Dentons Recent developments in data litigation blow for lowvalue data privacy claims
January 9, 2023
The landmark Supreme Court decision in Lloyd v. Google (see our full discussion here) spelled a win for data controllers as the decision made opt-out privacy class actions less likely to succeed and less likely to attract the necessary litigation funding. A year on from this decision, the Lloyd legacy lives on. We take a look at three key recent developments which, once again, spell a blow for claimant law firms as the courts issue critical judgments in respect of low-value data breach claims.
Cleary v. Marston (Holdings) Ltd [2021] EWHC 3809 (QB)
Background
The Claimant alleged that an employee of the defendant company had emailed a letter intended for him to one of his colleagues. The defendant admitted the mistake but maintained that the recipient had not read it and that the Claimant had suffered no real harm. There was no factual dispute, other than whether the third party had in fact read the letter. The Claimant contended that the letter had been read and sought damages and a declaration that the processing of the information had constituted a misuse of private information and/or breach of data protection. He issued the claim in the High Court, which had to determine whether a claim for misuse of private information and data protection should be transferred to the County Court.
As is often the case in such claims, the Claimant brought the following causes of action:
breach of data protection legislation;
misuse of private information (MPI); and
breach of confidence (BOC).
Decision
The Claimant had argued that the High Court was the appropriate forum because the claim was for misuse of private information, breach of confidence and breach of data protection, which fall within the scope of the specialist Media and Communications List. However, the High Court rejected this argument noting that a claim for misuse of private information and data protection should only be issued in the Media and Communications List if it is a High Court claim. The court emphasised that low-value, non-defamation, media and communications claims could be brought and fairly tried in the County Court where they were not particularly complex, as was the case here.
UI v. Österreichische Post AG – EU Advocate General's Opinion in Case C-300/12
Background
Österreichische Post AG (OPAG), a company which publishes address directories, began to collect information on the political party affinities of the Austrian population. Using an algorithm, OPAG could define "target group addresses" according to certain socio-demographic features. UI was a subject of the extrapolation exercise and was found to have a high affinity with one of the political parties. UI, who had not consented to the processing of his personal data, was upset by the storage of this data and by the affinity specifically attributed to him. UI claimed compensation of €1,000 in respect of non-material damage, claiming reputational damage, upset and loss of confidence. While we await the final decision of the CJEU, the Advocate General has published an opinion detailing a Lloyd v. Google style analysis of the circumstances in which damages can be obtained for contravention of the GDPR.
Decision
The Advocate General concluded that Article 82 did not require that compensation should be recoverable merely for a contravention of the GDPR. He took the view that, where EU law requires automatic compensation, it says so. If you recall, the decision in Lloyd specifically excluded the GDPR from its analysis, leaving open this question as to whether compensation for loss of control (in the sense of a mere contravention) could be recovered under the GDPR when it cannot under the DPA 1998.
The critical paragraph of the Opinion’s reasoning at [105] provides "while the case-law of the court permits the argument that, in the terms stated, a principle of compensation for non-material damage exists in EU law, I do not believe, however, that it is possible to infer from this a rule pursuant to which all non-material damage, regardless of how serious it is, is eligible for compensation." In particular, Article 82(1) "does not appear to me to be a suitable instrument for countering infringements in connection with the processing of personal data where all those infringements create for the data subject is annoyance or upset [112]."
Driver v. Crown Prosecution Service [2022] EWHC 2500 (KB)
Background
Mr Driver, a figure in local politics in Lancashire, was a suspect in a police investigation into local government corruption in 2014. He was told in 2016 that he was no longer a suspect (and he made press statements about that fact). However, he was subsequently investigated again under the same police operation, for different allegations. His file was passed to the CPS to consider possible charges.
In 2019, in response to an enquiry from a member of the public, a CPS official sent an email that said "a charging file has been referred from the Operation Sheridan investigation team to the CPS for consideration". The recipient later communicated the contents of that email, together with commentary of his own (in which he named Mr Driver) to further individuals. There was no evidence that anyone took notice of that email. Mr Driver alleged that the CPS email caused him distress among other things.
Decision
The Court concluded that the breach was "at the lowest end of the spectrum" and awarded the Claimant damages of £250. This judgment therefore interestingly provides a quantification of the "lowest end of spectrum" data breach (which did not involve information with any privacy connotations).
