The recent Warren v DSG decision may significantly limit the recent wave of data breach litigation by claimant firms. The High Court summarily dismissed claims for breach of confidence, misuse of private information and negligence.
Last week, the High Court handed down judgment in Darren Lee Warren v DSG Retail Limited  EWHC 2168 (QB), a decision that may significantly limit the recent wave of data breach litigation by claimant firms.
The claims follow a now familiar trajectory. A business suffers a data breach involving the personal data of its customers. Consumer-focussed claimant firms then seek to sign up affected customers, issuing multiple claims for damages for breach of the UK GDPR, breach of confidence, misuse of private information and negligence backed by conditional fee agreements and After the Event (“ATE”) insurance.
Leveraging the perceived complexity of data claims, the lack of clear authority regarding quantum and the cost exposure created by ATE premiums in publication and privacy proceedings, claimant firms have created a business model fuelled by out-of-court settlements.
In Warren v DGS, the High Court summarily dismissed the claimant’s claims for breach of confidence, misuse of private information and negligence, leaving only the UK GDPR claim. Not only will this considerably simplify the defence of similar claims, it makes it increasingly unlikely that claimant firms will be able to recover ATE premiums in similar cases. This is because the recovery of ATE premiums was entirely dependent on the existence of a privacy claim, being one of the few classes of claim where ATE premiums are still recoverable.
Currys PC World (“DSG”) suffered an external attack resulting in the compromise of c. 10 million customer records. The ICO subsequently issued a monetary penalty notice of £500,000, the highest possible at the time (although DSG’s appeal against this penalty is pending).
The claimant, an individual customer, sought £5,000 for breach of the Data Protection Act 1998 (the “DPA”) (as the incident took place before the coming into force of the UK GDPR), breach of confidence, misuse of private information and negligence.
Whilst the parties agreed to stay proceedings relating to the breach of the DPA pending DSG’s appeal against the monetary penalty notice (due to be heard in November 2021), DSG applied for summary judgment on the remaining claims.
The High Court summarily dismissed the non-DPA claims on the basis that: a) all of the causes of action required some positive wrongful action to be taken (for example, deliberate disclosure of personal data, or wrongful use); and b) there was no positive wrongful action in circumstances where DSG was the passive victim of an attack and had not purposefully facilitated the data breach.
The court held that the actions for breach of confidence and misuse of private information do not impose any form of data security duty on DSG. For the negligence claim, there was also no such duty. Further, the court found that a state of anxiety which falls short of clinically recognised psychiatric harm is not sufficient damage to found a claim in negligence.
Whilst unsurprising, this is a welcome and timely decision for organisations responding to data breaches.
Although the decision does not mean the end of follow-on litigation following data breaches, it will have a number of important implications for data litigation. In particular, it will:
- considerably narrow the issues in dispute, rightly (in the authors’ view) focusing such disputes on the key question of whether the incident in question involved breaches of the UK GDPR; and
- undermine the business model of claimant firms which have been bringing multiple individual claims using ATE insurance to offset their cost risk and pressure defendant companies to pursue into settlements well above the level they would be likely to recover if the matters went to court.
However, there are still a number of important legal questions that need to be resolved before the legal liability position in this area becomes clearer:
- Collective actions: Whilst bringing multiple individual claims is one approach to dealing with data breach litigation, it may be that this decision simply shifts the focus to claimant firms towards bringing collective, rather than individual, actions. In particular, practitioners are eagerly awaiting the Supreme Court’s decision in Lloyd (Respondent) v Google LLC (Appellant) UKSC 2019/0213 which will clarify both whether ‘distress only’ damages are recoverable for breaches of the UK GDPR, and whether such claims can form the basis of same-interest collective claims. If the Supreme Court allows ‘opt out’ collective actions of this sort, it is likely to have a seismic effect on litigation in this area (see our commentary on Lloyd v Google here) but increased group litigation in this area is likely in any event.
- Quantum: There is also considerable uncertainty regarding the quantum available. Whilst rare cases involve serious harm, the majority of data breach claims involve individuals who have experienced real but comparatively minor distress and inconvenience as a result of an incident. Cases such as R. (on the application of M) v Chief Constable of Sussex  EWCA Civ 42 (£500 damages for a relatively serious breach involving details of a subject’s sex life) suggest that the damages recoverable by individuals affected by data breaches are likely to be quite modest. However, claimant firms routinely suggest to their clients that damages of £5,000 to £10,000 may be recoverable and judicial guidance is urgently needed in this area. Similarly, there is some suggestion (see TLT v Secretary for Home Department  EWHC 2217 (QB)) that there may be a de minimis threshold for harm in cases of this sort but where this threshold may lie remains unsettled.
To discuss this or any similar issues, please contact Philip Tansley or Matthew MacLachlan.