There has been much talk about the recent Supreme Court decision in Lloyd v Google (see Rupert’s excellent summary here). While great minds have been focusing on the learning from their Lordships, there have also been some recent data protection nuggets from lower down the chain that are worthy of some consideration.
Johnson v Eastlight [2021] EWHC 3069
Hot off the press is Johnson v Eastlight [2021] EWHC 3069. The case concerns a bog standard data breach involving an email error. The facts are straightforward – a customer of a social housing provider requested a rent statement and was inadvertently sent a compilation of rent statements containing the names, email addresses and rent payments of other customers. The recipient was asked to delete the email and promptly did so.
The Claimant was a person whose details appeared in pages 880 to 992 of the 6,941 page attachment. Her claim for distress was based on, in addition to a general concern, the fact that the information “would somehow become known” to her former partner. Her claim was for Misuse of Private Information, Breach of Confidence and negligence (the latter was later withdrawn) together with an HRA and DPA 2018 claim for damages. The Defendant applied to strike out the claim and/or for summary judgment.
Master Thornett observed that the information that was disclosed was “routine” and “not of an obviously sensitive nature in itself”. The distress claimed “seems more in the realms of the unknown or the hypothetical than in reality”. Interestingly, he noted that the fact the Claimant had issued a claim in a publicly identifiable claim form without any attempt to withhold her personal address was evidence that any distress caused by such a revelation had diminished (this finding may inadvertently encourage applications for anonymity / sealing of the court file in simple data protection claims!). The claim for an injunction was hopeless and “merely an attempt to add credibility to the claim and to convey a greater impression of its importance”.
Most significant for practitioners are the observations in respect of allocation. Master Thornett saw no basis for the claim to have been issued in the High Court. CPR PD7A Para 2.1 is explicit that “Proceedings (whether for damages or for a specified sum) may not be started in the High Court unless the value of the claim is more than £100,000“. Was there a feature that elevated it to High Court status? No.
- By CPR 53.1(2), a “media and communications claim” is a claim that satisfies the requirements of paragraph (3) (or (4), which is not relevant here). Sub-paragraph 3 does include claims for misuse of private information or in data protection law. However, and significantly, the opening of paragraph 3 is clear this is only if the cited causes of action constitute “A High Court claim“. As distinct from claims in defamation, jurisdiction of which is excluded from the County Court by section 15 of the County Courts Act 1984, “the Claimant’s causes of action therefore did not have to be brought in the High Court and so was not a High Court Claim”.
- The Claimant had filed a precedent H indicating proposed costs in excess of £50,000. Master Thornett commented:
“No serious privately paying litigant would contemplate spending over £50,000 in costs, not all of which may prove recoverable even in the event of success, and similarly expose themselves to the risk of a significant adverse costs order following High Court litigation if unsuccessful, for a damages claim less than £3,000. The presentation and processing of this case to-date in this forum has, I am satisfied, constituted a form of procedural abuse.”
Reluctantly, the Master agreed to transfer the case to the County Court rather than strike it out in its entirety. He continued:
“By a very narrow margin, however, I am satisfied that the real point in this case is whether the Claimant’s entitlement is to purely nominal or instead extremely low damages. It is never going to be much more, a point that surely was [or ought to have been] obvious to the Claimant and her advisors from the outset. Nonetheless, mindful that the court should strive to provide a remedy to any litigant if it can [“to fashion any procedure by which that claim can be adjudicated in a proportionate way”], the claim ought not to be entirely struck out but instead redirected to the more appropriate forum, the County Court. As distinct from defamation, where the game may not be worth the candle because there is only one permitted venue for the match, this very modest claim can and should proceed but be concluded elsewhere.”
Reference to the game not being “worth the candle” was a reference to the argument that was put forward by the Defendant that the Jameel or de minimis principle should apply. Whilst the Master agreed that these could apply to claims under the GDPR, this was not such a case, and was instead simply a “modest claim” that had been brought in the wrong venue.
Rolfe v Veale Wasbrough Vizards [2021] EWHC 2809 (QB)
Contrast another recent decision of a Master, Rolfe v Veale Wasbrough Vizards [2021] EWHC 2809 (QB), where Master McCloud found that a claim of a similarly minimal nature should be struck out.
In Rolfe a letter requesting the payment of school fees was sent to the child’s parents but, due to one letter difference in the email address of the mother, the letter went to a person with an identical surname and the same first initial. That person responded promptly indicating they thought that the email was not intended for them. The Defendant replied asking the (incorrect) recipient to delete the message. The recipient confirmed she had done so. The Claimants brought a claim for damages in the High Court.
Master McCloud granted summary judgment and strongly cautioned against bringing such claims in the High Court:
“We have a plainly exaggerated claim for time spent by the Claimants dealing with the case and a frankly inherently implausible suggestion that the minimal breach caused significant distress and worry or even made them ‘feel ill’. In my judgment no person of ordinary fortitude would reasonably suffer the distress claimed arising in these circumstances in the 21st Century, in a case where a single breach was quickly remedied.
There is no credible case that distress or damage over a de minimis threshold will be proved. In the modern world it is not appropriate for a party to claim, (especially in the in the High Court) for breaches of this sort which are, frankly, trivial…the law will not supply a remedy in cases where effectively no harm has credibly been shown or be likely to be shown.”
Ashley v Amplifon Ltd [2021] EWHC 2921 (QB)
Contrast another recent decision in Ashley v Amplifon Ltd [2021] EWHC 2921 (QB) where Kerr J did not grant summary judgment in respect of a simple data breach case concerning the inadvertent disclosure to the wrong employee (with the same first name) of an employment contract. Kerr J held that there were factual matters to be resolved (albeit in the County Court, not High Court) and:
“I would not deny the claimant access to the county court, probably the small claims track, to litigate the claim particularly in circumstances where the defendant appears not to have revealed the whole of its hand and has, at the same time, sought to rid itself of the action in a manner that prevents its disclosure obligations from arising.
Access to justice includes the right to litigate modest claims for amounts that may seem trivial to lawyers but are not to the party seeking not just the money but to vindicate their rights. Whether the claim is worth the candle must be seen in that light.”
Julian Blake