The first half of this year looked like it might see the start of a boom in data protection litigation, particularly in the high volume, low value multi-claimant cases arising out of reported data breaches. Reinforcing the "on the ground" experience of specialist data protection litigators, The Lawyer magazine's Litigation Tracker reported last month that there had been a sizeable uptick not just of commercial claims this year, but specifically of claims in specialist fields like intellectual property and data protection litigation. They reported a rise of in excess of 300% in issued claims in these areas.
The genesis for these claims has, in part, been the clarification and codification of the right to sue for both material and non-material damages where there has been an actionable breach of data protection law, which is now clearly set out within the Data Protection Act 2018. But Claimants had also been encouraged by cases like Gulati and others v Mirror Group Newspapers (a case relating to misuse of private information relating to the phone hacking scandal) and Lloyd v Google (dealing with claims for compensation for "loss of control" of personal data connected with a workaround that allegedly circumvented the Safari browser's private browsing settings) to think that claims could be pursued for a wide range of heads of loss, with little or no evidence of any actual harm. This has resulted in claims being issued on a "pick and mix" basis, layering separate claims for misuse of private information, breach of confidence, negligence and infringements of human rights legislation on top of fairly straightforward claims under the Act.
This was always an ambitious approach, and costly and time consuming for the defendants confronted by such multi-faceted attacks, but it was one which (pending the decision later this year of the Supreme Court in the appeal in Lloyd, at least) looked set to continue to gain ground.
As such, the decision of the High Court in Walker v DSG on Friday came as a welcome corrective. This related to a claim arising from the well-publicised data breach suffered by the Dixons Group several years ago which, in the case of this claimant at least, resulted in unauthorised access to individuals' names, contact details and dates of birth. In a clear and concise judgment, Mr Justice Saini granted Dixons' application to strike out claims for misuse of private information, breach of confidence and negligence, leaving only a limited claim for breach of statutory duty under the Data Protection Act 1998 (the predecessor to the Data Protection Act 2018 and the UK GDPR). That limited claim was itself transferred to the County Court and stayed pending the outcome of a challenge by Dixons to the ICO's fine (and associated findings of fact in connection with the original breach).
Data breaches can, and sometimes do, cause significant and serious harm to the data subjects who are caught up in them. Where that harm is the responsibility of the data controller, those individuals ought to have appropriate recourse via the Courts for the injury that they have suffered. We can only hope that with a clearer and more focused approach to such claims, those which are without merit will be abandoned at an earlier stage, and those which are genuine will have a better chance of being resolved promptly, which must surely be in the interests of all concerned.
As one of the leading firms in the UK dealing with data breach litigation, we will be keeping a very close eye on developments in this area, and are always happy to discuss the implications for businesses of the legislation and the latest case-law.
DSG applied to strike out / for summary judgment upon all the causes of action save for breach of the data security duty (DPP7)... DSG argued that the other causes of action should be struck out or summary dismissed because (i) breach of confidence (‘BoC’) and misuse of private information (‘MPI’) require positive wrongful conduct on the part of the Defendant, and do not encompass a data security duty; and (ii) there is no duty of care in negligence in respect of conduct covered by the data protection legislation... That application was granted by Mr Justice Saini... The decision provides welcome clarity on the causes of action that can properly be brought in ‘external attacker’ data breach cases. It is, moreover, of potential wider significance, given the inter-relationship of these causes of action and costs recovery.