As the world becomes ever more digital, the once arcane subject of data protection has come of age. Businesses are alive to the great opportunities and major risks posed by data. Consumers have woken up to the vast fortunes the tech giants are making through exploitation of customer data, and to their rights under the GDPR to control their own data.
At the same time, a wave of cybercrime and ransomware attacks continues to threaten businesses and governments around the world.
Growing consumer awareness coupled with a riskier online landscape has led to an explosion in data protection litigation. A phalanx of law firms, offering to act on a no-win, no-fee basis, has emerged to facilitate claims against companies which are accused of misusing individuals’ personal data.
But with legal costs often outweighing the compensation being sought by a factor of ten or more, and claims being pursued for the most trivial of incidents, there was a sense that the litigation landscape was out of kilter with the realities of modern life and that proportionality had been lost.
A series of decisions in the English courts suggest this is changing and the heyday of the data breach claim may be behind us.
How did we get here?
In the years following the introduction of the Data Protection Act 1998 (DPA 1998), awards of damages for breaches of the Act were relatively rare and the compensation awarded was low. In the 2010s, this started to change and the trickle of claims became a flood.
In Halliday v Creation Consumer Finance Ltd [2013] EWCA Civ 333, the claimant was awarded £750 following the wrongful disclosure of information to a credit reference agency. Although the impact of the breach was minor, the Court of Appeal decided that a modest damages award was justified to mark the “frustration” it had caused. £750 was subsequently adopted (without much justification) as an unofficial benchmark for damages for minor breaches which cause some, but not much, distress.
The principle that damages were available for distress alone under the DPA 1998 was put beyond doubt by the Court of Appeal’s landmark decision in Vidal-Hall v Google [2015] EWCA Civ 311.
The next milestone came in May 2015 with the case of Gulati and others v MGN Ltd [2015] EWHC 1482 (Ch), when the High Court awarded damages of between £85,000 and £260,000 to eight claimants who had been victims of phone hacking carried out by the Mirror Group. Although this was a misuse of private information claim, rather than a data protection claim, its impact on the data protection landscape was huge. Firstly, the size of the damages awarded represented a step change for privacy actions. Secondly, the Court recognised that damages were available for “loss of privacy or autonomy”; that is, claimants should be compensated not simply for distress or material damage suffered but also for the loss of their right to control the use of their private information. The principles in Gulati, so claimants went on to argue, should apply equally in data protection claims.
In 2016, a group of claimants were awarded damages of between £2,500 to £12,500 for the severe mental distress they suffered after the Home Office mistakenly published the personal data of applicants for asylum or leave to remain (TLT v Secretary of State for the Home Department [2016] EWHC 2217 (QB)). In some quarters, this decision was viewed as endorsing large damages awards for data breaches, even though the circumstances were in fact extreme and unusual, with the claimants left fearing for their safety following the breach.
Then came Lloyd v Google, a representative claim brought by Richard Lloyd on behalf of 4.4 million iPhone users. Mr Lloyd alleged that Google breached its duties as a data controller by collecting the personal information (such as age, location and browsing activity) of iPhone users running Apple’s Safari browser, without their consent.
The High Court refused permission to allow the claim to proceed but the Court of Appeal overturned this decision. In a controversial decision, it applied Gulati to data protection claims and held that individuals could recover damages for mere loss of control of their data, even if they had not suffered financial loss or distress.
In 2018, the GDPR and Data Protection Act 2018 came into force, increasing the obligations on data controllers and strengthening the rights of data subjects.
By 2019, the legal landscape provided fertile soil for data breach claims to proliferate:
- The GDPR and Data Protection Act 2018 provided a comprehensive legislative framework for data protection, which put weighty obligations on data controllers.
- There was a relative shortage of case law on the proper size of damages in data breach claims, distorted by a handful of disproportionately large awards, and little judicial commentary on what type of breaches merit compensation.
- Claimants could claim damages for “loss of control” of data without the need to prove tangible loss.
- The conflation of misuse of private information and breach of the Data Protection Act meant that multiple causes of action could be pleaded in relation to the same breach, ramping up complexity, cost and risk for defendants.
Turning the tide
With the conditions just right, data breach claims duly multiplied, even for the most minor of breaches. However, a series of recent decisions suggest that we may be turning a corner.
The Supreme Court throws out “loss of control” damages
In November 2021, the Supreme Court reversed the Court of Appeal’s decision in Lloyd v Google. The judgment has been widely reported (you can read Addleshaw Goddard’s article discussing it here). In a nutshell, Mr Lloyd’s ability to bring a representative action would stand or fall on his argument that all the affected individuals whom he was representing had the “same interest” in the claim because they had all suffered the same baseline damage. He argued that, regardless of any distress individuals may have suffered (which could only be assessed on an individual basis), they had all suffered the same loss of control of their data and were all entitled to compensation for this, on a lowest common denominator basis.
The Supreme Court decisively rejected this argument. Sidestepping the policy arguments which had raged since the Court of Appeal’s decision, the Supreme Court analysed the wording of the DPA 1998 and ruled that it did not allow for compensation for “loss of control” of data. Claimants must show they have suffered some loss as a result of the breach, be that financial loss or distress.
The end of group actions?
Mr Lloyd’s claim was a representative action, a form of “opt-out” group action. As the Supreme Court explained, the strictures of this procedure make its use in mass data breach claims effectively impossible unless claimants take a two-stage approach and use a representative action to obtain a declaration of liability, with individual damages claims to follow. The Supreme Court itself raised doubts about the economic viability of such a course.
