English High Court Confirms Narrow Approach to Assessment of Data Breach Liability
In Short
The Development: Recent High Court caselaw suggests a more restrictive approach to the treatment of damages claims in relation to data breaches (including pursuant to the UK General Data Protection Regulation ("UK GDPR")), which will be welcomed by UK data controllers and processors. However, the growth of specialist data breach law firms means that further attempts to broaden access to damages are inevitable.
The Background: The UK Supreme Court's ("UKSC") decision in Lloyd v Google determined that damages claims under the Data Protection Act 2018 require evidence of pecuniary loss and distress, and will not be awarded for mere loss of control of personal data. A recent English High Court decision has adopted the same approach to claims brought under the UK GDPR. This is the latest of several recent decisions which affect the viability of mass data breach compensation claims.
Looking Ahead: The correct approach to the interpretation of Article 82 of the GDPR has been referred to the European Court of Justice ("CJEU") by an Austrian court, and a similar referral may shortly follow from the German courts, which may significantly affect the approach both in the European Union, and the UK.
On 31 January 2022, the English High Court delivered its judgment in Stadler v Currys Group Limited (EWHC 160 (QB)), the latest in a series of rulings which appear set to constrain the relatively nascent UK data breach claims industry.
Prior to the decision in Stadler, in November 2021, the UKSC delivered a unanimous judgment rejecting attempts by an individual data subject to bring a "representative claim" (i.e. a US-style "opt out" class action), on the basis that damages are not to be awarded for a mere loss of control of personal data, absent evidence of pecuniary loss and distress (Lloyd v Google LLC [2021] UKSC 50). The claimant in that case could not satisfy the "same interest" test required for a representative action to proceed, as he had not presented evidence of the harm suffered by each individual claimant within the group he purported to represent.
The decision in Lloyd was made pursuant to the superseded Data Protection Act 1998, and while it was assumed that the same approach would be adopted under the UK GDPR, that question has not, until now, been the subject of judicial consideration.
Stadler, albeit not a representative action, concerned an application to strike out a claim for damages (including pursuant to Article 82 UK GDPR) by a claimant who had returned a defective television to a retailer without having logged out of the Amazon Prime app; the claimant's account details were used to purchase a movie for £3.49. Although the retailer refunded the purchase price and made an ex gratia payment of £200, the customer sued for damages. The retailer applied to strike out the claims at a preliminary stage.
The High Court applied the Lloyd analysis to the claims, and reiterated that proof of damage or distress would be required for such claims to succeed. Although the claimant's claim under the UK GDPR was not struck out and was allowed to proceed, it was transferred to the "small claims" court due to its low value, meaning that, in the ordinary course, legal fees would not be recoverable under costs-shifting rules. The Court also struck out the claimant's concurrent claims for (i) misuse of private information and breach of confidence, on the basis that it would be "artificial" to characterise the disposal of a defective device which held information as a "misuse" of that information; and (ii) negligence, because the claimant's pecuniary loss had already been fully compensated.
This indication that claimants bringing claims pursuant to Article 82 UK GDPR will be required to demonstrate loss will be welcomed by data controllers, and appears to confirm the more limited role that representative actions are likely to play in data breach claims. The decision in Stadler is also consistent with other recent English High Court decisions which have resisted attempts to establish a compensatory regime for "mere" data breaches without evidence of harm. By way of example, in Warren v DSG Retail Ltd [2021] EWHC 2168 (QB), the High Court held that a mere failure to keep data secure (in that case, in the face of hacking by unknown third parties) would not constitute "misuse" for the purposes of the tort of breach of confidence and/or misuse of private information; and that no separate tortious duty of care would be imposed in relation to the control of data, since a statutory regime (the UK GDPR) already governed the obligations of data controllers in this respect.
Collectively, these cases are likely to make data breach claims far more time-consuming and expensive to bring, and less viable to fund.
It should be noted that a CJEU referral was made by the Austrian Supreme Court in May 2021 to clarify the scope and operation of Article 82 GDPR, including specifically whether an award of compensation under Article 82 GDPR requires, in addition to an infringement of the GDPR's provisions, that the claimant has suffered harm, or whether the infringement in itself is sufficient for an award of compensation (Referral C-300/21 (Österreichische Post, 12 May 2021)). A similar referral may follow from a January 2021 decision of the German Federal Constitutional Court, which overturned a first-instance judgment that had dismissed a claim under Article 82 without making a clarificatory reference to the CJEU (German Federal Constitutional Court, Decision (Beschluss) dated January 14, 2021, 1 BvR 2853/19). Considering the past decisions of the CJEU in data protection matters, it would not come as a surprise if the European Court adopted a relatively claimant-friendly approach to the interpretation of Article 82.
While, in a post-Brexit world, the European Court's ruling would not be binding in England and Wales, domestic courts are still permitted to have regard to post-exit CJEU rulings when construing retained EU law (under section 6(3) of the European Union (Withdrawal) Act 2018). These referrals will therefore be followed with interest in the United Kingdom as well as within the EU.
Three Key Takeaways
- After a period of apparent easing of the procedural and evidentiary requirements for mass data breach claims, the English courts appear to have raised the bar again. This may hamper the growth of specialist mass data breach law firms in the UK.
- CJEU rulings expected in late 2022 or early 2023 may signal a different approach within the EU, with many expecting the European Court to rule that mere data breach could attract compensation without proof of specific loss. If that occurs, it remains to be seen whether the English Courts will be influenced to follow that direction, or whether the UK and EU will follow divergent paths on this issue.
- Developments over the coming 12 months will be followed closely both by data controllers/processors, and those law firms that have a focus on supporting mass data breach claims.