The De Minimis Principle In Practice. When Is A Data Breach Too Trivial To Found A Claim: Rolfe And Others V Veale Wasbrough Vizards LLP

Published date: 10 November 2021
Subject Matter: Privacy, Data Protection
Law Firm: 1 Chancery Lane
Author: Mr Ian Clarke

What amount of damage is necessary before a claim for a data breach or for misuse of private information is actionable? In TLT and others v The Home Office [2016] 2217 (QB), Mitting J noted that the threshold was based on the "de minimis principle", but how is that principle to be applied in practice? In a short and helpful judgment, Master McCloud provided some guidance on the question in Rolfe and others v Veale Wasbrough Vizards LLP [2021] EWHC 2809 (QB).

The Defendant acted for a school in a fees dispute with the Claimants. On 17 July 2019 the Defendant sent an email to the child's parents that consisted of a letter requesting the payment of fees along with a statement of account. However, the sender of the email mistyped the relevant email address, with the consequence that the email was sent to a third party. The recipient responded promptly, saying that they thought that the email had been sent in error. The Defendant quickly responded by asking that the message be deleted. The recipient confirmed that this had been done.

The Claimants thereafter sought damages for misuse of confidential information, breach of confidence, negligence and for damages under s82 of the GDPR and s.169 of the Data Protection Act 2013.

The Defendant sought summary judgment on the basis that any damage caused to the Claimants was too trivial to found a claim.

Master McCloud noted some common ground between the parties at [5]:

"It was common ground that in principle damages can be recovered and other remedies obtained for breaches of data protection regulations and misuse of private information, including simply for the distress caused even absent specific pecuniary loss. See Vidal-Hall v Google [2016] QB 1003. Similarly, it is not in dispute that in principle loss of control of personal data can constitute damage: Lloyd v Google [2020] QB 747".

However, the Court went on to observe that there remained the need for there to be "damage", quoting from Sir Geoffrey Vos in Lloyd:

"I understood it to be common ground that the threshold of seriousness applied to section 13 as much as to MPI [misuse of private information]. That threshold would undoubtedly exclude, for example, a claim for damages for an accidental one-off data breach that was quickly remedied."

At [8] Master McCloud relied upon Ambrosiadou v Coward [2011] EWCA Civ 409, where Lord Neuberger observed:

"Just because information relates to a person's family and private life, it will not automatically be protected...
