Data breach claim suitable for small claims track
How the court dealt with the reliance of complexity arguments in this particular case
Readers may recall our recent update on the case of B v D Council  in which Senior Master Fontaine transferred a low value data claim from the High Court in London to the local county court. The Senior Master held that the claim was very much at the lower end of the spectrum of complexity and importance and it was disproportionate for the claim to occupy the resources of the High Court.
Following the transfer of the claim to the county court, the District Judge considered the papers and allocated the claim to the small claims track (SCT). The claimant promptly applied to vary the order and seek reallocation to the multi-track (or alternatively to the fast track). The application was dismissed. Applying the relevant criteria in CPR 26.8(1), the claim was plainly suitable for the SCT:
- The value of the claim was squarely within the SCT.
- Whilst the remedies, including an injunction, were arguably complex, the injunction was unlikely to succeed on the facts and the court was required to consider the “likely prospect of success” of such arguments when dealing with track allocation.
- Liability was admitted and the law relating to damages was not complex. In any event, matters of law were commonly argued on the SCT.
- Whilst allocation to the SCT might impact on the availability of legal representation for the claimant, when considered alongside the issue of proportionality and potential costs in excess of £30,000 (the claimant having previously served a costs budget totalling £29,000), the SCT was the appropriate track.
This is a welcome decision. Of particular importance is how the court dealt with the reliance on complexity arguments relating to the claimant’s ongoing claims for an injunction, a declaration and allegations of negligence. The court rightly looked past the labels and considered the true contents of the bottle. On the facts of the case, such arguments had little prospect of success and this was relevant to the issue of allocation to track. Further, the claim in negligence (which had not been presented pre-action) was effectively redundant. Liability for improper processing of personal data was circumscribed by the statutory data protection regime in the DPA 2018 and GDPR and there was no co-extensive duty of care (as confirmed in Smeaton v Equifax Plc  EWCA Civ 108).
The Weightmans Cyber Team CyXcel provides advice to a whole spectrum of organisations on matters relating to data protection, cyber resilience, response and liability.Find out more about CyXcel