The cases summarised give considerable comfort to data controllers seeking to defend themselves against claims that relate to breaches arising as a result of a failure rather than a direct act and/or are based on assertions of damage or distress that are exaggerated, unsubstantiated or bear little relation to the breach itself.
This article is taken from November's public matters newsletter. Click here to view more articles from this issue.
In recent years something of an industry has developed around claims arising from data breaches. Historic and often admitted data breaches became the source of lengthy and apparently standard pre-action correspondence sent on behalf of claimants engaged in ‘no win no fee’ arrangements and backed by after the event (“ATE”) insurance. Changes to the cost recovery rules had prohibited the recovery of ATE premiums in many classes of action, but a carve out existed for privacy cases. Therefore, in order to ensure a claim stayed within the carve out, claimant firms had to include privacy grounds as part of any threatened claims. Such claims were often settled on commercial grounds with a compensation payment in the low thousands but with costs demanded at five times or over that amount plus the ATE premiums, which themselves could be relatively high.
At the same time, privacy campaigners such as Lloyd and Vidal-Hall were pursuing litigation seeking to secure the recovery of damages for data breaches alleged to have been committed by global internet providers. A potential tsunami of data breach cases appeared on the horizons of all of us who practice in this area. Thankfully three recent decisions have operated to significantly reduce that threat while at the same time limiting the types of action available to claimants in what are likely to be a significant proportion of common data breach scenarios.
On 10 November 2021, the Supreme Court handed down the much anticipated judgment in Lloyd v Google LLC [2021] UKSC 50 (Lloyd v Google). The Supreme Court’s judgment, together with two recent High Court cases discussed below, have significantly limited the availability of damages for “technical” breaches of the data protection legislation where the claimant has failed to demonstrate any actual damage or distress.
As many of you will be aware, Lloyd v Google was a case about the ‘Safari Workaround’ software installed by Google on Apple iPhones. This software allowed cookies to track users across websites, enabling Google to offer targeted advertising for financial gain. A representative claim for damages for breach of the Data Protection Act 1998 (“1998 Act”) was brought by Mr Lloyd on behalf of himself and the millions of other individuals purportedly affected by this software. Our previous article on this case sets out the factual background in more detail.
On the issue of damages, the Court of Appeal had previously held that damages are, in principle, capable of being awarded for loss of control of personal data under the 1998 Act without the need to prove financial loss or distress. The Supreme Court disagreed. In a unanimous decision, the Supreme Court held that while ‘loss of control’ damages were potentially available where the tort of misuse of private information was pleaded (citing Gulati v MGN Ltd [2017] QB 149), no such damages were available for claims brought under section 13 of the 1998 Act. Rather, to obtain compensation for a breach of the 1998 Act, each claimant needed to demonstrate that there had been wrongful use made of their personal data and that he or she had suffered “material damage or distress”. In the present case, there was no such evidence.
It is important to note that the Supreme Court was considering damages available under the 1998 Act, and there was no consideration of the position under the GDPR (now known as the “UK GDPR”). Our initial view is that the Court’s reasoning applies equally to the current regime and ‘loss of control’ damages will not be available for breaches of the UK GDPR where there has otherwise been no real damage or distress. However, claimant law firms are unlikely to accept this view of the law without testing the issue and further judicial consideration will ultimately be required.
The Supreme Court’s decision is of even greater significance to data controllers who are defending data breach claims when read with two decisions of the High Court earlier this year: Warren v DSG Retail Ltd [2021] EWHC 2168 (QB) (“Warren”) and Rolfe & Ors v Veale Wasbrough Vizards LLP [2021] EWHC 2809 (QB) (“Rolfe”).
Warren concerned a clam brought by a customer against Dixons Carphone following a cyber attack that had penetrated its systems and in respect of which it had received the maximum fine from the ICO. As is usually the case in claims of this type, the Claimant had alleged misuse of private information, breach of confidence, breach of the 1998 Act, and negligence. Dixons Carphone successfully applied to have all of these heads of claim struck out except that relating to the failure to have adequate security in place as required by the seventh data protection principle contained in Schedule 1 to the 1998 Act. The Court allowed the application for strike out because neither the duty of confidence nor the right to privacy imposed a data security duty on the holders of information (even if that information was private or confidential). Rather, these areas of the law were concerned with prohibiting actions by the holder of information which are inconsistent with the obligations of confidence/privacy. Simply put, there needed to be some “positive action” (which may include unintentional use) on the part of the data controller to establish a cause of action for misuse of private information or breach of confidence. No such positive action had occurred in Mr Warren’s case.
The High Court also reaffirmed the principle that there was no duty of care where the statutory duties under the 1998 Act were in play (citing, Smeaton v Equifax Ltd [2013] 2 All ER 959). In any event, there was no duty of care owed by the controller to the data subject in the circumstances of this case, and damages for mere distress were not available for the tort of negligence.
