DAC Beachcroft’s Cyber & Data Risk team succeeds in ground-breaking High Court decision, significantly reducing costs in low-value data breach claims

Published 18 November 2021

On 17 November 2021, Master Thornett handed down his Judgment in Johnson v Eastlight Community Homes Ltd [2021] EWHC 3069 (QB ). DAC Beachcroft’s Cyber & Data Risk team and Ben Hamer of 5RB acted for Eastlight Community Homes Ltd (“Eastlight”).

Despite an initial impression of sophistry, Master Thornett observed that the claim included overlapping and often inadequately pleaded causes of action, and the processing of the claim in the High Court’s Media and Communications List constituted a form of procedural abuse by the Claimant law firm, Pure Legal Limited (now in administration).

Master Thornett struck out the entirety of the claim, save for the GDPR claim and confirmed that the case had all the hallmarks of a Small Claims Track claim.

The consequences of the decision are significant. An ATE insurance premium could only have been recovered in the misuse of private information and breach of confidence claims, which were struck out. The Court’s opinion was that there was no basis for the claim to have been issued in the High Court’s Media and Communications List and that the claim ought to be allocated to the Small Claims Track (ultimately a decision for the County Court). This means that the Claimant will only be able to recover the very limited fixed costs provided in that track for the whole claim. Here, the Claimant had incurred £15,000 as at the date of the Hearing and had submitted an estimated budget in excess of £50,000 if the claim was permitted to proceed in the High Court. The estimated costs were many times more than the claim value, which the Claimant had capped at £3,000.

This case will therefore have significant ramifications for how low-value data breach claims should be brought: they may still be brought but should be simplified and within the cost controlled environment of the Small Claims Track of the County Court.

Facts

The facts were simple, as was the claim. The Defendant mistakenly sent a compilation of rent statements relating to a number of its customers to a third party by e-mail. The third party, the sole recipient of the e-mail, immediately notified the Defendant of the error by telephone and after a request was made by the Defendant, confirmed that it had been deleted within 3 hours.

The Claimant’s personal information was included in the compilation appearing at pages 880 – 882 of a 6,941 pages document. It was inferred by the Defendant that it was highly unlikely that the third party had read the Claimant’s information at all.

On 15 March 2021, the Claimant issued proceedings in the High Court’s Media and Communications List seeking damages capped at £3,000. The Claimant sought damages for the misuse of private information, breach of confidence, negligence, breach of Article 8 ECHR, as well as damages pursuant to Article 82 GDPR and damages under the Data Protection Act 2018. The Claimant also sought injunctive relief to prevent the recurrence of the breach and declaratory relief stating that the Defendant had breached the principles enshrined in the legislation.

The Defendant admitted a purely technical breach of Article 5(1) of the GDPR and applied to the Court for the claim to be struck out. The Defendant contended that the Claimant had suffered no loss or damage above the de minimis threshold and even if damage were to be found above the de minimis threshold, the “game [was] not worth the candle” and so should be struck out under the Jameel principle.

Judgment

The inconsistency in the Claimant’s case was observed by Master Thornett. The Claimant claimed to be concerned about the disclosure of her address but acknowledged that the chances of her former partner receiving the information were extremely low. The Claimant had also made no steps to apply to withhold her personal address from the very claim that she was bringing.

The Claimant abandoned the negligence claim during the application hearing. Master Thornett then struck out all claims save for the GDPR claim on the basis that they were collateral to the GDPR claim and were likely to obstruct the just disposal of the proceedings and take up disproportionate and unreasonable Court time and costs.

Master Thornett was mindful that the Court should strive to provide a remedy to any litigant it can, and therefore the GDPR claim was left to survive. Master Thornett was clear, however, to direct the remainder of the claim to the more appropriate forum, the County Court. In doing so, he added that the case had ”all the hallmarks of a Small Claims Track claim that should have been issued in the County Court and so allocated”.

Crucially, the Claimant’s suggestion that the data breach claim was brought in “a developing area of law or where, even if principle is established, requires elaborate and complex legal argument” was dismissed as “unrealistic if not, at least arguably, opportunistic”.

