A New Hurdle for Data Protection Litigation in the UK?

A recent ruling by the English High Court has raised the bar for individuals seeking to sue organisations for damages following data security incidents.

The Court ruled that an individual claimant (the “Claimant”) who sought £5,000 of damages from DSG Retail Limited (“DSG”) (a retailer that sells technology equipment in the UK under the “Currys PC World” brand) following a data security incident was not able to pursue claims for breach of confidence, misuse of private information or negligence against DSG. The Court held that the claims had no real prospect of success, and that neither breach of confidence nor misuse of private information imposes a data security duty on the holders of information (even if it is private and confidential).

This judgment could also have a significant impact on the recoverability of costs in, and resulting viability of, small claims by individual claimants for damages following data security incidents, as:

• English courts only permit “after-the-event” (“ATE”) insurance premiums to be recovered from the losing party in specific circumstances (including breach of confidence and misuse of private information cases); and
• low-value claims arising from a data security incident, not including claims for breach of confidence, are likely to be allocated to the “small-claims” track, where only limited costs are recoverable.

What led to the claim?

Between 2017-2018, DSG suffered a cyber attack that affected over 5,000 point of sale systems and 14 million customers. The Information Commissioner’s Office (the “ICO”) subsequently fined DSG £500,000 for failing to take appropriate technical and organisational measures to protect personal data under the Data Protection Act 1998 (“DP Act 1998”) (because the incident occurred before the implementation of the GDPR).

What did the Claimant argue?

The Claimant, Darren Lee Warren, an individual who had purchased goods from DSG, issued a claim against DSG for damages of £5,000 for distress allegedly suffered as a result of his personal data being compromised and lost. The Claimant brought four different causes of action, namely:

• breach of confidence; 
• misuse of private information;
• negligence; and
• breach of the DP Act 1998.

The claim under the DP Act 1998 remains on hold pending the appeal of DSG’s fine from the ICO. DSG applied to strike out the three other causes of action on the basis that they had no realistic prospect of success.

The Claimant argued that DSG, by failing to prevent the data security incident, had misused his private information by exposing it to a real risk of intrusion that was equivalent to publication to a third-party hacker. For the Claimant’s claim of negligence, he argued that a reasonable duty of care exists that is separate from any duties of care held by DSG under the DP Act 1998.

What did the Judge decide?

Mr Justice Saini allowed DSG’s application and struck out all causes of action (save for the paused claim under the DP Act 1998).

Breach of confidence and misuse of private information

With respect to the claims for breach of confidence and misuse of private information (the former of which was abandoned by the Claimant pre-judgment), Saini J found that:

• The “wrong” that had occurred was a failure to prevent the attacker from accessing the Claimant’s personal data, rather than any positive action on the part of DSG. 
• By contrast, both breach of confidence and misuse of private information are claims based on positive acts by the defendant. A claim for breach of confidence arises from an obligation not to disclose confidential information. Similarly, a claim for “misuse” of personal information must require some “use”. Here, it was not DSG that disclosed the Claimant's personal data, or misused it, but the criminal third-party hackers.  
• On this basis, Saini J concluded that neither breach of confidence nor misuse of private information imposes a data security duty on the holders of information (even if it is private and confidential). As a result, it would appear that claims may no longer be brought under these causes of action where a failure to have appropriate data security measures in place has led to the loss of personal information.
• Saini J also concluded that DSG could not be directly liable for the actions of a third-party attacker (following the Supreme Court decision in Various Claimants v. WM Morrison Supermarkets, discussed in our earlier client alert).

Negligence

With respect to the negligence claim, Saini J relied on established authority to the effect that there is no need to impose a separate duty of care where statutory duties (such as those under the DP Act 1998) exist. He also confirmed that a claim in negligence requires proof of some damage, harm or injury and that “a state of anxiety produced by some negligent act or omission but falling short of a clinically recognisable psychiatric illness” is not sufficient (contrary to the position under the DP Act 1998 and the EU General Data Protection Regulation (“GDPR”), where damages for distress and, potentially, loss of control of personal data may be sufficient).

What are the cost implications of the judgment?

ATE insurance premiums

As in this case, claims brought by individuals arising from data security incidents are generally for relatively small amounts of compensation. Individuals frequently obtain ATE insurance to protect against the risk of liability for the defendant’s costs if the claim fails. If the claim succeeds (and the defendant is liable to pay the claimant’s costs), ATE insurance premiums are generally not recoverable; however, there is an exception for claims for breach of confidence or misuse of private information. Notably, this exception does not include claims brought under the DP Act 1998 (or its successors, the Data Protection Act 2018 and the GDPR).

If claimants can no longer bring claims for damages following data security incidents under the heads of misuse of private information or breach of confidence, their ATE insurance premium will form part of their irrecoverable costs even if they succeed, which may preclude many low-value data protection claims from going ahead.

Moving claims to the County Court/“small-claims” track

Following his judgment, Saini J referred the case to the County Court (rather than letting it continue in the High Court). While claims for breach of confidence may only be brought in the High Court, this is not the case for data protection claims. Claims in the County Court with a financial value of less than £10,000 are usually allocated to the “small-claims” track, where only limited costs are recoverable. This will be another disincentive for claimant lawyers to take on small claims of this nature. On the other hand, claimants may bring claims knowing that the Country Court on the small-claims track is not able to make an order against them to pay the defendant’s costs except under very limited circumstances.

How will this impact privacy litigation in the UK?

While we still await the much-anticipated decision of the Supreme Court in Lloyd v Google later this year that will impact the market for class action litigation in the UK for data protection claims, this decision has the potential to significantly impact numerous smaller claims brought by individuals in the wake of data security incidents. Claimants will find it more difficult to include claims for breach of confidence, misuse of private information and negligence and in these cases. This has knock-on effects for the funding and the recovery of costs for such claims, as set out above.

Companies faced with a prospective claim from an individual following a data security incident may wish to consider relying on this judgment as a means of settling such claims, with the knowledge that claimants will now find it more difficult to recover their costs in the event the dispute does lead to litigation.

Read the full judgment of Saini J in Warren v DSG Retail Limited [2021] EWHC 2168 (QB).

Dan Alam, a trainee solicitor in our London office, contributed to the drafting of this alert.