In Rolfe, the High Court was required to decide (in light of an application for summary judgment filed by the Defendant) whether there was a reasonable prospect of the claimants showing that the loss and damage claimed crossed the de minimis threshold. The data breach in question occurred after a school had instructed the Defendant firm of solicitors to write to the first two claimants with a demand for payment of school fees, and the email sent by the Defendant (consisting of a letter and a copy of the statement of account for the third claimant child) was sent to the wrong email address after the mother’s email address was typed incorrectly. The third party who received the email did not know the claimants personally and confirmed to the defendant that she had deleted the email after being promptly asked to do so by the defendant when notified of the error.
The Court held that a claim cannot succeed where any possible loss or distress is not made out or is trivial; there needs to at least be some material damage. Taking into account the nature of the breach, the nature of the information and the steps taken to mitigate the breach, the Court considered that it was no more than fanciful to suppose either that actual loss had been suffered, or that distress has been suffered above a de minimis level. Nor was there any real loss of control of personal data with any financial value of the type relevant in the cases of Lloyd v Google and Gulati discussed above.
The cases summarised above give considerable comfort to data controllers seeking to defend themselves against claims that relate to breaches arising as a result of a failure rather than a direct act and/or are based on assertions of damage or distress that are exaggerated, unsubstantiated or bear little relation to the breach itself. The removal of privacy claims from many data breach cases means that the carve out referred to above is no longer available and ATE premiums will accordingly not be recoverable. It is hoped that this will have a chilling effect on the claimant industry and stem the tide of unmeritorious and exaggerated data breach claims.
For more information or assistance please contact Ros Foster and Matthew Alderton.
Senior Associate
matthew.alderton@brownejacobson.com
+44 (0)330 045 2747
Law firm Browne Jacobson has collaborated with Wiltshire Council and Christ Church Business School on the launch event of The Council Company Best Practice and Innovation Network, a platform which brings together academic experts and senior local authority leaders, allowing them to share best practice in relation to council companies.
In the Autumn Statement delivered on 17 November, rises to the National Living Wage and National Minimum Wage rates were announced, to take effect from 1 April 2023:
Announced in September but scrapped on 17 November the investment zone proposals were very short lived. The proposal has now morphed into the proposal for a smaller number of clustered zones earmarked for investment.
Settlement agreements are commonplace in an employment context and are ordinarily used to provide the parties to the agreement with certainty following the conclusion of an employment relationship. There are already restrictions on the extent to which personal injury claims can be settled by a settlement agreement. There have also been numerous consultations about the use of non-disclosure agreements and confidentiality clauses, particularly where allegations of sexual harassment and discrimination have been raised. In any event, it is clear that settlement agreements should not be used to prevent an employee from raising a protected disclosure.
On 2 November 2022, the Supreme Court handed down its judgment in the much awaiting case of Hillside Parks Ltd v Snowdonia National Park Authority [2022] UKSC 30. The Court’s judgment suggests that the long established practice of using drop-in applications is in fact much more restricted than previously thought. This judgment therefore has significant implications for both the developers and local planning authorities.
In ‘failure to remove’ claims, the claimant alleges abuse in the family home and asserts that the local authority should have known about the abuse and/or that they should have removed the claimant from the family home and into care earlier.
Across the UK, homelessness is an urgent crisis, and one that is set to grow amid the rising cost of living. Local authorities are at the forefront of responding to this crisis, but with a lack of properties that are suitable for social housing across the UK, vulnerable individuals and families are often housed in temporary accommodation.
A deepfake of Bruce Willis is advertising Russian mobile phones. Many great artistic and metaphysical questions are raised by this performance. However, this article is going to look at the intellectual property law implications, from a UK perspective.
Settlement agreements in an employment context are ordinarily used to provide both parties with certainty following the conclusion of an employment relationship – but what happens when there is alleged discrimination after entering into a settlement agreement?
The Digital Services Act (the “DSA”) has today (27 October) been given the go-ahead by the EU Council and will enter into force by early 2024.
Updates include UK Shared Prosperity Fund, contracts, Subsidy Control Bill, data controller liability, Government Covid-19 procurement and Highway Code revisions.
The complex and rather nebulous transitional subsidy control regime set out in the UK-EU Trade and Co-operation Agreement and the UK’s wider international commitments has made it difficult for public authorities and those working with them to proceed with certainty where subsidies are involved.
Investment zones have been introduced by the Conservative party to get the United Kingdom (UK) ‘working, building and growing’. They are to be designated sites which provide time-limited tax incentives, streamlined planning rules and wider support for local growth to encourage investment and accelerate the development of housing and infrastructure that the UK needs to drive economic growth. Processes and requirements that slow down development will be stripped back with the intention of attracting new investment.
