Skip to main content

Data breach claims – a step in the right direction

Should even low level (and low value) data protection claims be issued out of the Media and Communications List (MACL) of the High Court?

In our recent data protection claims webinar, one of the topics covered was the argument by claimants that even low level (and low value) data protection claims need to be issued out of the Media and Communications List (MACL) of the High Court. This is based on a misinterpretation of CPR 53.1(3) which confirms that High Court claims that include “a claim in data protection law” must be issued out of the MACL. However, any such claim needs to be suitable for the High Court in the first instance.

Confirmation that such claims are suitable for the relevant local county court was recently provided in B v D Council [2020]. In short, the claim involves an isolated data breach arising out of human error when an email containing limited personal data was sent to a third party. The error was swiftly rectified, the council apologised and a breach of the GDPR was admitted. Despite the defendant’s pre-litigation confirmation that the claim was suitable for the county court, the claimant issued the claim out of the MACL of the High Court in London. The defendant’s application to transfer the claim to the local county court was successful, Senior Master Fontaine holding that:

  • Practice Direction 7A 2.9A confirms such claims may be started in the county court and factors to consider are value, complexity and the importance of the outcome to the public.
  • Similarly, the criteria in CPR r.30.3(s) apply, including value, convenience, complexity and the need or otherwise for a specialist judge.
  • Applying these factors, the claim was very much at the lower end of the spectrum of complexity and importance and it was disproportionate for the claim to occupy the resources of the High Court.
  • The allegations of negligence and breach of Article 5(1)(f) GDPR (organisational deficiencies) took matters no further. This was a case of simple human error that is a fact of modern life and the breach was admitted.
  • In addition to the claim meeting the relevant criteria for the county court, the Senior Master was concerned to note the claimant’s “wholly disproportionate” costs budget of nearly £30,000 and considered it significant that the claim involved the public funds of a local authority.

The claim was transferred to the county court local to both parties and the claimant was ordered to pay the defendant’s costs of the application.

Comment

This is a helpful decision for defendants generally (and public bodies in particular) who are dealing with increasing numbers of low level data breach claims that are being unnecessarily over-complicated in a way that increases costs. Arguments that such claims are suitable for the High Court often appear as standard in letters of claim. This point should be addressed in protocol response letters such that the defendant’s position is clear and, as here, it may secure its costs of the court adjudicating on the issue at a later date.

Peter Wake, Partner and Head of Local Government Litigation at Weightmans LLP acted for the Defendant in this case. 

The Weightmans Cyber Team (CyXcel) provides advice to a whole spectrum of organisations on matters relating to data protection, cyber resilience, response and liability.

Share on Twitter