for time spent by the Claimants dealing with the case and a frankly inherently implausible suggestion that the minimal breach caused significant distress and worry or even made them 'feel ill'. In my judgment no person of ordinary fortitude would reasonably suffer the distress claimed arising in these circumstances in the 21st Century, in a case where a single breach was quickly remedied."

He therefore dismissed the case, as "the law will not supply a remedy in cases where effectively no harm has credibly been shown or be likely to be shown".  For good measure he ordered the Claimants to pay the Defendants' legal costs on the indemnity basis, with an interim payment on account of £12,000.

In Johnson v Eastlight Community Homes Ltd [2021] EWHC 3069 a data breach claim was made in the High Court for damages of £3,000, where the Claimants' solicitors claimed to have already incurred £15,000 in costs and estimated the total costs to be just in excess of £50,000!  The data breach occurred when a provider of low-cost social housing emailed the Claimant’s rent statement to a third party, who notified the Defendant immediately and deleted it as requested within 3 hours.  Slightly more plausibly than in Mr Rolfe's case, the Claimant had moved home to escape an abusive partner and claimed to be anxious about her new address becoming known to her former partner.  But, as Master Thornett noted in his judgment, bringing a public court claim over the matter with no attempt to withhold her address seemed contrary to this claimed subjective response to the Defendant’s disclosure.  He concluded that "By a very narrow margin… I am satisfied that the real point in this case is whether the Claimant's entitlement is to purely nominal or instead extremely low damages.  It is never going to be much more, a point that surely was (or ought to have been) obvious to the Claimant and her advisors from the outset."  The Master therefore transferred the case to the Small Claims Track in the County Court, where only very small fixed costs are recoverable (if the claim is successful).

Both these cases were decided by Masters in the High Court, so they have little precedent value but are indicative of the way the Courts are dealing with this sort of claim over minimal data breaches.

However, in Richard Lloyd v Google LLC [2021] UKSC 50 the Supreme Court gave judgment in a case claiming damages for a data breach.  This had been brought under the Data Protection Act 1998 (DPA 1998), the predecessor to the GDPR, but the wording of the current Article 82(1) of the UK GDPR is similar to section 13 of the DPA 1998, so the principles should be the same.

Mr Lloyd was attempting (with the backing of a litigation funder) to bring an “opt out” representative class action on behalf of English & Welsh iPhone users against Google for misuse of private information and breach of the DPA 1998 regarding the infamous “Safari Workaround”.  Much of the judgment is about the technicalities of bringing such class actions under English law, which you can’t do (except under the Competition Act).  Mr Lloyd therefore made a clever attempt to use the old Chancery procedure for representative actions, which goes back to the 16th and 17th centuries.  The Supreme Court agreed this was OK in principle, but the reason his class action ultimately failed was the need for each claimant represented to establish individual loss for the data breach.  Damages for distress were recoverable in principle for data breaches, but different iPhone users would have suffered different amounts of distress, making the case unsuitable for such a representative action.

Mr Lloyd attempted to get round this by claiming a uniform sum of £750 per person.  If multiplied by the number of people he claimed to represent, this would have made the claim worth about £3 billion (which was why this case ended up in the Supreme Court).  He justified this on various bases, including that it was an irreducible minimum harm suffered by every member of the class due to "loss of control" of their data, or that it was “user damages” assessed as an agreed fee for allowing Google to process the personal data.  He won on the loss of control point in the Court of Appeal, but Lord Leggatt, giving the unanimous judgment of the Supreme Court, carefully considered all these arguments and rejected them.  A claim for damages under the DPA 1998 required proof of either material damage (in the sense of some identifiable physical or financial loss) or distress, which had to be distinct from, or caused by, the unlawful processing.

What can we learn from these cases?  A claim by a data subject against a data controller for a data breach involving their personal data is certainly possible, but some actual loss or genuine distress must be proved in order to recover damages.

In cases of minor breaches where the data is not particularly sensitive and the breach has been cured, such loss or distress will be difficult to prove, and even where there is an arguable case it will be a matter for the County Court, where recovery of legal costs will be limited.  The sort of speculative letters that have been written by some claimant solicitors to frighten defendants into settling should therefore be firmly rebutted.

