On 7 September 2021, the High Court granted a defendant’s application for summary judgment in a claim for compensation brought by three data subjects following a data breach suffered by the defendant, on the basis that the breach was ‘trivial’.
The case related to a single email (with attachments) sent by the defendant, a firm of solicitors. The defendant, who represents a school to whom the claimants, a set of parents, owed outstanding school fees, had been instructed to write to the claimants with a demand for payment. The email consisted of a letter and a copy of the statement of account.
Due to one letter difference in one of the email addresses, the correspondence was sent to an unintended recipient. The unintended recipient responded promptly, indicating that they thought the email was not intended for them. The defendant then responded promptly, asking the unintended recipient to delete the email, which they agreed to do. The recipient was unknown to the claimants personally.
The email contained the claimants’ names, address and the amount of school fees owed, as well as reference to proposed legal action, but it did not contain any financial information in the form of bank or card details, or information about the income or financial position of the claimants.
The claim brought by the claimants was for, amongst other things, compensation for non-material damage (i.e., distress) under article 82 of the General Data Protection Regulation ((EU) 2016/679) (GDPR) and section 169 of the Data Protection Act 2018. This was based on (i) the claimants having suffered “lost sleep”, (ii) the breach having “made them feel ill” and (iii) extensive time having been spent by the claimants dealing with the issue.
In giving her judgment, the judge noted that:
“It was common ground that in principle damages can be recovered and other remedies obtained for breaches of data protection regulations and misuse of private information, including simply for the distress caused even absent specific pecuniary loss […] Similarly, it is not in dispute that in principle loss of control of personal data can constitute damage […]. However there does need to be damage, one cannot succeed in a claim where any possible loss or distress is not made out or is trivial.”
Thus, it was not sufficient for the claimants to establish only that there had been a data breach. Rather, the claimants must also establish a material or non-material loss (i.e., damage or distress) suffered as the result of the data breach, which must be more than merely trivial. In the present case, the judge deemed the damage and/or distress suffered by the claimants to be ‘exaggerated’ and ‘implausible’ and held that the de minimis threshold established by case law had not been met.
The judge granted summary judgment in the defendant’s favour and dismissed the claim, ordering the claimants to pay the defendant’s costs (to be assessed) on an indemnity basis.
Following the introduction of the GDPR in 2018, there has been a growing number of compensation claims brought against organisations. This is due, in no small part, to the widening of the grounds on which data subjects can bring claims.
With increasing numbers of data breach claims being pursued as a result of the rise in data breaches, the decision in the present case, though only from a court of first instance, is helpful. Not only does it signal a pragmatic ‘real world’ approach to these types of low-level data breach claims, which is welcome, it also offers insight into the application of the de minimis principle in relation to distress or damage in the same context.