The High Court in Emma Louise Johnson v Eastlight Community Homes Ltd[1] declined to strike out a claim for damages for distress following an isolated one-off data incident which was quickly remedied. In doing so, however, the Court:
- confirmed that the de minimis concept is equally applicable to claims under the General Data Protection Regulation 2016/679 (“GDPR”) and Data Protection Act 2018 (“DPA 2018”), as it was to claims under the Data Protection Act 1998 (“DPA 98”);
- held that a claim for injunctive and declaratory relief in circumstances such as those present in this case was misconceived; and
- offered further welcome dicta on the appropriate forum for the issuance of such claims, transferring the claim to the County Court, and criticising the claimant firm’s conduct.
On 1 September 2020, one of the Defendant's employees sent an email to one of their customers, inadvertently attaching a compilation of rent statements of other customers, which included the Claimant. The attachment was 6,941 pages long and, at pages 880-882, were the Claimant's name, address, and recent rent payments made to the Defendant. The sole recipient of the e-mail immediately notified the Defendant of the error by phone and was asked to delete it, which they did. The inadvertent disclosure, to a single person, lasted less than three hours.
Notification to the Claimant
The Defendant e-mailed the Claimant on 20 September 2020 to inform her of the incident, the fact that the recipient had deleted the information, and that the Defendant had reported the incident to the Information Commissioner's Office (“ICO”) (whilst not accepting the necessity to report it[2]). The ICO subsequently confirmed that no enforcement action would be taken.
On 15 March 2021, proceedings were issued by the Claimant in the High Court, seeking damages limited to GBP3,000, for Misuse of Private Information, Breach of Confidence, Negligence, breach of Article 8 of the European Convention on Human Rights, as well as pursuant to Article 82 GDPR, and to section 169 of the DPA 2018. The Claimant also sought injunctive relief to prevent the recurrence of this type of breach, and declaratory relief stating that the Defendant had breached the principles enshrined in the abovementioned legislation.
Application for strike-out/summary judgment
The Defendant applied for (a) summary judgment on the whole claim under the de minimis principle[3]; (b) strike-out of the whole claim under CPR 3.4(2)(b)[4] under the Jameel[5] jurisdiction; and (c) strike-out of the claim in negligence under CPR 3.4(2)(a)[6].
The claim in negligence was discontinued by the Claimant at the hearing of the Defendant’s application and is not considered further in this article[7].
The de minimis threshold and Jameel
De minimis threshold
The de minimis principle developed through common law and confirms that whilst damages can, in principle, be recovered and other remedies obtained for breaches of data protection law and common law privacy torts, including simply for the distress caused[8], any distress must not be trivial in nature[9].
Jameel was a defamation case in which the court held that as the damage caused in that case was minimal, and the costs of obtaining it would be disproportionate and to the detriment of the wider public in terms of court resources, "the game is not worth the candle", and the claim was struck out. Jameel is authority for the position that any such claim is an abuse of process and should therefore be struck out.
The Claimant’s position and evidence of distress
The Claimant’s position was that:
- Jameel only applied to non-statutory torts (i.e. not to a claim under the GDPR/DPA 2018);
- the GDPR had direct effect and therefore supersedes inconsistent provisions in the common law such as the de minimis principle, and other statutes; and
- the de minimis threshold had, in any event, been crossed.
Court’s view of the compromised data
The compromised data was considered by the Master to be “simply routine” and “not of an obviously sensitive nature”. The Master concluded that:
- the Claimant's election to issue her claim in a publicly identifiable form far eclipsed the disclosure by the Defendant; and
- the Claimant's distress “seems more in the realms of the unknown or the hypothetical than in reality,” and is “historic rather than current”.
Conclusions on the distress based claim
- The Claimant’s contention that Jameel only applied to non-statutory torts was rejected.
