Friday 26 November 2021

Are Damages Claims for Data Breaches Viable?

Claiming damages for data breaches has become one of the latest litigation bandwagons.  But recent cases show that it is not as easy to claim compensation for data breaches as some claimant solicitors and litigation funders may like to assert.

In Rolfe and others v Veale Wasbrough Vizards LLP [2021] EWHC 2809 the High Court summarily dismissed a claim against a firm of solicitors over an email sent to the wrong recipient (with a one-letter difference in the email address) on the basis that no harm had credibly been shown.  The email was a claim for school fees that the Claimants had failed to pay to the solicitors’ client school and the email only contained the Claimants' names and address, the invoice and their statement of account for the past five years.  The level of school fees was publicly available on the school’s website.  The recipient of the email promptly alerted the solicitors to the error, the solicitors promptly requested that she delete the email and the recipient confirmed she had done so.  Master McCloud in the High Court commented:

"What harm has been done, arguably? We have here a case of minimally significant information, nothing especially personal such as bank details or medical matters, a very rapid set of steps to ask the incorrect recipient to delete it (which she confirmed) and no evidence of further transmission or any consequent misuse (and it would be hard to imagine what significant misuse could result, given the minimally private nature of the data). We have a plainly exaggerated claim for time spent by the Claimants dealing with the case and a frankly inherently implausible suggestion that the minimal breach caused significant distress and worry or even made them 'feel ill'. In my judgment no person of ordinary fortitude would reasonably suffer the distress claimed arising in these circumstances in the 21st Century, in a case where a single breach was quickly remedied."

He therefore dismissed the case, as "the law will not supply a remedy in cases where effectively no harm has credibly been shown or be likely to be shown".  For good measure he ordered the Claimants to pay the Defendants' legal costs on the indemnity basis, with an interim payment on account of £12,000.

In Johnson v Eastlight Community Homes Ltd [2021] EWHC 3069 a data breach claim was made in the High Court for damages of £3,000, where the Claimant's solicitors claimed to have already incurred £15,000 in costs and estimated the total costs to be just in excess of £50,000!  The data breach occurred when a provider of low-cost social housing emailed the Claimant’s rent statement to a third party, who notified the Defendant immediately and deleted it as requested within 3 hours.  Slightly more plausibly than in Mr Rolfe's case, the Claimant had moved home to escape an abusive partner and claimed to be anxious about her new address becoming known to her former partner.  But, as Master Thornett noted in his judgment, bringing a public court claim over the matter with no attempt to withhold her address seemed contrary to this claimed subjective response to the Defendant’s disclosure.  He concluded that "By a very narrow margin… I am satisfied that the real point in this case is whether the Claimant's entitlement is to purely nominal or instead extremely low damages.  It is never going to be much more, a point that surely was (or ought to have been) obvious to the Claimant and her advisors from the outset."  The Master therefore transferred the case to the Small Claims Track in the County Court, where only very small fixed costs are recoverable (if the claim is successful).

Both these cases were decided by Masters in the High Court, so they have little precedent value but are indicative of the way the Courts are dealing with this sort of claim over minimal data breaches.

However, in Richard Lloyd v Google LLC [2021] UKSC 50 the Supreme Court gave judgment in a case claiming damages for a data breach.  This had been brought under the Data Protection Act 1998 (DPA 1998), the predecessor to the GDPR, but the wording of the current Article 82(1) of the UK GDPR is similar to section 13 of the DPA 1998, so the principles should be the same.

Mr Lloyd was attempting (with the backing of a litigation funder) to bring an “opt out” representative class action on behalf of English & Welsh iPhone users against Google for misuse of private information and breach of the DPA 1998 regarding the infamous “Safari Workaround”.  Much of the judgment is about the technicalities of bringing such class actions under English law, which you can’t do (except under the Competition Act).  Mr Lloyd therefore made a clever attempt to use the old Chancery procedure for representative actions, which goes back to the 16th and 17th centuries.  The Supreme Court agreed this was OK in principle, but the reason his class action ultimately failed was the need for each claimant represented to establish individual loss for the data breach.  Damages for distress were recoverable in principle for data breaches, but different iPhone users would have suffered different amounts of distress, making the case unsuitable for such a representative action.

Mr Lloyd attempted to get round this by claiming a uniform sum of £750 per person.  If multiplied by the number of people he claimed to represent, this would have made the claim worth about £3 billion (which was why this case ended up in the Supreme Court).  He justified this on various bases, including that it was an irreducible minimum harm suffered by every member of the class due to "loss of control" of their data, or that it was “user damages” assessed as an agreed fee for allowing Google to process the personal data.  He won on the loss of control point in the Court of Appeal, but Lord Leggatt, giving the unanimous judgment of the Supreme Court, carefully considered all these arguments and rejected them.  A claim for damages under the DPA 1998 required proof of either material damage (in the sense of some identifiable physical or financial loss) or distress, which had to be distinct from, or caused by, the unlawful processing.

What can we learn from these cases?  A claim by a data subject against a data controller for a data breach involving their personal data is certainly possible, but some actual loss or genuine distress must be proved in order to recover damages.

In cases of minor breaches where the data is not particularly sensitive and the breach has been cured, such loss or distress will be difficult to prove, and even where there is an arguable case it will be a matter for the County Court, where recovery of legal costs will be limited.  The sort of speculative letters that have been written by some claimant solicitors to frighten defendants into settling should therefore be firmly rebutted.

The more serious data breaches (such as where large companies fail to protect consumers’ credit card details from hackers or abuse their data for commercial purposes) are another matter, but even then each claimant will need to establish the loss and distress they have personally suffered, which individually may not be great.  The Supreme Court indicated a bifurcated representative action would be possible, where the representative claimant establishes liability and then members of the class can claim to establish their individual damages.  But there would still be difficulties in arranging funding for such litigation and persuading individual data subjects to bring claims for what may be relatively small amounts with a greater risk of costs.

This may give the impression that there is no real sanction for data breaches.  But the Information Commissioner’s Office still has the power to impose substantial fines under the UK GDPR and reputational damage remains a real concern.