High Court rules there is no liability for a de minimis data breach

Back in 2018, Richard Lloyd launched an opt-out class action lawsuit against Google on behalf of over four million people, for perceived breaches of data protection law – three years later, the words Lloyd v Google are (for some of us) all too familiar as we await the hotly-anticipated judgment of the Supreme Court. This article doesn't look back at the road already travelled (you can read our extensive coverage on our UpData blog) or focus on the hugely significant effect Lloyd could have on group claims in the UK (for that, see here). Rather, we and the Courts are starting to think about how such group claims might actually be brought, in particular, in light of some welcome guidance in the recent case of Rolfe & Ors v Veale Wasbrough Vizards LLP.

The de minimis principle

The argument put forward by Google is that the Supreme Court should be alive to the risk of opening the floodgates to mass class action litigation in the UK. Certainly, if the Court of Appeal's judgment in Lloyd v Google is upheld, opt out data class actions will almost inevitably become a hugely significant and complex part of the litigation landscape, for almost all corporates in every sector. One way the Supreme Court can be expected to manage this risk, if indeed they choose to do so, is by applying a de minimis threshold to data loss claims.

In the Court of Appeal judgment, Sir Geoffrey Vos C noted it was common ground that a de minimis threshold should be applied to damages claims for breaches of the Data Protection Act 1999, applying the approach of Mitting J in case of TLT and others v The Home Office [2016]. Whilst Mitting J provided little clarity on how the de minimis threshold should be applied in principle (he only noted that it should be applied), Sir Geoffrey Vos thought that such a threshold excluded "for example, a claim for damages for an accidental one-off data breach that was quickly remedied" (recognising that the facts of Lloyd v Google did not fall within this exemption).

Welcome guidance in Rolfe & Ors v Veale Wasbrough Vizards LLP

It is fair to say that case law up until 2020 has left data controllers with little guidance on how the courts will deal with claims concerning data breaches. This is why the recent High Court judgment in Rolfe & Ors v Veale Wasbrough Vizards LLP [2021] EWHC 2809 (QB) makes for interesting reading and is welcome guidance for data controllers on the approach the High Court will take in claims concerning a one-off data breach.

The Defendants were lawyers who represented a school run by Moon Hall Schools Educational Trust (the School). The first two Claimants owed a sum of school fees, and the School had instructed the Defendants to write to the first two Claimants with a demand for payment. The email was sent to the wrong recipient who promptly responded, indicating that they thought the email was not intended for them. The Claimants (the intended recipients) brought a claim for damages for misuse of confidential information, breach of confidence, negligence, damages under s82 of the GDPR and s169 Data Protection Act 2013, plus a declaration and an injunction, interest and further or other relief.

Applying Sir Geoffrey Vos’s approach, the Court held that there was no credible case that distress or damage over a de minimis threshold could be proved. On the question of what harm had been done to the Claimants, the Master held that the claim was “plainly exaggerated” and the suggestion that any distress or worry was caused was a “frankly inherently implausible suggestion”. In the Master’s judgment “no person of ordinary fortitude would reasonably suffer the distress claimed arising in these circumstances in the 21st Century, in a case where a single breach was quickly remedied.” He later added that “In the modern world it is not appropriate for a party to claim, (especially in the High Court) for breaches of this sort which are, frankly, trivial. The case law…provides ample authority that whatever cause of action is relied on the law will not supply a remedy in cases where effectively no harm has credibly been shown or be likely to be shown.”

This is welcome relief for defendant’s who may be faced with low-level and isolated data breach claims. It might not be such welcome news for claimants (and indeed claimant law firms) who will need to prove, beyond a de minimis threshold that their (or their client’s loss) is more than trivial - a one-off data breach with little impact – is unlikely to be sufficient.

The wait is nearly over

Interestingly, the time for appeal of the Rolfe & Ors v Veale Wasbrough Vizards LLP judgment was extended to 21 days after the handing down of the Supreme Court decision in Lloyd v Google. This is likely to be because one of the issues that the Supreme Court has been asked to consider is whether a non-trivial infringement of the Data Protection Act 1999, which does not cause pecuniary loss or distress can result in damages being awarded for “loss of control” of personal information.

So whilst the High Court application of the de minimis principle is interesting reading, the approach to be adopted going forward remains to be determined by the Supreme Court judgment, which is expected to be handed down next Wednesday, 12 November 2021. It seems inherently unlikely that the Supreme Court would determine that no de minimis threshold applied in law, and if they did so this would run contrary to suggested reform to the legislation – where it is suggested that in the future data controllers may only need to report breaches that are ‘material’ (see here). We can expect, at a minimum, that the Supreme Court will agree with Sir Geoffrey Vos's interpretation, as has since been applied in Rolfe, but how much further it will go in limiting prospective data breach claims remains an answer we are waiting for.

If you found this interesting, there's a lot more comment you may find helpful on UpData, which provides regular updates on contentious, criminal and insurance risks relating to data, from cyber-attacks to regulatory enforcement.