Data breach litigation: The High Court gives further guidance on distress-only damages claims

In Stadler v Currys, the High Court awarded summary judgment against a claimant who alleged distress following an inadvertent data breach. Here, Philip Tansley and Kathryn Williamson consider the court's reasoning and the implications of the decision.

Introduction

The High Court has last week handed down yet another useful judgment for defendants facing claims for breach of UK GDPR, misuse of private information, breach of confidence and negligence as a result of a data breach.

In Stadler v Currys Group Ltd [2022] EWHC 160 (QB) the High Court struck out all claims bar that for breach of UK GDPR and transferred the matter to the County Court where it suggested allocation should be to the small claims track.

Case overview

Background

The claim concerned a defective smart television which was returned to the defendant by the claimant for repair. A decision was made to write-off the unit and it was sold on for repair and resale without the defendant performing a factory reset or data wipe. The claimant’s Amazon account was later used by a third party to purchase a film. The claimant brought proceedings for breach of UK GDPR, misuse of private information (“MPI”), breach of confidence (“BoC”) and negligence claiming that the apps which were logged in on the Smart TV would have contained all of the claimant’s personal and financial details. The claimant claimed that as a result of the defendant’s actions, they had suffered psychological distress, anxiety, loss and damage, which had been exacerbated due to the sensitive personal and financial nature of the data accessed by the third party.

Decision

The court applied the recent Warren v DSG Retail decision finding that, for MPI and BoC claims to succeed, wrongful “use” had to be made of the information by the defendant in the form of a positive action (see our earlier article on Warren). In this case the defendant had failed to take positive actions to prevent the MPI and BoC. However neither imposed a positive data security duty on the holder of information. In the present case, the defendant was not making use of the data or information in passing the Smart TV to a third party and there had therefore been no use of the information by the defendant. Applying Warren the Court also struck out the negligence claim on the basis that there is no need to impose a duty of care on a data controller where there are already statutory duties (i.e. under the Data Protection Act 2018 and UK GDPR) and a state of anxiety falling short of a clinically recognisable psychiatric illness does not constitute sufficient damage to found an action in negligence.

The court considered the UK GDPR claim had sufficient prospects of success to avoid being struck out. However, it found that the Supreme Court’s judgment in Lloyd v Google that damages for 'non-trivial' breaches under DPA 1998 are not recoverable unless there is proof of damage or distress appeared to apply equally to claims under Article 82 UK-GDPR and noted another 2021 decision, Rolfe v Veale Wasbrough Vizards LLP, which confirmed that distress claims arising from fear of the unknown, feeling ill and losing sleep worrying about the possible consequences of a data breach were considered to fall below the de minimis threshold for recoverability (see our earlier article on Rolfe).

Comment

This is the latest in a string of cases which suggests that the higher courts have little time for opportunistic data breach claims. There are a few particular points to note:

  • After Warren some claimant firms were seeking to argue that failure to take adequate security measures was a sufficient positive act to found an MPI claim. This argument looks increasingly difficult in light of Stadler which suggests it is wrong to conflate the measures taken to protect private information with misuse of the information itself, so inadequate security measures will not be enough to found an MPI claim as they do not involve the ‘use’ of data.
  • Post Lloyd v Google claimants have been arguing that the decision that damages for “loss of control” are not recoverable per se does not apply to claims under the DPA 2018 (as opposed to the DPA 1998 which Lloyd considered) (see our earlier article on Lloyd). Whilst the court did not address this issue, its willingness to read across the Supreme Court’s findings about the recoverability of trivial losses to a claim under the DPA 2018 suggests this argument may be difficult.

    Whilst there is still no definitive guidance on the level of quantum that is recoverable in small data breach claims, the court commented that this was a “very low-value claim” worth “that might end up being worth just a few hundred pounds”.

For further information or advice on data breaches please contact Philip Tansley.

Disclaimer

This information is for educational purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given. © Shoosmiths LLP 2024.

Insights

Read the latest articles and commentary from Shoosmiths or you can explore our full insights library.