Crucial and difficult questions continue to bedevil the litigation of data breach claims: how much (if anything) are claims worth, and how do you take forward large volumes of low-value claims arising from the same incident in ways that are cost-effective and proportionate? The recent judgment of Nicklin J in Farley and 473 others v Paymaster (1836) Limited (trading as Equiniti) [2024] EWHC 383 (KB) is a further notable development on these fronts.
The judgment is also something of a textbook, distilling the key principles on the misuse of private information (MPI) and data protection causes of action, the attendant compensation principles, pleading and amendment issues, anonymity, threshold of seriousness, strike-out and summary judgment in this context. It’s a useful go-to source for reminding us of the key points on those issues.
But let’s leave aside the textbook and cut to the chase.
The claims: envelopes sent to wrong addresses. 450+ current and former Sussex police officers claimed for MPI and GDPR breaches due to envelopes containing their pension benefit statements being sent to outdated addresses by the defendant, Equiniti. Only 14 pleaded a case that their envelopes were in fact likely to have been opened; the rest relied only on an inference that this was likely, and claimed for exposure to the risk of third parties having access to their envelopes.
The litigation approach: not a GLO, but a single claim form for 474 individual claimants, with a proposal to select and try lead claims.
The affected data: the pension statements implicitly revealed that the individual was a police officer, and generally included the individual’s: name, date of birth, national insurance number, and details of salary and pension details.
Heads of damage: the claimants sought to recover for annoyance, distress and anxiety – though their descriptions varied (see [62]: some claimants said distress was too strong a word for the impact on them; some described the impact as mild, minor or temporary. Some complained of spam emails, but their email addresses hadn’t been compromised. There was no evidence of actual identity theft having materialised, but “substantially, the claim for each Claimant is very much put on the distress/anxiety caused by the apprehension that s/he might be a victim of identity theft” ([42]).
Any personal injury elements? Yes. A subset of claimants also issued a second claim for personal injury. They relied on medical reports opining that the incident had exacerbated certain pre-existing symptoms. Nicklin J indicated that he did not understand why these claimants had approached matters this way, rather than seeking to amend their original claim form: see [68]-[70]. Ultimately, Equiniti consented to an application to amend the first claim form instead.
Quantum: leaving aside the personal injury cohort, see [9]: “Each claimant claimed damages of £2,000 for misuse of private information, and a range of £1,064.80 and £2,606.20 for the data protection claim. The basis used to calculate these figures (which, in respect of the data protection claim, were oddly precise) has not been explained”. At the hearing, the claimants indicated that they expected to recover in the region of £1,250 to £1,500 per head.
Costs outlook, as compared to quantum sought: Nicklin J appears to have been concerned by the comparative costs of the litigation: up to the issuing of the claim, the claimants had incurred costs of around £2,500 each, and things would then escalate for the litigation itself (see [11]-[12]). The claimants were clear that (i) individually, these would be small claims County Court matters, but class litigation was needed to make things work economically, and (ii) the MPI claim brought them the advantage of being able to recover ATE premiums (which are not recoverable for pure DP claims).
Anonymity: initially, all of the claimants sought and obtained anonymity in respect of their names and addresses. Nicklin J was not impressed by the case for maintaining such an approach, and ultimately set aside the original order and granted a much more focused and adequately evidenced application in respect of a small number of claimants: see [129]-[136].
The defendant’s position: Equiniti denied liability, taking points including the following: Equiniti was a processor rather than a controller; not all affected data was private; this incident was not a misuse and was not actionable under the GDPR or MPI causes of action, including on threshold of seriousness grounds. Crucially, Equiniti applied for the claims to be struck out or dismissed by way of summary judgment.
What happened? Equiniti succeeded in having all bar 14 of the 450+ claims struck out or dismissed by way of summary judgment.
Why? The claimants pleaded that, unless Equiniti could prove otherwise, an inference should be drawn that their ABS envelopes were opened and read by unknown third parties. No pleaded basis for that inference was given. Equiniti disputed the inference. The claimants also pleaded that, even in respect of those whose envelopes were returned unopened, compensation was available because they had been “put at significant risk of being opened and read by unknown third party recipients”.
The envelopes containing the ABS were marked ‘private and confidential’ and had a return address. As regards the claimant pool, 101 envelopes were returned to Equiniti unopened; a further 74 had been forwarded to claimants unopened or otherwise successfully retrieved by the claimant (see [60]). One of the claimants even claimed on the basis that his father had opened his letter and forwarded it to him; Nicklin J unsurprisingly thought this was pretty hopeless.
Crucially, only 14 claimants pleaded a case about the opening of their envelopes beyond the inference on which they all relied, and in only 2 of those cases was it alleged that the ABS was opened or read by someone other than a family member or colleague.
This was fatal. Nicklin J drew on defamation law principles that eschewed the sort of inference the claimants relied on. And the upshot was, at e.g. [143]: “In my judgment, to have a viable claim for misuse of private information and/or data protection, each Claimant must show that s/he has a real prospect of demonstrating that the ABS was opened and read by a third party. Without that, the relevant Claimant would have no real prospect of demonstrating that there had been “misuse”, an essential element of the tort of misuse of private information…”
Inference is insufficient on its own: the pleaded case gave no basis for that inference. Inferences require sound evidential footings. “Absent some facts that would compel a different conclusion, the Court will not draw the inference that a letter addressed to a named recipient, clearly marked “private and confidential”, will be opened by a third party who is not the named recipient or authorised by him/her to open correspondence addressed to named recipient” (see [148]-[154]).
Mere risk of opening was also insufficient, both for MPI and GDPR claims: “A near miss, even if it causes significant distress, is not sufficient. Without the contents of the ABS coming to the attention of a third party there is no viable claim for misuse of private information” (see [145]-[146]).
What about the 14 that did plead that their envelopes were in fact opened? At least some of these smacked of triviality or very low impact/very ambitious compensation claims. But Nicklin J was not prepared to strike them out or dismiss them summarily: see [155]-[164]. He did not determine arguments about thresholds of seriousness (including the question of whether there is one under the GDPR, at least in the UK: at CJEU level, see UI -v- Österreichische Post AG), and he was not prepared to strike them out as a disproportionate abuse of process on Jameel grounds, given that only 14 claims survived, and the Court could find a way to manage those proportionately. Had liability not been in issue, these claims would clearly be for the small claims track of the County Court (see [163]). As to how they should in fact progress, Nicklin J intimated that there may need to be a trial of a preliminary issue as to whether Equiniti is a controller or a processor or possibly a trial on liability. The way forward in relation to the 14 remaining claims will be determined at a further hearing.
11KBW’s Andrew Sharland KC and Hannah Ready, instructed by Freeths, acted for Equiniti.
Robin Hopkins