Data breach litigation: welcome guidance on the threshold for distress-only damages claims

In Rolfe v Veale, the High Court awarded summary judgment against claimants who alleged distress following an inadvertent data breach. Here, Philip Tansley and Matthew MacLachlan consider the court's reasoning and the broader implications for such claims.

Introduction

In a recent High Court decision, Rolfe & Ors v Veale Wasbrough Vizards LLP [2021] EWHC 2809 (QB) (“Rolfe”), summary judgment was awarded against claimants who alleged they had suffered distress as the result of an inadvertent data breach.

The case considers a situation which will be familiar to many organisations defending data claims where distress-only damages claims are brought under Article 82 UK GDPR alleging worry and upset but without accompanying evidence of financial loss or medical evidence.

The case provides important guidance on when such claims will fail because they fall below the de minimis threshold for claiming compensation. It also suggests that the courts are taking an increasingly tough line on speculative Article 82 claims which have become increasingly common over the last 12 months (see our earlier article on Warren v DSG).

Case overview

Background

Rolfe concerned a law firm which, due to a typographical error in an email address, sent the claimants’ personal data to an unintended recipient. The personal data comprised the claimants’ address and some financial data (including a statement of account showing the claimants to be in debt and at risk of legal action) but not bank details. The recipient immediately informed the sender that she was not the intended recipient and confirmed that she had deleted the email.

The claimants brought a claim seeking damages for distress under Article 82(1) GDPR (now the UK GDPR) and Section 169(1) Data Protection Act 2018 together with common law actions in breach of confidence, misuse of confidential information and negligence.

The claimants asserted they had suffered distress as a result of the breach, including because “they had lost sleep worrying” about the incident, that it “had made them feel ill” and they were suffering “fear of the unknown” regarding the consequences.

The defendant applied for summary judgment on the basis that the claimants could not have plausibly suffered damage or distress above a de minimis level.

Decision

Master McCloud awarded the defendant summary judgment, holding that:

  • there was a de minimis threshold implicit in the case law which claimants had to show had been exceeded before they could seek distress damages (see in particular: Lloyd v Google [2020] Q.B. 747 (“Lloyd”), per Sir Geoffrey Vos at paragraph 55 and Ambrosiadou v Coward [2011] EWCA Civ 409, per Lord Neuberger MR at paragraph 30);
  • it was “fanciful” to suppose that distress above the de minimis threshold had been suffered as a result of the breach given the data involved and the prompt steps taken to mitigate it;
  • no person of “ordinary fortitude” would reasonably suffer the distress claimed arising in these circumstances in the 21st century; and
  • it was “inappropriate” in the modern world for a party to claim for breaches of this sort (especially in the High Court).

The Master not only awarded summary judgment against the claimants but also ordered them to pay some £11,000 of costs to the defendant on an indemnity basis, given that the claim was “speculative” and given the defendant’s conduct in making a Part 36 offer, which it of course beat.

The Master also commented that it was inappropriate for such claims to be heard in the Senior Courts.

Discussion

Guidance on the de minimis threshold in data claims

Rolfe provides welcome clarity for defendant organisations facing arguably opportunistic claims in the wake of low-risk breaches.

It clarifies that distress-only claims will fail and claimants may face significant cost penalties where they cannot provide compelling evidence of distress. Whilst Rolfe is only a first instance decision (and whether the de minimis threshold has been exceeded will need to be considered on a case-by-case basis), it suggests that claims will be difficult where:

  • the breach poses a low risk of harm (for example, where there has been a technical breach which does not create a risk that data will be misused or where, as here, the recipient has confirmed that they have deleted the data in question);
  • it only affects ordinary personal data, and not special category data or data which could readily be used for fraud;
  • it is promptly remedied by the defendant organisation and/or it has taken prompt steps to mitigate the risks posed; and
  • the claimant has not provided credible evidence of genuine distress and the court does not consider that a person of “ordinary fortitude” would be distressed.

The beginnings of an “ordinary fortitude” test?

In holding that the distress suffered fell below the de minimis threshold, Master McCloud commented “no person of ordinary fortitude would reasonably suffer the distress claimed arising in these circumstances in the 21st Century”, which leads to speculation as to whether this will become the test for distress cases going forward.

However, it remains to be seen whether Rolfe will be recognised as general authority for an “ordinary fortitude” test to be applied to Article 82 distress claims. Not only was this a summary judgment application, but the Master did not consider the claimants’ evidence regarding distress to be persuasive. Our view is that the Master’s approach was correct and that such a test, requiring:

  • compelling witness evidence that the claimant subjectively suffered actual distress; and
  • the court’s objective assessment of whether a person of “ordinary fortitude” would reasonably suffer the distress in those circumstances,

would provide a fair balance between the interests of data controllers and data subjects in such cases.

If that approach is followed in subsequent decisions, it seems likely that the courts would also need to consider adjusting the objective element of the test to take into account foreseeable factors which might make claimants more vulnerable to distress, such as age, relevant pre-existing medical conditions and other special circumstances.

Impact of Lloyd v Google

There is of course a degree of tension between the Rolfe decision and the Court of Appeal’s judgment in Lloyd that damages are recoverable for loss of control of data per se. This was implicitly acknowledged by the Master in Rolfe as he extended the time for any appeal to 21 days after the Supreme Court’s much-anticipated appeal decision. (For further details on the Lloyd proceedings and the factors at play, see Matthew MacLachlan’s article.)

It will be interesting to see how the Supreme Court’s decision addresses the need for effective redress by data subjects against technology companies who fail to follow applicable law and regulation and the risk that ordinary businesses will be faced with a growing wave of speculative claims arising from comparatively minor, and often inadvertent, breaches of data protection and privacy laws.

Case management issues

The Master’s comments that it is inappropriate to bring such claims in the High Court (which closely follow similar comments in the Warren v DSG claim) may have a substantial chilling effect on future claims involving small groups of individuals, as this approach will limit the extent to which claimant firms can recover costs, obtain pre-action disclosure or place pressure on defendants to settle by making early Part 36 offers.

To discuss this or any similar issues, please contact Philip Tansley or Matthew MacLachlan.

Disclaimer

This information is for educational purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given. © Shoosmiths LLP 2022.
