There’s no doubt that data protection litigation continues to be a hot topic. Claims for compensation for alleged data protection infringements continue unabated. Whilst the recent UK Supreme Court ruling in the Lloyd v. Google mass claims case has been most prominent recent case there have also been other cases of note in particular about legal issues with claims where the alleged data protection infringements are minor. Recent cases include the Rolfe v. Veale case concerning the threshold for distress claims which we wrote about last month (see https://www.corderycompliance.com/ukdp-damages-claim-threshold/). The recent case of Emma Louise Johnson v. Eastlight Community Homes Ltd. is another similar noteworthy case where, amongst other things, the court ruled that minor cases like these should be brought at the lower court level. This article sets out highlights of the case.
What’s this all about?
Eastlight Community Homes Ltd. (“Eastlight”) provided low-cost social housing and Emma Louise Johnson (“Mrs. Johnson”) was one its tenants. On 1 September 2020 one of Eastlight’s other customers (“the third party”) requested a rent statement. Around 1.22pm, one of Eastlight’s employees sent a response by email but at the same time accidentally attached a compilation of rent statements of other Eastlight customers. Mrs. Johnson was amongst those customers and her personal information that was disclosed (appearing at pages 880-882 in a document of 6,941 pages) included her name, address, and recent rent payments made to Eastlight. The third party immediately notified Eastlight of the error by phone and was asked by Eastlight to delete the e-mail which at 3.45pm the third party confirmed had been done.
Eastlight emailed Mrs. Johnson on 20 September 2020 to apologise, inform her about the error and the fact that the information had been deleted, and to say that the data breach had been reported to the Information Commissioner’s Office (“the ICO”). Although Eastlight was of the view that reporting to the ICO was not necessary it nevertheless decided to report and when the ICO responded a few weeks later it confirmed that no action was required or would be taken as a result of the inadvertent data breach.
What happened next?
Mrs. Johnson made a claim against Eastlight which was eventually brought to the UK High Court seeking damages limited to £3,000. Mrs. Johnson alleged that the disclosure of her address possibly becoming known to her ex-partner had caused her distress.
The legal bases for the claim included misuse of private information, breach of confidence, negligence, human rights breaches, and breach of the general principles of the General Data Protection Regulation (“GDPR”).
Under the de minimis principle, at common law, whilst in principle damages can be recovered for data protection law infringements, including simply for distress caused, any distress must not be trivial. Mrs. Johnson argued that, amongst other things, this de minimis principle should not apply to claims concerning GDPR.
Mrs. Johnson also applied for an injunction to prevent this type of infringement occurring again.
The claim also stated that over £15,000 had already been incurred in costs with a total figure for costs just in excess of £50,000. Eastlight denied the claim and applied either, to have it struck out, or for summary judgment (a means to dispose of a case promptly without a full trial) as it had no real prospect of success.
What was the ruling?
The court ruled as follows:
- The de minimis concept is applicable to claims under GDPR, and also the UK Data Protection Act 2018. The court also noted that in Germany a court had ruled that GDPR (Article 82) does have a de minimis threshold and that, according to the German court, this “should not be construed in such a way that it justifies a claim for damages for every individually perceived inconvenience or for minor breaches without serious detriment”;
- The application for an injunction was “misconceived”;
- The information disclosed was simply routine and Mrs. Johnson’s distress was “more in the realms of the unknown or the hypothetical than in reality” and which was “historic rather than current”;
- Claims collateral to the GDPR claim would be “likely to obstruct the just disposal of these proceedings and take up disproportionate and unreasonable court time and costs”;
- There was no basis for issuing the claim in the High Court as the financial threshold was not met and the subject matter of the claim did not elevate it to High Court status. In fact, bringing this case to the High Court “constituted a form of procedural abuse”. As the court put it: “No serious privately paying litigant would contemplate spending over £50,000 in costs, not all of which may prove recoverable even in the event of success, and similarly expose themselves to the risk of a significant adverse costs order following High Court litigation if unsuccessful, for a damages claim less than £3,000.”;
- However, because, according to the court, the real point in this case was whether Mrs. Johnson was entitled to “purely nominal or instead extremely low damages” and because “the court should strive to provide a remedy to any litigant if it can”, the claim was not to be entirely struck out but instead was to be redirected to the more appropriate forum of the County Court, most likely to the Small Claims Track there.
So, procedurally the next steps would be to decide on the location and transfer of the case, and to determine costs.
What are the takeaways?
The main takeaways are as follows. First, data protection infringement compensation claims involving trivial incidents should only be brought in the County Court. Second, “kitchen-sink” style claims alleging a raft of legal infringements (i.e. not just data protection infringements) are common and will likely continue. Third, bringing such trivial incident cases may have serious costs implications for those bringing them, including where the “kitchen-sink” parts are dismissed especially if costs issues are finally decided by the High Court (cases brought in the County Court will have a reduced cost exposure though for those bringing claims). Fourth, it is interesting that the court referred to German case-law about GDPR damages issues and so when dealing with data protection infringement compensation claims it is worth looking at cases from other jurisdictions, an approach that we have always adopted at Cordery.
Data protection infringement compensation claims involving trivial incidents abound and it can be expected that individuals will not be deterred by rulings like this one and individuals will continue to bring similar cases (possibly at the High Court level too). Organizations should therefore be prepared and consider managing these cases with care. Our experience is that a firm reply to the letter before action from lawyers experienced in these type of cases is key. The rules around bringing these cases can be complex and often a series of “kitchen-sink” style legal aspects are put forward. But, by taking the time to understand the process, an organization can get hands-on with a claim brought against it at a very early stage and be equipped to deal with it effectively.
Cordery’s GDPR Navigator subscription service is an expansive set of resources and a community of peers helping companies deal with GDPR and related issues. GDPR Navigator includes short films, straightforward guidance, checklists and regular conference calls to help you comply. More details are at www.bit.ly/gdprnav.
We’ve written about data protection compensation issues including here https://www.corderycompliance.com/ukdp-damages-claim-threshold/, here https://www.corderycompliance.com/data-protection-breaches-and-compensation-litigation-issues-for-consideration/, here https://www.corderycompliance.com/scope-restrictions-data-breach-comp-claims/, and here https://www.corderycompliance.com/aven-v-orbis-compensation-awards/.
The court’s judgment can be found here https://www.bailii.org/ew/cases/EWHC/QB/2021/3069.html.
We report about data protection issues here https://www.corderycompliance.com/category/data-protection-privacy/.
We report about compliance issues here https://www.corderycompliance.com/news/.
For more information please contact André Bywater or Jonathan Armstrong who are lawyers with Cordery in London where their focus is on compliance issues.
|Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH||André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH|
|Office: +44 (0)207 075 1784||Office: +44 (0)207 075 1785|