April 12 2022
… What types of claim can be brought?
[Misuse of private information (“MPI”), breach of confidence (“BoC”), breach of the Data Protection Act 1998 and negligence]
In Warren v DSG Retail Ltd [2021] EWHC 2168 (QB) Saini J considered a claim of low value brought against Dixons Carphone (“DSG”) arising from a cyber attack, perpetrated in 2018, by which the attackers gained credit card and other personal data. The ICO had already issued a monetary penalty notice in the sum of £500,000. A private claim was brought by one victim in misuse of private information (“MPI”), breach of confidence (“BoC”), breach of the Data Protection Act 1998 and negligence.
In granting DSG’s application for strike out / summary judgment of the MPI, BoC and negligence claims, the judge held (at [22]) that: “neither BoC nor MPI impose a data security duty on the holders of information (even if private or confidential). Both are concerned with prohibiting actions by the holder of information which are inconsistent with the obligation of confidence/privacy. Counsel for the Claimant submitted that applying the wrong of MPI on the present facts would be a ‘development of the law’. In my judgment, such a development is precluded by an array of authority.”
In respect of negligence, there is older authority to the effect that there is no duty of care in conduct covered by the data protection legislation (Smeaton v Equifax plc[2013] EWCA Civ 108)…
Claims for damages
… It is of course true that both Warren and Lloyd were decided under the 1998 Data Protection Act, and indeed in Lloyd the Court specifically disavowed any view as to the applicability of the GDPR or Data Protection Act 2018 (para.13)…
Procedural limitations on nuisance value claims
In the meantime, the courts have been doing their best to put nuisance claims firmly in their procedural place…
The High Court has now grappled with the issue head on in Stadler v. Currys Group Limited[2022] EWHC 160 (QB). When the claimant went to repair their TV, Currys advised against it on the grounds of disproportionate cost. Currys sold the TV on to a third party without wiping the claimant’s data. In 2020 a movie was purchased by the new owner using the claimant’s Amazon account through the smart TV.
A High Court claim was brought for up to £5,000 for MPI, BoC, negligence and breach of the UK GDPR and the 2018 DPA. The DPA claim alone remained after the judge struck out the other claims by application of the various principles explained above. The extent of the breach of statutory duty remained to be assessed, and the breach, although of low value, did not appear to fall foul of the de minimis principle.
As to allocation, the judge issued a reminder of the CPR PD7A 2.4 criteria which are required to be satisfied if the claim is to be dealt with in the High Court.
if by reason of:
(1) the financial value of the claim and the amount in dispute, and/or
(2) the complexity of the facts, legal issues, remedies or procedures involved, and/or
(3) the importance of the outcome of the claim to the public in general, the claimant believes that the claim ought to be dealt with by a High Court judge.
These factors should be regarded by practitioners as dictating the correct forum, with a healthily objective approach rather than an over-reliance on the belief of a claimant…