Created at the end of the Brexit transition period, Retained EU Law is a category of domestic law that consists of EU-derived legislation retained in our domestic legal framework by the European Union (Withdrawal) Act 2018. This was never intended to be a permanent arrangement as parliament promised to deal with retained EU law through the Retained EU Law (Revocation and Reform) Bill (the “Bill”).
It is clear that the digital landscape, often termed cyberspace, is a man-made environment, in which human behaviour dominates and where technology both influences and aids our role in it — through the internet, telecoms and networked computer systems, which are often interdependent. The extent to which any organisation is potentially vulnerable to cyber-attack depends on how well these elements are aligned.
Three months on from the commencement of the new statutory Integrated Care Systems (ICS) Anja Beriro and Gerrard Hanratty reflect on the main themes and issues that have come from the new relationship between local government and health.
The Procurement Bill (the Bill) has now been with us for about four months, during which time there have been a huge number of amendments proposed in the House of Lords (circa 320). Lately, there has been less mention of it — unsurprising, really, given everything else going on in politics recently — but here’s a summary of some of the key issues and themes so far.
Browne Jacobson has been named as a supplier on Crown Commercial Service’s (CCS) Public Sector Legal Services Framework on Lot 1a – full-service provision (England and Wales) and Lot 2a – general service provision (England and Wales).
Browne Jacobson has been ranked as a Top Tier law firm in 25 key practice areas in Legal 500 UK 2023, the independent directory of comparative law firm performance. The firm also continues to underpin its status as one of the leading law firms in the East Midlands region with 16 Tier 1 rankings.
Welcome to our September edition of Public Matters, our monthly round-up of legal updates, news and insights for the public sector.
Since the UK left the EU and are now able to move away from the EU data protection regime, the UK government have implemented a national data strategy with the aim of reducing the burden on organisations but maintaining a high data protection standard.
The Chancellor’s recent mini-budget provided a significant announcement for business as it was confirmed that the off-payroll working rules (known as “IR35”) put in place for public and private sector businesses from 2017 and 2021 will be scrapped from April 2023.
Devolution is the transfer of powers in areas like transport, housing and skills in England and since the Cities and Local Government Devolution Act 2016 has been a much-discussed topic.
In this article we look at local authority companies and whether they are subject to the Freedom of Information Act 2000. And for those that are, what information are they legally obliged to submit.
The Department for Levelling Up, Housing and Communities (DLUHC) has published a consultation on proposals to require Local Government Pension Scheme (LGPS) administering authorities (AAs) in England and Wales to assess, manage and report on climate change risks.
The concept of Legal Project Management (“LPM”) is increasingly relevant to the delivery of legal services, both in-house functions and private practice law. This is unsurprising, LPM is crucial if lawyers are to add value by controlling budgets, communicate pro-actively on risk mitigation and costs, and manage time by resourcing to deal with pinch points in the project.
The Department for Education (DfE) have announced that the conversion of Donisthorpe Primary School in Leicestershire on 1st September marked the 10,000th academy conversion.
Welcome to our August edition of Public Matters, our monthly round-up of legal updates, news and insights for the public sector.
On 31 August 2022, the Court of Appeal handed down the Judgment in respect of the appeal case of HXA v Surrey County Council and YXA v Wolverhampton City Council [2022].
This month, HM Treasury issued a consultation on Administrative Control Process for Public Sector Exits with draft guidance. They’re proposing to introduce an expanded approvals process for employee exits and special severance payments, and additional reporting requirements. If approved, the proposals will impact public sector bodies and those that do not have a specific right to make exit payments.
The focus on the Levelling Up agenda and the availability of grant funding, means there are numerous important regeneration schemes actively being pursued across the country. With ever-escalating project and building costs, in many cases, applications that were made for grant funding were based on costs contingencies that have already been exceeded.
The Digital Markets Act (the “DMA”) joins the dots between competition law and data protection law and actively targets data-driven platforms. It is also a comprehensive regulation to take note of, with familiar GDPR-style fines tied to turnover.
The Government has recently published its response to the consultation on Subsidies and Schemes of Interest and of Particular Interest under the Subsidy Control Act 2022. In this article, our subsidy control experts discuss some of the key points coming out of the response, and their impact for public authorities.
Deprivation of Liberty Safeguards was due to transition to Liberty Protection Safeguards in October 2020 but delayed due to the pandemic. While the public consultation has now closed and we’re still unclear of what the final legislation and code will look like, it’s worth noting and keeping a watching brief.
In November 2021, The Civil Justice Council’s published its interim report on proposed changes to the current Pre-Action Protocols, which included a mandatory Alternative Dispute Resolution (ADR) gateway. In this article, we look at proposed reforms and consider what this could mean for your case.
The use of social media platforms and applications can have overwhelmingly positive benefits for public bodies. However, regulatory action recently taken by the Information Commissioner, has highlighted various pitfalls that public bodies should seek to avoid if allowing staff to use social media as a communication tool.
