Skip to main content
Legal case

Data breach litigation — more useful High Court guidance

The High Court provided further guidance on two important issues in data breach claims.

In Underwood v (1) Bounty UK Ltd (2) Hampshire Hospitals NHS Trust [2022] QB the High Court provided further guidance on two important issues in data breach claims — the requisite threshold of seriousness and claims for exemplary damages.

The facts of the claim are of less importance than the guidance provided. Briefly, the first defendant (“Bounty”) was fined £400,000 by the ICO in 2019 in respect of data harvested from expectant mothers that it sold on to third parties. The claim against the hospital as second defendant was dismissed on the basis that the unlawful conduct was solely by Bounty and there was no breach of data protection legislation by the hospital. In dismissing the claim, Nicklin J also held:

  • There was no positive act on the part of the hospital that could constitute misuse of private information (‘MPI)’. It was insufficient to sustain a cause of action in MPI that the hospital permitted the Bounty representative access to the claimants.
  • Even if a claim in MPI was viable, the information in question was “trivial”, amounting only to the name, gender, and date of birth of the second claimant child. Such information did not reach the “level of seriousness required before the tort is engaged”.
  • The claim for exemplary damages was misconceived and should never have been included. Such claims are “wholly exceptional”.

This decision from the judge in charge of the Media and Communications List provides further helpful guidance in the field of data breach litigation where claims for MPI and exemplary damages are often inappropriately included simply as a matter of course and, where it is often argued, that insignificant personal data grounds a claim for damages.     

The judgment also sits neatly alongside the decisions in Warren v DSG Retail [2021] EWHC 2168, in which the court dismissed a claim in MPI arising out of a cyberattack, and Rolfe v & Ors v Veale Wasbrough Vizards LLP [2021] EWHC 2809 in which a low-level claim was dismissed on de minimis principles.

If you’d like to discuss the content of this article in detail, or if you’d like any further assistance relating to data claims and cyber, please contact Peter Wake directly or visit our technology and cyber page.