- The Master, having analysed the statutory provisions which entitle a data subject to damages for pecuniary or non-pecuniary loss under the DPA 98[10], firmly rejected the contention that the GDPR overruled prior common law. She concluded that “nothing strikes me as distinct in the wording of Article 82(1) of the GDPR as negates continued application (if appropriate) of Jameel or de minimis principles to a damages claim brought under it”. The Master was also critical of the claims being advanced for damages pursuant to both Article 82 GDPR and Section 169 DPA 2018 – the conclusion being that as both legislative provisions provide for the same relief, claims under both render one or the other otiose.
- The Claimant’s witness evidence, which included her name and address (as did the Claim Form), stated that the incident left her “stressed, worried and very anxious” as she had moved to that address to escape an abusive relationship and “had avoided making [her] new address “public” for fear of…contact with [her] former partner[11]”. This, she contended, meant there was a reasonable prospect of showing that loss and damage had crossed the de minimis threshold, which was a factual issue for trial and made the claim not suitable for dismissal at summary judgment stage[12].
Having considered the above, the Master ultimately declined to strike out the claim or award summary judgment in relation to the claim for distress under the GDPR/DPA 2018.
The other causes of action[13]
The Master held that “the test for damages on facts such as these is considered in the round, drawing upon all causes of action as relied upon. There is no separate or sequential process of assessment[14]”. The Master concluded that the claims collateral to the GDPR claim were likely to obstruct the just disposal of these proceedings and take up disproportionate and unreasonable court time and costs and were therefore struck out under CPR 3.4(2)(b) (alternatively CPR 3.1(2)(k) and/or (m)[15]). The High Court had adopted a similar position in Warren[16] (which we wrote about here).
Of particular note is the Master’s criticism of the Claimant’s assertion that the value of damages cannot be predicted at this stage because the assessment of loss required a consideration of the Defendant's organisational and internal procedures (and which would potentially be an aggravating factor if these were identified as falling short of the required standard under the GDPR). That position, she held, “seems ambitiously to inflate any realistic value the claim has…[and] such matters would not only be unknown to the Claimant but more particularly could never increase or aggravate her subjective distress or perception of loss.”
Injunctive and Declaratory Relief
On the facts, the Master concluded that the claim for an injunction was misconceived and the prospect of an award of an injunction non-existent. This was because:
- an injunction is a discretionary remedy granted usually only where it is demonstrated a defendant threatens to commission further torts[17];
- there is no evidential basis put forward to maintain that this was anything other than a one-off error; and
- there cannot realistically be suggested to exist an ongoing threat to the Claimant's personal data, such as to justify an injunction.
It was, in the Master’s view, “merely an attempt to add credibility to the claim and to convey a greater impression of its importance”. The same view was taken of the claim for declaratory relief. The claim “at best” was for “modest damages”.
The Master concluded that:
- There was no basis for having issued the claim in the High Court. The presentation and processing of this case in this forum constituted a form of procedural abuse.
- The real point in this case was whether the Claimant's entitlement is to purely nominal or extremely low damages. Mindful that the court should strive to provide a remedy to any litigant, the claim ought not to be entirely struck out but instead redirected to the more appropriate forum, the County Court.
The claim was therefore transferred out of the High Court and allocated to the small claims track.
Whilst the decision of the Master in not striking out the claim in its entirety is somewhat surprising, the conclusions drawn are reassuring and the decision is the first reported case which confirms that the Jameel and de minimis principles continue to apply to claims under Article 82 of the GDPR / DPA 2018. It also continues the recent helpful lineage of case law in the High Court following the recent cases of Warren (see here) and Rolfe[18] (see here).
The Judgment is critical of claimant firms who layer multiple causes of action in what are simply claims arising from trivial data incidents: such an approach is “simply unacceptable”. The case was, according to the Master, “a Small Claim Track claim that should have been issued in the County Court and so allocated[19]”. The overt criticism of the level of costs both incurred and budgeted by the Claimant should both serve as a stark warning to claimant firms and offer a further beacon of hope to businesses facing such claims that they do not represent the pot of gold at the end of the claimant data breach rainbow.
The clouds have parted, and the sun is beginning to shine.