Opportunistic Data Breach Claims Strike Out More Often
wo More Nails in the Coffin for Opportunistic Data Breach Claims
Tuesday, May 24, 2022
Following on from a string of cases in 2021 concerning minor data breaches (see our earlier article here), two further cases in Q1 of 2022 have continued the trend of High Court scepticism. Such compensation claims, usually involving multiple causes of action, often find themselves trimmed down and sent to the County Court, if not struck out entirely.
In our review below, we shed some light on the judiciary’s attitude towards opportunistic claimants.
Condemnation of the “kitchen sink” approach – William Stadler v Currys Group Limited [2022] EWHC 160 (QB)
Whilst claimants continue to pile up multiple causes of action in data breach compensation cases, presumably, in the hope of increasing their prospects of a successful recovery, this approach appears to have the opposite effect, as the claimant in this case discovered.
Mr. Stadler purchased a Smart TV from Currys in September 2016. Mr. Stadler logged into various apps, including Amazon Prime, but returned the TV to Currys in September 2020 for repair. Mr. Stadler was not asked to wipe the data from the TV before returning it and did not log out of any apps before leaving it with Currys. Repairing the TV was considered too costly, so Currys wrote it off and sold it to a third-party company without having wiped the data from it. Someone subsequently purchased a film from Stadler’s Amazon account.
Mr. Stalder telephoned Currys, who reimbursed him for the cost of the film and ensured that he had logged out of all apps and changed the password. Currys also gave Mr. Stadler a £200 shopping voucher as a gesture of goodwill. Nonetheless, Mr. Stadler went on to issue proceedings, alleging misuse of private information, breach of confidence, negligence, and breach of data protection laws (Article 82 of the UK GDPR and the Data Protection Act 2018). He claimed aggravated and exemplary damages up to £5000, as well as an injunction requiring compliance with the data protection law in question and a declaration that the data processing had breached Article 5(1) of the GDPR.
Currys applied for a strikeout on the basis that Mr. Stadler had no reasonable grounds for making a claim, pointing out that he had already been compensated and that it would be an abuse to allow him to proceed with costly litigation in such circumstances.
The judge found that Mr. Stadler had not pleaded his case adequately – the confidential information in question was not properly identified, nor was the obligation of confidence, and it was unclear what constituted the alleged misuse given that Currys had not taken any positive action to leak the data and in fact had no actual knowledge of the misuse of the data. A failure to wipe the device was insufficient for either a breach of confidence or misuse of private information claim. Mr. Stadler’s negligence claim failed because there was no actionable harm; Currys had already reimbursed Mr. Stadler financially and distress was insufficient for negligence without a resulting recognized psychiatric illness. In addition, there was no need to impose an additional duty of care when data protection legislation already imposed an adequate duty.
Tuesday, May 24, 2022
Following on from a string of cases in 2021 concerning minor data breaches (see our earlier article here), two further cases in Q1 of 2022 have continued the trend of High Court scepticism. Such compensation claims, usually involving multiple causes of action, often find themselves trimmed down and sent to the County Court, if not struck out entirely.
In our review below, we shed some light on the judiciary’s attitude towards opportunistic claimants.
Condemnation of the “kitchen sink” approach – William Stadler v Currys Group Limited [2022] EWHC 160 (QB)
Whilst claimants continue to pile up multiple causes of action in data breach compensation cases, presumably, in the hope of increasing their prospects of a successful recovery, this approach appears to have the opposite effect, as the claimant in this case discovered.
Mr. Stadler purchased a Smart TV from Currys in September 2016. Mr. Stadler logged into various apps, including Amazon Prime, but returned the TV to Currys in September 2020 for repair. Mr. Stadler was not asked to wipe the data from the TV before returning it and did not log out of any apps before leaving it with Currys. Repairing the TV was considered too costly, so Currys wrote it off and sold it to a third-party company without having wiped the data from it. Someone subsequently purchased a film from Stadler’s Amazon account.
Mr. Stalder telephoned Currys, who reimbursed him for the cost of the film and ensured that he had logged out of all apps and changed the password. Currys also gave Mr. Stadler a £200 shopping voucher as a gesture of goodwill. Nonetheless, Mr. Stadler went on to issue proceedings, alleging misuse of private information, breach of confidence, negligence, and breach of data protection laws (Article 82 of the UK GDPR and the Data Protection Act 2018). He claimed aggravated and exemplary damages up to £5000, as well as an injunction requiring compliance with the data protection law in question and a declaration that the data processing had breached Article 5(1) of the GDPR.
Currys applied for a strikeout on the basis that Mr. Stadler had no reasonable grounds for making a claim, pointing out that he had already been compensated and that it would be an abuse to allow him to proceed with costly litigation in such circumstances.
The judge found that Mr. Stadler had not pleaded his case adequately – the confidential information in question was not properly identified, nor was the obligation of confidence, and it was unclear what constituted the alleged misuse given that Currys had not taken any positive action to leak the data and in fact had no actual knowledge of the misuse of the data. A failure to wipe the device was insufficient for either a breach of confidence or misuse of private information claim. Mr. Stadler’s negligence claim failed because there was no actionable harm; Currys had already reimbursed Mr. Stadler financially and distress was insufficient for negligence without a resulting recognized psychiatric illness. In addition, there was no need to impose an additional duty of care when data protection legislation already imposed an adequate duty.
