The litigation landscape for data protection

Increased awareness of data protection rights and obligations has resulted in a steady increase in data breach claims since the implementation of the General Data Protection Regulation (now known as UK GDPR). Claimants often assert that their personal data has been improperly handled or disclosed, both as a primary claim and an ancillary issue.

Cases cover a variety of situations, from misdirected mail to the erroneous internet publication of confidential and sensitive matters. Data protection issues raised in litigation are not limited to personal data breaches but have expanded to cover deficiencies in the fulfilment of Data Subject Access Requests, the denial of other data subject rights, and concerns over compliance with data minimisation, retention and accuracy requirements. 

Seeing what sticks

Most court activity is focussed on personal data breaches and their aftermath. A scattergun approach is often taken in claims. Heads of claim invoked tend to overlap, with multiple alternatives being pleaded in the hope that one or more will succeed.

The most usual claims seen are allegations of breach of privacy, misuse of private information, breach of the Data Protection Act 2018, breach of confidence, breach of Article 8 of the European Convention on Human Rights, and negligence. Each one requires specific criteria to be fulfilled for the claim to succeed, and in many cases on an objective assessment the facts do not fit the criteria well. 

Responding to these claims, whether in the form of pre-action correspondence or the filing of a Defence requires detailed knowledge of each type of claim, so as to avoid making unnecessary admissions and/or concessions and to optimise the possibility of having the claim struck out.

The current approach of the courts

Various claims relating to personal data, data breaches and data rights have now been considered by the courts. The resulting guidance as to what claims can be brought, in which courts, in what circumstances, and the level of damages likely to be achieved, has provided welcome clarity to litigants and their advisers.

The de minimis threshold

Contrary to popular belief, a personal data breach does not automatically give rise to a right to receive damages – a de minimis threshold exists. For example, in a case called Rolfe v Veale Wasborough Vizards LLP a school’s lawyers sent an email attaching a statement of account to the wrong email address. The error was identified and the email was deleted by the recipient. The judge struck out the claim, finding that the breach was “trivial” and saying that the suggestion that any distress or worry was caused by the incident was a “frankly inherently implausible suggestion”.

The small claims track

The courts have also made it clear that claims with values likely to be limited to a few hundred or even a few thousand pounds belong to the small claims track, with its simplified procedures and limited if any costs recovery. The prevailing practice of claimant firms seeking to bring High Court claims and arguing for allocation to more complex tracks with higher costs limits is beginning to change.

Multiple heads of claim

The pleading of multiple heads of claims has also been subject to expressions of disapproval by the courts. In cases such as Warren v DSG Ltd and Johnson v Eastlight Community Homes Ltd it has been made clear that the courts will filter out overlapping, opportunistic and insufficiently enumerated claims which are likely to obstruct the just disposal of the proceedings and take up disproportionate time and resources.

Levels of compensation

Even where compensation may be warranted, it is not unusual to receive a claim where arguments on causation and remoteness are notable by their absence. In the minority of cases where a claimant complies with applicable pre-action protocols and provides specifics as to the amount they are seeking to obtain by way of damages, the suggested figures tend to be highly optimistic when considered in context. Although it is difficult to predict what a court will award, reported cases indicate that data breaches involving minimal data and minimal distress may receive as little as £250, as in the case of Driver v CPS where the Crown Prosecution Service was unable to demonstrate that its communication with a member of the public, updating them on a file relating to Mr Driver, was necessary. 

In contrast, incidents resulting in objectively serious privacy intrusions causing significant psychiatric harm have garnered up to £20,000.

Top tips when defending a data claim

Steps to defend against potential data related claims begin at the point a breach is identified or another relevant issue with data processing arises. When first responding to a breach or other concern, we recommend:

  • Avoiding admissions, concessions and apologies: until all relevant facts have been identified, it is important to avoid suggesting or admitting fault. Statements made at the beginning of or prior to an investigation, which are later proven to be incorrect, can seriously hamper an organisation’s ability to defend against even the most spurious claims.

  • Seek to protect documents: communications and other documents created while investigating a data breach, or on receipt of an actual (or threatened) claim, may be disclosed to the other side.  To avoid disclosure of potentially damaging material, it is important to understand when legal professional privilege applies to documentation and correctly label materials to maximise the availability of such protection. In particular, breach investigations are unlikely to be protected unless legal advisers have been instructed in a timely manner.

When a letter of claim has been received, or a claim has been issued:

  • Focus appropriate resources on the issue: defending a claim requires a detailed understanding of relevant facts, which must be gathered and assessed within strict time limits. A failure to meet court deadlines can result in a Defence being rejected by the court, so time is of the essence.

  • Seek external assistance: responding to claims regarding the use of personal data requires detailed knowledge of the criteria applicable to each type of claim, the approach of the courts, and legal procedure.

  • Consider the costs of defending: claimants are often pursuing their grievances with the benefit of conditional fee agreements (CFAs) and after the event (ATE) insurance. In practice, this means there is little incentive for them to withdraw a claim and regardless of the prospects of the case, many claimants are often disinclined to settle. However, the cost of litigation can be high, and you may choose to prioritise settlement at a reasonable amount.

Our content explained

Every piece of content we create is correct on the date it’s published but please don’t rely on it as legal advice. If you’d like to speak to us about your own legal requirements, please contact one of our expert lawyers.

Mills & Reeve Sites navigation
A tabbed collection of Mills & Reeve sites.
Sites
My Mills & Reeve navigation
Subscribe to, or manage your My Mills & Reeve account.
My M&R

Visitors

Register for My M&R to stay up-to-date with legal news and events, create brochures and bookmark pages.

Existing clients

Log in to your client extranet for free matter information, know-how and documents.

Staff

Mills & Reeve system for employees.