The more serious data breaches (such as where large companies fail to protect consumers’ credit card details from hackers or abuse their data for commercial purposes) are another matter, but even then each claimant will need to establish the loss and distress they have personally suffered, which individually may not be great.  The Supreme Court indicated a bifurcated representative action would be possible, where the representative claimant establishes liability and then members of the class can claim to establish their individual damages.  But there would still be difficulties in arranging funding for such litigation and persuading individual data subjects to bring claims for what may be relatively small amounts with a greater risk of costs.

This may give the impression that there is no real sanction for data breaches.  But the Information Commissioner’s Office still has the power to impose substantial fines under the UK GDPR and reputational damage remains a real concern.

Monday 4 October 2021

Conflicting Decisions Upheld on Appeal

You might think that if two different employees challenged an employer’s policy on retirement age on grounds of age discrimination before different Employment Tribunals and the two Tribunals reached opposite conclusions as to whether it was discriminatory, the point of a joined appeal of the two cases to the Employment Appeal Tribunal ("EAT") would be to decide which Tribunal was right, so the employer and its staff would know where they stood in future.

However, you would be wrong.  Employment Tribunals have a wide discretion to decide cases on the facts, based on the evidence before them, and the EAT can only overturn their decisions if they have made an error of law or have reached a decision which is perverse on the facts.  If two different Tribunals have reached different conclusions regarding the same retirement scheme on the basis of differing evidence and both have applied the law correctly and come to reasonable (though different) conclusions, then the EAT cannot interfere.

That is what happened in the cases of Pitcher v University of Oxford and St John’s College, Oxford and Ewart v University of Oxford.  The University, and St John’s College, had adopted an Employer Justified Retirement Age ("EJRA") of 67, with a procedure for applying for extensions to the retirement date and subject to future review of the scheme.  The stated aims of the EJRA included (1) promoting inter-generational fairness; (2) facilitating succession planning (in the sense of knowing when vacancies could be expected to arise); and (3) promoting equality and diversity.  The Tribunals also found that these three aims helped achieve a further over-arching objective of safeguarding high academic standards.  These were all upheld as legitimate aims which could be used to justify what would otherwise be direct age discrimination, but the University also had to show that the EJRA was justified as being a proportionate method of achieving those legitimate aims.  This is where the evidence presented to the two Tribunals, and so the conclusions they reached, differed.

Professor Pitcher was an Associate Professor of English Literature.  His application for an extension when he reached 67 was refused by the University and St. John’s College, and he was compulsorily retired.  The Tribunal in his case considered the evidence of the factors considered in establishing the scheme and its first 3 years of operation, and found the EJRA was justified.

Professor Ewart was an Associate Professor in Atomic and Laser Physics. He succeeded in obtaining a two year extension to his retirement age, but his application for a second extension was refused.  Crucially, he submitted in evidence his own statistical analysis of the increase in vacancies as a result of the EJRA, which showed that it was only a trivial 2-4%.  The University had not carried out its own analysis and did not submit any evidence of its own as to the effect of the EJRA in increasing vacancies.  As the legitimate aims were to create vacancies for a younger, more diverse cohort of academics, the Tribunal in Prof. Ewart’s case found that the discriminatory effect was disproportionate to the extent to which the legitimate aims were achieved, and therefore found the EJRA was not justified.

Prof. Pitcher was therefore not discriminated against, but Prof. Ewart was - by the operation of exactly the same scheme.  The fact that Prof. Ewart obtained one extension was not material (and if anything you might think that made his case less discriminatory).

The EAT could find nothing wrong with the decision of either Tribunal on the basis of the evidence before them on the crucial issue of justification, and therefore upheld both decisions, despite their conflicting results.

This shows the limitations of appeals.  But where does it leave the University, or indeed other employers trying to decide how to implement non-discriminatory retirement policies?

Well, it seems Prof. Ewart had the better evidence.  Being a science Professor clearly helped here.  So, unless the University can produce a better statistical analysis which does show it is achieving its aims, it will need to rethink its retirement policy.

