The judgment handed down by the High Court in Rolfe & Ors v Veale Wasbrough Vizards LLP [2021] EWHC 2809 (QB) (Rolfe) gives controllers some much-needed guidance on compensation for low-level data breaches. In summary, the High Court concluded that a single data breach involving a limited amount of personal data was unlikely to cause an individual to suffer distress or be sufficient to form the basis of a claim for damages for distress.

Case summary

The Defendants, Veale Wasbrough Vizards LLP (VWV), accidentally sent an email intended for the First and Second Claimants to a third party. The email attached a request for payment of outstanding school fees and contained a limited amount of the Claimants' personal data, including their names and address.

The Claimants brought a claim for breaches of privacy and data protection law, including misuse of private information, breach of confidence, negligence, and breach of the GDPR and Data Protection Act 2018. Among other remedies, they sought damages for distress and loss of control of their personal data. 

The Defendants admitted the error in sending the email to the unintended recipient but disputed that the incident caused the Claimants to suffer harm in excess of the de minimis threshold. The Defendants argued that the Claimants would not be able to demonstrate loss and therefore sought summary judgment of the claim. The Claimants argued that there was a reasonable prospect that they would be able to show that they had suffered loss in excess of the de minimis threshold and that this was a factual matter for trial.

Outcome

It is possible to recover damages for distress and loss of control of personal data without showing financial loss. However, claimants must be able to show that they have actually suffered loss or damage, and that the amount of loss or damage is more than 'de minimis', meaning it must not be trivial.

The question before the High Court, applying the test for summary judgment, was: given (i) the nature of the breach, (ii) the nature of the information, (iii) the steps taken to mitigate the breach, and (iv) the material before the High Court, was it more than fanciful to suppose either that actual loss was suffered or that distress was suffered above the de minimis level?

The High Court held that there was no credible case that the Claimants would prove that the incident caused them to suffer distress or damage over the de minimis threshold. The incident was not capable of causing "a person of ordinary fortitude" in the modern world to suffer the losses claimed, which had been exaggerated. Summary judgment was awarded to the Defendants and the Defendants were awarded their costs.

What can we take from the decision?

The decision provides welcome and reassuring guidance for data controllers and processors facing claims for damages and costs resulting from alleged data protection breaches. Claimants seeking damages for alleged data protection breaches will often rely on the principle that damages can be recovered for distress alone, and will claim to have suffered serious distress as a result of what can seem to be a minor alleged breach. This can lead to claimants claiming large sums in damages and attempting to recover their legal costs from prospective defendants. We have commented on the impact of the High Court's decision on typical points of dispute below. 

  1. Allocation

Claims for breaches of data protection law may be started in either the High Court or the county court. Claimants, attracted by the prospect of recovering their legal costs, are often tempted to issue a claim in the High Court, arguing that the complexity of data protection litigation makes this a suitable choice. Rolfe is the latest in a series of recent cases that reject this argument. It is clear that claims for trivial data protection breaches should not be brought in the High Court.

  2. The de minimis threshold

The principle that would-be claimants can claim damages for distress alone, without demonstrating financial loss, is well established, but parties will typically argue as to whether the loss suffered is sufficiently serious to warrant compensation. The test is whether the loss suffered is 'trivial'. Here the Court confirmed the view from Richard Lloyd v Google LLC [2019] EWCA Civ 1599 that "an accidental one-off data breach that was quickly remedied" will not exceed this threshold. Would-be claimants should be discouraged from the view that a data incident will automatically give rise to a claim for compensation.

  3. Distress in the modern world

It is common for claimants looking to recover damages in respect of an alleged breach of data protection law to claim that the incident caused them to suffer distress. Rolfe confirms that when faced with a claim for distress, the courts will consider whether the incident was likely to cause an individual of reasonable fortitude living in the modern world to suffer distress.

Here, the High Court held that it was implausible that the sending of the email to the unintended recipient could have caused the Claimants significant distress or made the Claimants "feel ill", as was claimed. Master McCloud criticised the Claimants' claim as "plainly exaggerated" and this was taken into account when awarding costs to the Defendants on the indemnity basis.

  4. Relevance of the facts of the case

The relevant factors were that a minimal amount of non-sensitive data was involved; the unintended recipient of the email alerted the Defendants to the issue and deleted the email on request; and the incident was unlikely to lead to further transmission of the data or consequent misuse. The High Court's decision to award summary judgment to the Defendants shows that this case clearly fell under the de minimis threshold, but each claim will be considered on its facts.

  5. The decision in Lloyd v Google

The High Court recognised that the outcome of the appeal in Lloyd v Google (the Supreme Court's decision is pending) may have a bearing on the Claimants' wish to appeal the decision. The Supreme Court is expected to confirm whether claimants can claim damages for loss of control of personal data without having suffered distress. However, in giving judgment in Rolfe, Master McCloud quoted from the Defendants' submissions on loss of control, which were briefly that a claim for loss of control could not be made out on the basis that one third party had briefly had access to low-level personal information before deleting it.  

Conclusion

Each claim will be decided on its own facts and it is unlikely that this decision alone will stem the tide of claimants coming forward to claim damages for data protection breaches. However, this is a welcome High Court decision which forms part of a rapidly developing body of case law (see also our recent analysis of Warren v DSG Retail Ltd and Lloyd v Google LLC) that is helping to delineate the bounds of data privacy compensation claims. At Womble Bond Dickinson our international team of data privacy lawyers has significant experience of strategically defending and pursuing data privacy claims, as well as advising clients on the UK's data protection regime and transatlantic privacy issues.