It remains open to claimants to pursue “opt-in” claims by way of a Group Litigation Order. This was the course chosen by the claimants in Various Claimants v Morrisons [2020] UKSC 12. That claim also failed because the Supreme Court found that Morrisons, the data controller, was not vicariously liable for the actions of a rogue employee who had set out to actively harm his employer. The fact that the claim was a group action was not the reason it failed, although it is interesting to note that of the c.126,000 individuals affected by the incident, only c.9,000 joined the group, which perhaps demonstrates the difficulty in generating sufficient interest among data subjects to make an opt-in collective claim viable.
Stemming the flow of claims
Lloyd v Google and Morrisons can be seen as part of a wider trend. A series of recent High Court decisions have raised the bar for damages recovery for data breaches, with the litigation tactics of the claimant firms coming under particular scrutiny.
Firstly, the High Court has confirmed that companies which suffer cyber-attacks are not liable for claims in misuse of private information or breach of confidence (Warren v DSG Retail Limited [2021] EWHC 2168 (QB)). The reasoning is simple: when data is exfiltrated from a company as a result of a criminal hack, there has been no misuse of the data by the company. The only potentially viable claim is under the UK GDPR. This reaffirms the principle that data controllers have no tortious duty to protect data, beyond the scope of the UK GDPR.
The decision is significant because it means claimants can no longer take advantage of the procedural quirk which allows for recovery of the premiums for after-the-event (ATE) insurance policies, which cover potential liability for an opponent’s legal costs. Premiums can be recovered from opponents in misuse of private information and breach of confidence claims, but not claims under data protection legislation. Obtaining ATE insurance at an early stage was a key tactic for claimant lawyers as it removed cost risk from their clients and increased the defendant’s exposure, making settlement more likely. When it comes to cyber-attack claims, this tactic is no longer available.
Secondly, the courts are showing growing impatience with low value data breach claims being brought in the High Court, with little to no attempt being made to prove distress.
In Rolfe v Veale Wasbrough Vizards [2021] EWHC 2809 (QB), the Court struck out a claim for damages arising from a single email about late school fees which was accidentally sent to the wrong recipient. The Court gave the claim for alleged distress short shrift, in comments which may echo many data protection officers’ views on the spurious claims which pass their desks:
What harm has been done, arguably? We have here a case of minimally significant information, nothing especially personal such as bank details or medical matters, a very rapid set of steps to ask the incorrect recipient to delete it (which she confirmed) and no evidence of further transmission or any consequent misuse (and it would be hard to imagine what significant misuse could result, given the minimally private nature of the data). We have a plainly exaggerated claim for time spent by the Claimants dealing with the case and a frankly inherently implausible suggestion that the minimal breach caused significant distress and worry or even made them ‘feel ill’. In my judgment no person of ordinary fortitude would reasonably suffer the distress claimed arising in these circumstances in the 21st Century, in a case where a single breach was quickly remedied.
There is no credible case that distress or damage over a de minimis threshold will be proved. In the modern world it is not appropriate for a party to claim (especially in the High Court) for breaches of this sort which are, frankly, trivial.
Where claims are not struck out, the High Court has indicated that they belong in the County Court, and should probably be dealt with in the small claims track. In Budge v Denbighshire County Council [2020] EWHC 3890 (QB) and Johnson v Eastlight Community Homes Limited [2021] EWHC 3069 (QB), claims concerning the accidental disclosure of data by email were transferred to the County Court. In both cases, the judges criticised the costs incurred by the claimants. In Johnson, the judge had harsh words for the claimant’s approach to the litigation and decision to sue in the High Court, which “constituted a form of procedural abuse”.
The future
Where does this raft of case law leave us? In little more than a year, the landscape looks quite different:
- Claimants must prove credible distress or financial loss or their claims will not get off the ground.
- Claimants cannot pile on causes of action in claims relating to cyber-attacks – the only proper claim is a claim under the UK GDPR and Data Protection Act 2018.
- Claimants will not be able to recover ATE insurance premiums in cyber-attack cases.
- Group actions by way of the representative claim procedure will almost certainly not be possible.
- High Court litigation will be the exception rather than the norm. Most low value data breach claims should be litigated in the small claims track of the County Court, meaning recovery of costs from the unsuccessful party will be rare.
None of this prevents a data subject who has suffered genuine distress or financial loss from obtaining redress. But officious group litigation and speculative claims following minor data breaches now seem much less attractive and, in many cases, will not be economical to pursue.
It is questionable whether it was ever really in data subjects’ interest to bring such claims or whether, as Mr Justice Warby commented in his decision in Lloyd v Google, the “main beneficiaries” of such litigation were the “funders and the lawyers”. Large scale, unlawful exploitation of personal data for commercial gain, of the type Google is alleged to have engaged in, is arguably better tackled through robust regulatory action rather than individual civil litigation.
Finally, legislative change may be on the horizon. Following Brexit, the GDPR has been retained in English law as the UK GDPR but the government has published a proposal for reform of the regime. While the proposals are not radical, they may lessen the burden on data controllers in certain areas.
All in all, 2021 was a good year for data controllers. It will be interesting to see if this trend continues in 2022.
Neil O’Sullivan is an associate in the commercial disputes team at Addleshaw Goddard and advises on reputation and information protection, data protection disputes and intellectual property disputes.