For other employers, the aims of inter-generational fairness, succession planning and promoting equality and diversity have all been upheld as legitimate ones, and safeguarding high academic standards could be rephrased as safeguarding high standards of performance in other appropriate industries (e.g. in law firms).  But the tricky question remains of how you implement them in a proportionate manner.  Monitoring the scheme you do adopt and carrying out some statistical analysis, and amending the scheme based on the results, appears to be one way of doing it.  I do wonder though how many such schemes will achieve results significantly better than a 4% increase in vacancies becoming available for younger generations?

Tuesday 20 April 2021

Mr Green hits the Jackpot

The case of Green v Petfre (Gibraltar) Ltd (t/a Betfred) hit the headlines recently, when Andrew Green succeeded, after a 3 year battle, in recovering his winnings of £1,722,500.24 from a game on Betfred’s online casino.

Mr Green played a game called ‘Frankie Dettori's Magic Seven Blackjack’, in which he could place side bets on ‘trophy cards’.  The game was licensed to Betfred by Playfair in Gibraltar and (unknown to the parties) a software error stopped the game resetting as intended, so that Mr Green ended up with many more trophy cards than he should have.  The chance of a player achieving the jackpot of 7777 times the side bet stake should have been 0.00018361%, but Mr Green had won the jackpot three times before he eventually stopped betting at 5:58 am.  When Mr Green attempted to cash in his virtual chips, Betfred investigated and eventually refused to pay out, citing various exclusions of liability in their online terms and conditions.

Mr Green eventually obtained summary judgment from Mrs Justice Foster in the High Court to strike out Betfred’s defence based on the terms and conditions as having no realistic prospect of success.  Apart from the interesting facts of the case, it also provides a useful illustration of the Courts’ approach to online terms and conditions in a consumer case.

The Betfred terms and conditions were accepted by Mr Green clicking an ‘Accept’ box when he first opened an account with Betfred several years previously.  There was no dispute about their acceptance – Mr Green was even suing on one of the terms and conditions to recover his winnings.  The problem was whether the particular exclusions on which Betfred relied were effective.

The full terms and conditions here consisted of the Terms and Conditions, which were 32 pages long (if printed), an End User Licence Agreement of 9 pages and Game Rules for the particular game of 6 pages.  The Terms and Conditions document in particular was poorly drafted, with what the judge described as a number of infelicities of presentation. It was iterative and repetitive, in places the numbering was absent or inconsistent and it contained typographical mistakes.  The frequent use of capitalisation of whole clauses served, in the judge’s view, to obscure rather than highlight key provisions.

The judge’s conclusions were that:

  • As a matter of contractual interpretation the wording of none of the exclusions relied upon by Betfred was sufficient to exclude liability for the particular error that occurred.  Their meaning was unclear, but they appeared to be directed to hardware or communications errors, rather than a behind-the-scenes software error of this kind.  What happened was possible if the game were functioning correctly – just very, very unlikely.
  • The manner in which the exclusion clauses were presented and Betfred’s failure adequately to draw them to Mr Green’s attention meant that they were not incorporated in the contract.  Although it is unlikely a punter would ever read these clauses, they needed to be drafted so as to bring them to his attention if he did.
  • As this was a consumer contract under the Consumer Rights Act 2015, Betfred was not entitled to rely on the exclusions because they were not transparent or fair.

The exclusions therefore failed for three different reasons.  In addition, Betfred’s defence based on the doctrine of mistake also failed, because any mistake did not render the contract incapable of performance, just less advantageous to one party.

Cases like this always turn on their particular facts, but this case shows the dangers of poorly drafted terms and conditions, particularly when dealing with a consumer.  When drafting, you need to think carefully about exactly what liability your client wishes to exclude, draft clearly to cover it and signpost it to the reader.  If you must use CAPITALS, do it very sparingly or they could well be counter-productive.  When you have done all this, you may well have satisfied the transparency requirement of the Consumer Rights Act, but you will still have to persuade a Court that the exclusion is fair.  Maybe a clearly drafted exclusion of liability for obvious software errors would be fair, but it seems trickier to argue that it would be fair to exclude an error like this, which produced a possible but highly unlikely result.  The punter will simply assume it is his lucky day, rather than that it must be a software error.

What we don’t know is whether Playfair’s business-to-business exclusions of liability in their contract with Betfred proved effective.