Robert Bond considers some recent decisions in data breach claims citing the loss of control of personal information.
Organisations in the USA are well used to class action litigation following data breaches where sizeable out of court settlements are reached. Typically, financial loss and other harm must be shown, although there is a trend towards harm also being demonstrated from loss of control of personal information.
It seems that the courts in the UK and in the EU are rejecting emotional distress claims if the distress cannot be shown to be significant. In other words, losing sleep worrying about where your personal information has gone does not wash.
Johnson v Eastlight Community Homes  EWHC 3069 (QB)
Here, the Master of the Queen’s Bench Division labelled a bid to bring a data breach claim in the High Court where the ‘very modest’ damages would be dwarfed by costs of £50,000 as ‘a form of procedural abuse’. Emma Louise Johnson sued Eastlight Community Homes, a provider of low-cost social housing, after her name, email address and recent rent payments were accidentally disclosed to another tenant. Her details appeared on three pages of a document that was nearly 7,000 pages long and the breach was remedied in less than three hours. Eastlight informed Ms Johnson about the error and that the recipient had deleted the information. They also reported the matter to the Information Commissioner’s Office (ICO), which took no further action. Ms Johnson nonetheless instructed solicitors and her claim was transferred to the small claims track after the court narrowly decided against simply striking it out. Master Thornett said the request for an injunction and a declaration alongside damages was ‘merely an attempt to add credibility to the claim and to convey a greater impression of its importance’.
Rolfe & Ors v Veale Wasborough Vizards LLP  EWHC 2809 (QB)
In another case the High Court found that claimants must show damage or distress over a de minimis threshold to succeed in a claim for compensation. Moreover, costs were awarded against the claimants as the court found their claims that they had ‘lost sleep worrying about the possible consequences’ over a disclosure of their personal data, and that the disclosure “had made them feel ill” and that they were suffering “fear of the unknown” were exaggerated and lacked credible evidence.
NederWoon Verhuurmakelaars (ECLI:NL: RBGEL: 2021:1888)
In a case in the Netherlands in 2021, as reported by Pinsent Masons, a court rejected claims for damages lodged against property platform NederWoon Verhuurmakelaars.
Lawyers acting on behalf of an anonymous house hunter raised the claims for damages. The house hunter had been notified by NederWoon that their data may have been compromised following a hack on its computer systems in May 2019. The hacker was subsequently convicted of a computer hacking offence following a criminal investigation.
The claimant lawyers asked Gelderland district court to find NederWoon responsible for a breach of the right to privacy and the right to protection of personal data and/or failings in relation to rules on data processing and data security under the GDPR. They also asked that Nederwoon pay the house hunter €500 in damages or an alternative amount of compensation for the alleged damage suffered – the value of which would have been determined in separate proceedings.
The court dismissed the claims and found that the claims of damage and distress allegedly experienced by the house hunter following the hacking incident had not been substantiated. The court said:
“The mere assertion that there has been talk of ‘distress’ is insufficient if no substantiation is given showing that [plaintiff] has suffered from this in concrete terms or how this ‘distress’ has manifested itself with him.”
“Other than in the examples from case law mentioned by [plaintiff] in which compensation for immaterial damage has been awarded, it has not been shown that actual abuse was made of the data involved in the hack. On the contrary, it appears from the criminal judgment, as NederWoon also argues, that the hacker had not (yet) sold or transferred the personal data to third parties, while all data carriers that were seized were withdrawn from circulation, so that there is no chance that the data will end up in the wrong hands,” it said.
Data subjects in the UK and Europe are more aware of their data protection rights and coupled with claimant lawyers recognising that data protection group actions may be lucrative for them has led to claims of all shapes and sizes.
Lloyd v Google  UKSC 50
Another significant data protection-related judgment was recently handed down by the UK Supreme Court in Lloyd v Google  UKSC 50 whereby Mr Lloyd wished to bring a representative (opt-out) action on behalf of several million iPhone users on whose iPhones Google had placed cookies which tracked their data, allegedly without their consent. In a representative action it is necessary for all potential claimants to have ‘the same interest’ in the claim and so Mr Lloyd’s proposed claim was limited to damages only for ‘loss of control’ of personal data, rather than financial loss or mental distress which may of course have been different among the class of potential claimants.
The headline points of the decision are as follows:
- The court unanimously allowed Google’s appeal, finding that for a claimant to obtain compensation for a breach of the Data Protection Act 1998 they must be able to show that they have suffered material damage (for example, financial loss) or mental distress.
- The court therefore rejected Mr Lloyd’s argument that compensation could be awarded for the mere ‘loss of control’ of personal data. In other words, the unlawful processing of personal data does not in of itself amount to a form of damage.
- The court also said that for a claimant to recover compensation it was necessary to look at the individual circumstances of each potential claimant in terms of the impact of the unlawful processing.
- On that basis, the court found that it was unsustainable for the claim to proceed without evidence of damage or distress, and therefore the claim had no reasonable prospect of success. The court therefore found that the claimant’s application to serve the proceedings on Google outside the jurisdiction was rightly rejected by the first instance judge.
This judgment is positive news for data controllers and will likely make it much harder for claimant law firms and litigation funders to put together representative actions following data breaches or other infringements. There would be a significant costs burden in establishing that there were applicable damages suffered across a group of claimants, therefore making the economics of such representative actions potentially non-viable. As several other current representative actions were put on hold pending the outcome of this case, the judgment will likely have an immediate practical impact for several organisations which have suffered data breaches in recent years.
The judgment related to the position under the old UK Data Protection 1998 rather than to the GDPR, and so the possibility remains that claimant law firms will seek to distinguish any claims made under the GDPR from the findings of the court. However, given that the judgment required an assessment of the extent of the unlawful processing for each individual claimant, the practical economic challenges of bringing an action of this nature are likely to remain.