Introduction
Claims for compensation for alleged privacy violations continue to be brought in large numbers before the courts in both the UK and EU countries.
In the recent case of Graeme Smith & Others (“the individuals”) v TalkTalk Telecom Group PLC (“TalkTalk”) the UK High Court dismissed the individuals’ claim that TalkTalk could be liable for misuse of private information by creating a situation of vulnerability whereby the individuals’ data was open to exploitation by third parties. However, the court allowed the data protection infringement claim to continue. This article briefly highlights the key points in the case.
What’s this all about?
The individuals who brought the claim were customers or prospective customers of TalkTalk and/or family members. They claimed that TalkTalk stored and processed their personal data and that their personal data had been obtained from TalkTalk’s IT systems by unknown criminal third parties who used it to commit fraud against the individuals.
The claim concerned two main data breach incidents along with a claimed category of “unconfirmed” data breaches; one of the two main incidents concerned the actions of a third-party service provider and resulted in a £100,000 fine imposed by the UK’s data protection regulator the ICO, and the other incident concerned a cyber-attack and resulted in a £400,000 fine imposed by the ICO.
With regard to the two main incidents, certain individuals alleged that TalkTalk had failed to adequately protect their data, and, with regard to the “unconfirmed breaches” certain other individuals alleged that they had been “scammed by criminals who (as a matter of obvious inference) were using data held by [TalkTalk] and which must have been subject of a data breach”.
The claims concerning the two main incidents were for damages for the tort of misuse of private information along with compensation for breach of statutory duty under the Data Protection Act 1998 (which was the previous UK data protection regime). The claims concerning the “unconfirmed breaches” were for compensation under the Data Protection Act 1998.
TalkTalk applied to strike out and/or dismiss the misuse of information claims summarily.
What did the court rule?
The court ruled as follows:
- It rejected the misuse of private information part of the claim;
- According to the judge, “[a]lthough the [individuals] allege that [TalkTalk] took positive steps which resulted in their personal data being vulnerable to unauthorised access by third parties, those steps cannot constitute the “misuse” which caused the damage alleged in the claim. The misuse of information that caused the [individuals] the alleged harm is the criminal obtaining and use of information by fraudsters to scam them out of money”;
- Further, “[…] if a data controller knows that a system is defective and is being exploited by criminals to take information, that conduct does not give rise to liability for the tort of [misuse of private information]. That person may well be liable for a number of different breaches of principles of the [Data Protection Act 1998] or other civil wrongs. But they are not themselves in any true sense misusing the [individuals’] information within the tort of misuse of private information. The person “misusing” is the criminal hacker”;
- Instead, according to the judge, the claim was “a pure data protection claim” and the judge concluded that the individuals had provided enough to set out the “essential elements” concerning the “unconfirmed breaches”, although this inferential case was “not the clearest”. According to the judge, “[…] in a situation where a customer was the victim of an attempted scammer who had details of the customer’s TalkTalk account, it is a proper inference that the scammer had obtained the information from a vulnerability in [TalkTalk’s] systems (and thus a data breach)”; and,
- The judge also pointed out that “[…] the fact that there has been an incident affecting an individual’s personal data does not per se mean that [TalkTalk] is legally liable in respect of that incident; there is no such strict liability provided for under the [Data Protection Act 1998]”. “The [individuals] accept this. They do not argue that the simple fact of access to their data creates liability. Their pleading, although it could be better expressed, appears to me to rely on the breach of seventh principle [essentially, the obligation to keep data secure] by way of inference (and a number of additional principles)”. Accordingly, the judge ordered that the individuals amend their pleading to clearly set out their case.
The case will therefore continue, on the data protection aspects.
What are the takeaways?
The Court’s ruling is clear in that, for a party to be found liable under the tort of misuse of private information, a party must carry out a positive act from which (alleged) harm is caused to an individual/individuals, which in effect most likely rules out bringing a claim for misuse of private information in relation to third-party hacking incidents.
The upshot is that, in the UK, the only likely viable option for claims for compensation for privacy infringements will be to bring them in relation to data protection law (essentially, the UK Data Protection Act 2018). That said, recent judgments in the UK have pushed back on such claims, and even where a claim is successful, compensation is more likely to be at the lower end of the scale in amount.
Generally speaking, with regard to compensation claims alleging data protection infringements, considerations for businesses include the following:
- Make staff and the Board aware of both individual and class-action claim risks for alleged data protection breaches;
- Set up and undertake regular compliance audits or reviews in order to identify, rectify and prevent issues that could involve either an individual claim or a class-action claim;
- Check the liability provisions in vendor agreements and revise them where appropriate;
- Consider looking into insurance cover issues; and,
- If you are on the receiving end of a claim, ensure that you act fast!
More information
We have reported on data protection claims issues recently here https://www.corderycompliance.com/ecrca-dpc/, and here https://www.corderycompliance.com/thebountycase/, and here https://www.corderycompliance.com/ali-v-luton-rogue-employee/ & here https://www.corderycompliance.com/dp-infringement-stadler-currys/ & here https://www.corderycompliance.com/damages-minor-dp-infringement/ & here https://www.corderycompliance.com/lloyd-v-google-ruling/.
Our FAQs about EU representative action/class-action rules can be found here https://www.corderycompliance.com/eu-class-action-faqs/.
We report about data protection issues here: https://www.corderycompliance.com/category/data-protection-privacy/.
For information about our Cordery GDPR Navigator tool please see http://www.corderycompliance.com/solutions/cordery-gdpr-navigator/
The UK Court’s ruling can be found here: https://caselaw.nationalarchives.gov.uk/ewhc/qb/2022/1311?s=09
For more about GDPR please also see our GDPR FAQs which can be found here: http://www.corderycompliance.com/eu-data-protection-regulation-faqs-3/ and our Data Protection Glossary which can be found here: http://www.corderycompliance.com/?s=glossary.
For more information please contact André Bywater or Jonathan Armstrong who are commercial lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH | André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1784 | Office: +44 (0)207 075 1785
Jonathan.armstrong@corderycompliance.com | Andre.bywater@corderycompliance.com