The extent to which damages can be claimed in the event of a data breach has been a hot topic over the last few years, with a particular focus on what compensation is available for smaller breaches where an individual doesn’t suffer material loss.
Claimants must demonstrate that there has been a breach of one of the many and varied obligations set out in UK data protection law. Data breach cases are often based on the personal data of an individual having been compromised, usually in circumstances where the data has been accessed by, or provided to, an unauthorised third party. However, the real battleground has not been whether there has been a breach, but rather whether that breach has caused harm and what compensation (if any) should be paid.
The direction of travel in this area has seen it become increasingly difficult for claimants to bring claims where there is no real evidence of loss. The recent case of Farley v Paymaster provides further guidance on this topic and might be a further nail in the coffin for trivial data breach claims. It would be incorrect to say that it is a final nail in the coffin, but it reinforces the high threshold for successfully pursuing data breach damages claims.
This article looks at the key cases for data breach claims to date and considers the impact of the Farley v Paymaster case. It also considers whether English Courts are diverging from EU Courts on this issue and what is next for data breach claims.
In the salient case of Lloyd v Google it was clarified that the mere loss of control of personal data was not a compensable harm, and that claimants must evidence that they have suffered material damage or non-material damage in order to claim compensation.
The court also established the key principle that non-material damage in data breach cases is subject to a threshold of seriousness. In other words, claims must exceed a minimum threshold of seriousness before claimants can claim compensation for a data breach. Minimal harm resulting from trivial breaches should not be compensated. This principle has since been applied, leading to the dismissal of a number of low-value data breach cases.
In the Rolfe v WVW case, which concerned a minor data breach claim, summary judgement was granted to the defendant on the basis that the ‘trivial’ breach had not resulted in damage or distress over the de minimis threshold. It was also held that low-level data breach claims are not suitable for the High Court, a point which was again highlighted in the Stadler v Currys case.
In the Stadler v Currys case, it was made clear that low-value data breach claims should be dealt with proportionately, and thus the case was transferred from the High Court to the County Court following on from Rolfe.
However, Stadler also illustrated that the courts are averse to claimants unnecessarily over-complicating low-value data breach claims by adding in multiple, overlapping causes of action, such as misuse of private information, breach of confidence and negligence. This practice distorts the value of the claim, so that it can move from the small track to the fast/multi track where costs can soar and are more likely to be recoverable.
In the Johnson v Eastlight case, the judge found that there was no basis for the multiple-limbed data breach claim to have been issued in the High Court, given its low value.
All of these decisions mean that it is increasingly difficult for data breach damages claims to succeed unless there is evidence of actual harm being suffered. However, that hasn’t necessarily resulted in a downturn in claims or a reduction in the wide range of causes of action pleaded.
In the Farley v Paymaster case, 474 current and former Sussex police officers brought claims against a pension administrator for breach of data protection legislation, when the administrator erroneously sent their annual pension statements to out-of-date addresses.
The pension statements contained personal data, including names, dates of birth, national insurance numbers, salary and pension details. The claimants alleged that the sending of the statements to out-of-date addresses where unknown third parties would receive them constituted unlawful processing of data, which caused them non-material harm.
The court held that, for the vast majority of claimants, there was no viable claim for a data protection breach. The claimants needed to demonstrate that their personal data had been unlawfully processed and the court held that in order to do this they needed to establish a real prospect of demonstrating that their pension statement had been opened and read by a third party. It was not sufficient that the claimants could prove that the pension statements had been mis-addressed - i.e. that their information was merely at risk of being unlawfully processed - they had to prove that it had actually been unlawfully processed.
The majority of claimants could not prove that the personal data contained in their pension statements had been read by a third party, leading the judge to strike out or dismiss 460 of the claims. Only 14 claims will proceed to trial, where they may still be dismissed for failure to meet the threshold for seriousness.
As well as reinforcing the position that the courts have adopted to date on damages claims, the Farley v Paymaster case also illustrates that in data breach cases, the burden of proof is on the claimant to establish that their personal data was accessed by an unauthorised third party. This may be a very high hurdle to overcome.
As set out above, the clear trend developing from caselaw in the UK is that an infringement of data protection law does not automatically trigger a right to compensation. In order to establish a viable data breach claim, claimants must prove that the contravention of data protection law caused them harm.
However, the recent EU case of UI v Österreichische Post AG should also be borne in mind when considering whether there is a minimum threshold of seriousness for non-material damage in data breach cases. In this case, the Court of Justice of the European Union considered a low-value data breach claim for compensation and concluded that the EU General Data Protection Regulation (GDPR) does not contain a requirement to reach a certain threshold of seriousness. In addition to this, the court concluded that it would be contrary to the meaning of ‘damage’ under Article 82 of the EU GDPR, to imply such a threshold given that it expressly includes non-material damage.
There is a risk that this case may encourage claimants in EU countries to bring data breach claims even where they have suffered minimal harm. Of course, this EU case is not binding in the UK, so the current threshold of seriousness will remain relevant to English courts for the time being. However, it does raise the question of whether the English courts will once again consider whether a threshold of seriousness is appropriate.
It is clear that in order to establish a viable claim for data breach compensation in the UK, claimants must establish that there has been a breach of data protection legislation, with those alleging unlawful processing of their personal data having to provide evidence of such processing. Additionally, claimants must evidence that they have suffered material or non-material damage as a result of the contravention and, at least in the English courts, claimants alleging non-material damage must surmount a minimum threshold of seriousness.
Whilst there is a trend, this is still a developing area of data protection law that litigators, businesses and data subjects alike should monitor closely. A trial date is awaited for the 14 surviving claims from the Farley v Paymaster case where the court is expected to further consider the key issues of non-material damage and the threshold of seriousness.
Further, whilst a large number of cases were dismissed, the Farley v Paymaster case serves as a pertinent reminder that businesses must ensure compliance with data protection legislation and implement robust data security measures in order to minimise the risk of data breaches and subsequent litigation. It also highlights the importance of businesses ensuring that their databases are regularly maintained and managed in order to avoid inadvertent disclosure of personal data.
The Ministry of Defence was recently issued a fine by the Information Commissioners Office of £350,000, which was reduced from £700,000 given that the Ministry of Defence is a government body. This emphasises that in the event of a serious data breach businesses will not just face damages claims from affected individuals, but could also be hit with significant fines from the Information Commissioners Office.
For further information, please contact Ashfords’ privacy and data team.
We produce a range of insights and publications to help keep our clients up-to-date with legal and sector developments.
Sign up
