Data breach litigation — where are we now and what lies ahead?
When a legal term or acronym enters everyday parlance, it generally indicates that knowledge of the underlying subject matter has expanded beyond the norm. We have seen it with ‘whiplash’, ‘PPI’ and arguably now with ‘GDPR’. In May 2021, it will be three years since the General Data Protection Regulation came into force. In this article, and with a focus on low-level data breach claims, we consider the current landscape, the direction of travel and what may be appropriate if further control measures are required.
The current landscape
The GDPR contains important and demanding obligations for data controllers. However, it did not bring forth either entirely new liabilities or a regime for individuals to claim compensation where none existed previously. Whilst the GDPR and the Data Protection Act 2018 arguably strengthened the rights of individuals and imposed new requirements on data controllers, a mechanism for redress was already contained within the Data Protection Act 1998. Further, case law had confirmed that data subjects could be awarded damages for distress even if no financial loss was suffered (per the Court of Appeal judgment in Vidal-Hall v Google, the internet giant surprisingly withdrawing its appeal to the Supreme Court).
However, it is undoubtedly the case that organisations (particularly those in the public sector) are receiving increasing numbers of data breach claims. There appear to be a number of reasons for this:
- The digital age — the volume of data that is produced, collected, stored, analysed and processed has increased exponentially in recent times.
- Awareness — even a cursory use of the internet, whether to browse or to shop, will confirm to the user that organisations are obliged to proceed with caution when collecting and using personal data. With permission requests comes a greater understanding of individual rights.
- Advertising — an internet search using the words ‘data breach’ will bring up three or four firms of solicitors advertising their litigation services before one sees a link to the Information Commissioner’s Office further down the page.
- Revenue — as the traditional injury claims market diminishes with tighter control over legal costs, lawyers are exploring new revenue streams. The field of data breach claims is clearly seen as potentially fruitful, with scope for argument about the costs that may fall to be recovered.
- Loss of control damages — claimants are pursuing claims even when there has been no obvious privacy breach, arguing that simple mistakes that cause a ‘loss of control’ of an individual’s data may sound in damages (per Lloyd v Google EWCA Civ 1599).
We look at some of these issues in more detail below.
Direction of travel
As these low-level data breach claims increasingly come into litigation, there are some common themes that are often contested between the parties:
- Protocol compliance — data protection claims are governed by the Media and Communications Protocol. It is important for defendants to adhere to the Protocol. Often the 14-day deadline for a response is neither feasible nor necessary and extensions should be sought as appropriate.
- Multiple causes of action — pro-forma letters of claim often include multiple causes of action alongside an alleged statutory data breach (e.g. misuse of private information and breach of confidence). Often such causes of action are either not made out or take the claim no further than the statutory regime.
- Court venue — claimant representatives can pursue a misguided argument that any data protection claim must be issued out of the Media and Communications List of the High Court. This is plainly wrong and is supported neither by the Protocol nor the Civil Procedure Rules. It seems clear that low-level data breach claims will generally be suitable for the county court.
- Court track — this is perhaps the most hotly contested of the issues. In short, claimants seek allocation to the multi-track or fast-track on the basis that such an allocation gives rise to an arguable entitlement to standard costs. By contrast, allocation to the small claims track means that nothing beyond minor fixed costs is recoverable. Given that claimants are invariably signed up to Conditional Fee Agreements, the significance of allocation is obvious. There is no clear guidance and often the issue of allocation will be dictated by the specific facts of the case. However, it is suggested that many low-level data claims are suitable for the small claims track. There is some support for this position in a recent judgment of the Judge in Charge of the Media and Communications List (Mr Justice Warby). In the case of Ameyaw v PWC & Ors, and in respect of a claim under the DPA 2018 relating to an alleged failure to comply with a subject access request, the judge held, “The proportionate means of disposing of this claim is to transfer it to the County Court, for resolution (I would think) in the small claims track.”
- Quantum — the quantification of data breach claims is a topic in itself. However, it is clear that a de minimis principle applies, i.e. if the data infringement is trivial then the court is entitled to refuse to make an award of damages. In Lloyd, the Court of Appeal stated that the “threshold of seriousness…would undoubtedly exclude…a claim for damages for an accidental one-off data breach that was quickly remedied”.
- Additional costs liabilities — since 6 April 2019, success fees are no longer recoverable in “publication and privacy proceedings”, although ATE premiums are. Interestingly, data protection claims are not included in the definition of “publication and privacy proceedings”. In those cases where the statutory data protection regime provides adequate redress, such that further causes of action are not justified, then if it cannot be argued that costs are not recoverable it may still be possible to dispute the entitlement to recover the cost of an ATE premium.
What lies ahead
As can be seen, there are numerous litigation battlegrounds and it will take time for consistency to emerge. Further clarification of certain important issues, not least the issue of “loss of control”, will hopefully be dealt with clearly by the Supreme Court when it hears Google’s appeal in Lloyd later this year.
It is important that defendants and their insurers are well-versed in the key themes, as often the tone of a claim and the foundation of an organisation’s position (and the supportive basis for later argument) are laid out at the pre-litigation stage. Given the fertile landscape for litigation that a lack of clarity can create, it is to be hoped that the Ministry of Justice will recognise that low-level data breach claims are not only disproportionately occupying court resources but also often turning into a dispute about costs. Such a situation is unsatisfactory and this field of litigation is arguably eminently suitable for a streamlined portal that provides for both prompt redress for claimants in appropriate cases and tightly controlled costs.