Trivial data breach claim struck out
This is a helpful judgment in a developing area of the law. It is suggestive of a ‘real world’ approach to claims of this type generally.
In a sensible and welcomed decision, the High Court has dismissed a low-level data breach claim on the basis that it was simply insufficiently serious to ground a viable claim. In a short and pithy judgment in Rolfe v Veale Wasbrough Vizards LLP  EWHC 2809 (QB) Master McCloud granted the defendant summary judgment, commenting that:
“There is no credible case that distress or damage over a de minimis threshold will be proved. In the modern world, it is not appropriate for a party to claim, (especially in the High Court) for breaches of this sort which are, frankly, trivial”.
The claim was brought after the defendant mistakenly sent information regarding school fees to the wrong email address. The incorrect recipient contacted the defendant straight away and confirmed the letter had been deleted. Despite the email and attachment containing only a statement of account of fees and no other personal or sensitive data, a damages claim was issued setting out all the usual causes of action and seeking an award for distress as well as a declaration and an injunction.
The court gave the claim short shrift and in granting summary judgment to the defendant made some helpful general findings:
- A claim cannot succeed where any possible loss or distress is not made out or is trivial.
- The suggestion that the breach caused significant distress was ‘frankly inherently implausible’.
- No person of ordinary reasonable fortitude would reasonably suffer the distress claimed.
- Per Lloyd v Google  EWCA Civ 1599, as a “one-off data breach that was quickly remedied” it did not meet the threshold of seriousness test.
The Master also appears to have accepted the defendant’s argument that there was no real “loss of control” of personal data and that “loss of control” means something more than a third party briefly having access to anodyne personal information before promptly deleting it.
This is a helpful judgment in a developing area of the law. It is suggestive of a ‘real world’ approach to claims of this type generally. Specifically, it also brings coherence and reality to the legal principles of “de minimis” and “loss of control” in the context of low-level data breach claims.
If there is anything you want to discuss or if you require any further assistance relating to the issues raised, please contact our data protection and GDPR team.