Master Thornett was clear that such cases could be found daily in virtually every County Court and the “lure of adopting a more elaborate and more expensive approach just because the subject matter can so permit is simply unacceptable”.

Furthermore, Master Thornett dispensed with the suggestion that it was necessary to consider the Defendant’s organisational and internal procedures, given a breach had been admitted. Such evidence could never increase or aggravate her subjective distress or perception of loss. Master Thornett observed that such an argument seemed only to ambitiously inflate any realistic value the claim has and was intended to justify track allocation.

In addition to Master Thornett agreeing that the presentation of the claim met the relevant criteria for the County Court, he referred to the Claimant’s costs filed in the Precedent H which were in excess of £50,000. The Master was concerned at the level of the Claimant’s costs and added that such a high level of costs “prompted the Defendant to challenge what this case is really all about, whether it has any value at all, and even if so, why the Claimant has issued and seeks to proceed procedurally in the way she has”. Master Thornett’s views were welcomed by the Defendant as the Claimant had incurred £15,000 as at the date of the hearing, in a claim capped at £3,000.

In one final compelling comment, Master Thornett directed that no “serious privately paying litigant would contemplate spending over £50,000 in costs, not all of which may prove recoverable even in the event of success, and similarly expose themselves to the risk of significant adverse Costs Order following High Court litigation if unsuccessful, for a damages claim less than £3,000.” In the damning Judgment, Master Thornett noted that the presentation and processing of the case in the forum that it had been submitted constituted a “form of procedural abuse”.

Whilst it was not material to the decision, the Claimant had submitted that the de minimis and Jameel principles ought not to apply to GDPR claims, submitting that the GDPR had direct effect and so superseded any inconsistent provisions in the common law and other statutes. The Claimant sought to distinguish Lloyd v Google [2020] Q.B. 747 (in that this judgment had said that damages ought not to be recovered for a one-off data breach that was quickly remedied) as concerning claims under the Data Protection Act 1998 when the GDPR was not in force.

Master Thornett was not persuaded. The common law de minimis and Jameel principles were not inconsistent with the GDPR.

Outcome

The consequences of this decision for low-value data breach claims are stark; the judgment significantly clarifies this area of law for organisations and insurers facing low-value data breach claims.

First, the High Court has given a clear decision that breach of confidence, misuse of private information and other causes of actions that are advanced in low-value data breach claims are simply collateral to a GDPR claim, are likely to obstruct the just disposal of proceedings, and take up a disproportionate and unreasonable amount of Court time and costs. Contrary to how such claims are often presented, such claims are not presented in “a developing area of law or where, even if principle is established, requires elaborate and complex legal argument”. The High Court has seen through the tactics of sophistry that are advanced for the purposes of escalating costs or inflating complexity.

With the significant simplification of such claims to a GDPR claim only, the High Court’s direction is that claims such as these ought to be allocated to the Small Claims Track in the County Court. The fixed costs regime of the Small Claims Track ought to, therefore, apply to any similar data breach claim. As a reminder, on the Small Claims Track, parties are expected to bear their own costs, even if they pursue a successful claim.

Furthermore, in the absence of any misuse of private information or breach of confidence claim, the action can no longer be presented as “publication and privacy proceedings” thereby preventing any possible recovery of ATE premium purchased by the Claimant. Whilst there had already been judicial movement towards this position in cyber security breach claims (see Warren –v- DSG Retail Ltd [2021] EWHC 2168 (QB)) this decision curtails to any low-value breach claim whether it was by cyber criminals or by accident.

This decision, therefore, drastically reduces the cost exposure faced by defendants in low-value data breach claims. At the same time, it still preserves access to justice and the right for claimants to pursue a remedy from the Court, albeit within the confines of the Small Claims Track. Organisations and insurers facing similar low value claims will welcome the positive outcome in Eastlight.

For further information in relation to this decision or enquire about our award winning cyber & data practice, please contact Hans Allnutt, Astrid Hardy or Millie Bailey who advised Eastlight in this claim.

If you are interested in finding out more about data breaches, we will be holding our annual Data Protection & Cyber Conference on 6 December 2021. For those who are yet to register for the event, please click here.