Data Breach Claims: UK Court Seek Evidence Of Credible Harm Caused - A Welcome Trend In The Assessment Of Non-Material Damages

• Published date: 24 November 2021
• Subject Matter: Privacy, Data Protection
• Law Firm: Ronan Daly Jermyn
• Author: Ms Jennifer Noctor

Since the introduction of GDPR and Article 82(1) GDPR which introduced the concept of non-material damages for an infringement of this Regulation, practitioners have struggled to interpret the provision and if any threshold was required to succeed with a 'data breach claim'. Recital 85 which provides additional information on the article references a number of possibilities (but doesn't differentiate between material and non material) such as loss of control, limitation of rights, discrimination, identity theft, damage to reputation and loss of confidentiality. The controversial issue remains over what level of evidence is required to demonstrate non material loss and whether an infringement per se is sufficient or if demonstrable loss or harm is required. The uncertainty in this area of law has led to a fluctuation of values for these claims and a lacuna between both ends of the spectrum.

There is limited Irish jurisprudence on these issues but two recent judgements in the UK will be of interest to data controllers faced with a damages claim for minor breaches of data protection legislation. These are the recent judgements of Rolfe and others v Veale Wasbrough Vizards [2021] EWHC (QB) and Lloyd v Google LLC [2021] UKSC 50.

The first case relates to an email that was sent by a law firm to the wrong recipient and a subsequent claim for compensation by the correct recipients. The email in question was a demand for payment of school fees. Due to one letter difference in the email address, it went to the wrong recipient.

A claim was made in the High court for damages under Article 82 of the GDPR and section 169 Data Protection Act 2013 citing misuse of confidential information, breach of confidence, and negligence.

The court accepted that in principle damages can be recovered for breaches of data protection regulations and misuse of private information and referred to the principle of loss of control constituting damage as discussed in the second case of Lloyd v Google below.

However, much of the judgement referred to the trivial nature of the breach and the fact that the distress suffered was not plausible. The court stated that the Claimants could not have suffered damage or distress above a de minimis level. The court must look at the reality of the personal information in question and the circumstances in which it was inadvertently sent to one third party.

The court looked at the nature of the personal data and noted that it did not involve health data...