Welcome Guidance From The Court On Defending Minor Data Breach Claims

• Published date: 22 December 2021
• Subject Matter: Privacy, Data Protection, Privacy Protection
• Law Firm: Trowers & Hamlins
• Author: Mr Adam Berman

Since the introduction of the Data Protection Act 2018 (DPA) and the GDPR (now the UK GDPR following Brexit), there has been a significant increase in claims arising from minor personal data breaches.

These claims typically follow a similar pattern.

• A lengthy letter of claim will be sent alleging breaches of the DPA and UK GPDR, as well as breaches of confidence and privacy, and negligence.
• The letter will say that the claimant has suffered distress as a result of these breaches and that the claimant will commence proceedings in the High Court if liability is not admitted and damages paid.
• The letter will also indicate that the claimant has entered into a conditional fee arrangement (CFA) and taken out "after the event" insurance (ATE Policy) so that the claimant will not have to pay their own legal costs, or those of the defendant even if they lose the case. By pursuing a breach of confidence and privacy claim, the claimant can seek to recover the cost of the ATE Policy, whereas this is not possible for claims under the DPA and UK GDPR alone.

There is a rudimentary strategy behind these claims. The claimant has no financial risk because of the CFA and the ATE Policy, whilst the defendant has to incur legal costs from the outset in defending the claim. These costs can quickly become disproportionate to the value of the claim, meaning the defendant will often feel compelled to settle the claim at an early stage for commercial reasons.

Until recently, there has been a lack of case law to encourage organisations to fight these minor data breach claims. Helpfully, that has now changed as a result of the three cases that we discuss below.

In Warren v DSG Retail Ltd [2021] EWHC 2168 (QB), the defendant was the victim of a cyber-attack which resulted in the personal data of its customers being compromised. The claimant duly issued a claim for breaches of the Data Protection Act 1998 (as was the applicable legislation at the time), misuse of private information, breach of confidence and negligence.

However, the Judge struck out the claims for breach of confidence and privacy because there had been no "positive misuse" by the defendant of the claimant's data. Rather, this was the action of a rogue third party. As a result, the claimant lost the ability to recover his ATE Policy, therefore creating a financial barrier and greater degree of risk for claimants who may be contemplating similar claims.

In Rolfe and others v Veale Wasbrough Vizards LLP [2021] EWHC...