The landmark Supreme Court decision in Lloyd v. Google (see our full discussion here) spelled a win for data controllers as the decision made opt-out privacy class actions less likely to succeed and less likely to attract the necessary litigation funding. A year on from this decision, the Lloyd legacy lives on. We take a look at three key recent developments which, once again, spell a blow for claimant law firms as the courts issue critical judgments in respect of low-value data breach claims.
Cleary v. Marston (Holdings) Ltd [2021] EWHC 3809 (QB)
Background
The Claimant alleged that an employee of the defendant company had emailed a letter intended for him to one of his colleagues. The defendant admitted the mistake but maintained that the recipient had not read it and that the Claimant had suffered no real harm. There was no factual dispute, other than whether the third party had in fact read the letter. The Claimant contended that the letter had been read and sought damages and a declaration that the processing of the information had constituted a misuse of private information and/or breach of data protection. He issued the claim in the High Court, which had to determine whether a claim for misuse of private information and data protection should be transferred to the County Court.
As is often the case in such claims, the Claimant brought the following causes of action:
breach of data protection legislation;
misuse of private information (MPI); and
breach of confidence (BOC).
Decision
The Claimant had argued that the High Court was the appropriate forum because the claim was for misuse of private information, breach of confidence and breach of data protection, which fall within the scope of the specialist Media and Communications List. However, the High Court rejected this argument noting that a claim for misuse of private information and data protection should only be issued in the Media and Communications List if it is a High Court claim. The court emphasised that low-value, non-defamation, media and communications claims could be brought and fairly tried in the County Court where they were not particularly complex, as was the case here.
UI v. Österreichische Post AG – EU Advocate General's Opinion in Case C-300/12
Background
Österreichische Post AG (OPAG), a company which publishes address directories, began to collect information on the political party affinities of the Austrian population. Using an algorithm, OPAG could define "target group addresses" according to certain socio-demographic features. UI was a subject of the extrapolation exercise and was found to have a high affinity with one of the political parties. UI, who had not consented to the processing of his personal data, was upset by the storage of this data and by the affinity specifically attributed to him. UI claimed compensation of €1,000 in respect of non-material damage, claiming reputational damage, upset and loss of confidence. While we await the final decision of the CJEU, the Advocate General has published an opinion detailing a Lloyd v. Google style analysis of the circumstances in which damages can be obtained for contravention of the GDPR.
Decision
The Advocate General concluded that Article 82 did not require that compensation should be recoverable merely for a contravention of the GDPR. He took the view that, where EU law requires automatic compensation, it says so. If you recall, the decision in Lloyd specifically excluded the GDPR from its analysis, leaving open this question as to whether compensation for loss of control (in the sense of a mere contravention) could be recovered under the GDPR when it cannot under the DPA 1998.
The critical paragraph of the Opinion’s reasoning at [105] provides "while the case-law of the court permits the argument that, in the terms stated, a principle of compensation for non-material damage exists in EU law, I do not believe, however, that it is possible to infer from this a rule pursuant to which all non-material damage, regardless of how serious it is, is eligible for compensation." In particular, Article 82(1) "does not appear to me to be a suitable instrument for countering infringements in connection with the processing of personal data where all those infringements create for the data subject is annoyance or upset [112]."
Driver v. Crown Prosecution Service [2022] EWHC 2500 (KB)
Background
Mr Driver, a figure in local politics in Lancashire, was a suspect in a police investigation into local government corruption in 2014. He was told in 2016 that he was no longer a suspect (and he made press statements about that fact). However, he was subsequently investigated again under the same police operation, for different allegations. His file was passed to the CPS to consider possible charges.
In 2019, in response to an enquiry from a member of the public, a CPS official sent an email that said "a charging file has been referred from the Operation Sheridan investigation team to the CPS for consideration". The recipient later communicated the contents of that email, together with commentary of his own (in which he named Mr Driver) to further individuals. There was no evidence that anyone took notice of that email. Mr Driver alleged that the CPS email caused him distress among other things.
Decision
The Court concluded that the breach was "at the lowest end of the spectrum" and awarded the Claimant damages of £250. This judgment therefore interestingly provides a quantification of the "lowest end of spectrum" data breach (which did not involve information with any privacy connotations).
