The extent to which damages can be claimed in the event of a data breach has been a hot topic over the last few years, with a particular focus on what compensation is available for smaller breaches where an individual doesn’t suffer material loss.
Earlier this year, in the case of Farley v Paymaster, the High Court applied a de minimis threshold to data breach damages claims, ruling that breaches must result in more-than-trivial harm in order for damages claims to proceed. A de minimis threshold is a legal principle used to describe issues that involve minimal or insignificant harm. In this context, a de minimis threshold would mean that claims resulting in trivial harm should be disregarded and would not be awarded compensation.
The general direction of travel in this area has seen it become increasingly difficult for claimants to bring claims in the UK where there is no real evidence of loss. The High Court decision in the Farley v Paymaster case was seen as a high watermark in this regard, until now, following a Court of Appeal judgment in the same case.
The Court of Appeal has reversed the High Court decision, holding that claims for compensation in relation to non-material damage suffered do not need to reach a de minimis threshold of seriousness, thereby significantly increasing the prospect of low value damages claims being pursued.
This article looks at the key cases for data breach claims to date and considers the impact of the latest decision in the Farley v Paymaster case. It also considers what is next for data breach claims and how to mitigate the risk of claims being pursued.
In the salient case of Lloyd v Google it was held that the mere loss of control of personal data was not a compensable harm, and that claimants must evidence that they have suffered material damage or non-material damage in order to claim compensation.
The court also established the key principle that non-material damage in data breach cases is subject to a threshold of seriousness. In other words, claims must exceed a minimum threshold of seriousness before claimants can claim compensation for a data breach. This principle has, until now, been consistently applied, leading to a number of defendant-friendly decisions in low-value data breach cases.
In the Rolfe v WVW case, which concerned a minor data breach claim, summary judgment was granted to the defendant on the basis that the ‘trivial’ breach had not resulted in damage or distress over the de minimis threshold.
It was also held that low-level data breach claims are not suitable for the High Court. It had long been a tactic of data breach damages claims that claimant firms sought to have cases allocated to the fast track or above so that costs could be claimed, without which it would not be viable for claimant firms to take on such claims. The Rolfe v WVW case put an end to that, with the decision being applied in subsequent cases.
In the Stadler v Currys case, it was held that low-value data breach claims should be dealt with proportionately, resulting in the case being transferred from the High Court to the County Court following on from the decision in the Rolfe v WVW case.
However, the Stadler v Currys case also illustrated that the courts are averse to claimants unnecessarily over-complicating low-value data breach claims by adding in multiple, overlapping causes of action, such as misuse of private information, breach of confidence and negligence. This was again a common practice to distort the value or complexity of the claim to justify allocating it to the fast track or above so as to enable costs to be claimed.
In the Johnson v Eastlight case, the judge found that there was no basis for the multiple-limbed data breach claim to have been issued in the High Court, given its low value.
All of these decisions meant that it became increasingly difficult for data breach damages claims to succeed unless there was evidence of actual harm being suffered, with the first instance decision in the Farley v Paymaster case continuing that trend. The question is, has the recent Court of Appeal decision bucked that trend?
In the Farley v Paymaster case, 474 current and former Sussex police officers brought claims against a pension administrator for breach of data protection legislation, when the administrator erroneously sent their annual pension statements to out-of-date addresses.
The pension statements contained personal data, including names, dates of birth, national insurance numbers, salary and pension details. The claimants alleged that the sending of the statements to out-of-date addresses where unknown third parties would receive them constituted unlawful processing of data, which caused them non-material harm.
At first instance, the High Court held that, for the vast majority of claimants, there was no viable claim for a data protection breach. The claimants needed to demonstrate that their personal data had been unlawfully processed and the court held that in order to do this they needed to establish a real prospect of demonstrating that their pension statement had been opened and read by a third party. The court held that it was not sufficient that the claimants could prove that the pension statements had been mis-addressed - i.e. that their information was merely at risk of being unlawfully processed - they had to prove that it had actually been unlawfully processed by being opened.
The majority of claimants could not prove that the personal data contained in their pension statements had been read by a third party, leading the judge to strike out or dismiss 460 of the claims.
Furthermore, the High Court applied a de minimis threshold to the claims, holding that breaches must result in more-than-trivial harm in order for related claims to proceed, and that claims resulting in trivial harm would not be awarded compensation.
The Court of Appeal has now overturned the High Court’s decision, marking a significant development in the landscape for data breach damages claims.
First, the Court of Appeal held that claimants were not required to demonstrate that their personal data had been accessed by a third party. Instead, the fact that the correspondence was incorrectly addressed was sufficient for claimants to demonstrate that their personal data had been unlawfully processed in breach of the UK General Data Protection Regulation (GDPR) and to pursue claims for compensation. That is not a surprising development – it was always difficult to reconcile that element of the first instance decision with data protection legislation.
Second, the Court of Appeal also rejected the High Court’s application of a minimum threshold of seriousness. It was instead held that where a claimant has suffered non-material damage - such as anxiety, distress, alarm or embarrassment - they are not required to reach a minimum level of seriousness in order to seek compensation under article 82 UK GDPR. This approach aligns with recent European GDPR case law, particularly the recent case of UI v Österreichische Post AG in which the Court of Justice of the European Union held that no threshold of seriousness applied to non-material damage.
The Farley v Paymaster case means that it may now be easier for claimants to seek compensation for non-material damage caused by data breaches in the UK. Non-material damage may also include the fear of the consequences of a data breach. However, and importantly, the fear must be objectively well-founded and not merely speculative. This last point is a handbrake on the floodgates being opened and means that there is still a clear scope to defend speculative claims for damages following data breaches.
An important consideration that the decision gives rise to is what to say to data subjects should a data breach occur. Where possible, organisations should notify affected data subjects in a way that provides sufficient details of the breach and the precise remedial steps taken, as well as explaining how and why any risk of harm has been mitigated. By providing such comfort, an organisation can mitigate any fear that can objectively arise and therefore minimise the risk of data subjects claiming that they have suffered well-founded fear of the consequences of a data breach.
For further information, please contact Ashfords’ privacy and data team.