Frequently a claim arising out of a potential data breach is accompanied by parallel claims alleging that there has also been a Misuse of Private Information (MPI) or a Breach of Confidence (BOC). However, the three causes of action should not be seen as synonymous, and a recent High Court decision of Saini J highlights the dangers of not paying sufficient attention to the constituent elements of these distinct causes of action.
Darren Lee Warren v DSG Retail Limited  EWHC 2168
DSG is a retailer that operates the “Currys PC World” and “Dixons Travel” brands. Between 2 July 2017 and 25 April 2018 DSG was the victim of a complex cyber-attack that infiltrated its systems. During the course of the attack, the hackers accessed the personal data of many of DSG’s customers.
The Information Commissioner investigated the circumstances of the attack and found that DSG had breached the seventh data protection principle (DPP7) that requires “appropriate technical and organisational measures to be taken against unauthorised or unlawful processing of data”.
The Claimant had been a customer of DSG and claimed that following the attack, his personal data had been compromised. He consequently brought an action against DSG relying on BOC, MPI, a breach of the Data Protection Act 1998 (DPA) and common law negligence.
DSG applied for summary judgment and/or to strike out each claim save for that part that alleged a breach of DPP7.
The Claims for BOC and MPI
While the Claimant conceded that the BOC claim was untenable, Saini J nonetheless considered the BOC claim as part of his analysis.
The Claimant did not allege any positive conduct on the part of DSG and there was certainly no suggestion that DSG had purposefully facilitated the cyber-attack. Rather the Claimant’s case was that DSG had failed to provide sufficient security for the Claimant’s data. At §22 Saini J held:
“In my judgment, neither BOC nor MPI impose a data security duty on holders of information (even if private or confidential). Both are concerned with prohibiting actions by the holder of information which are inconsistent with the obligation of confidence/privacy.”
That conclusion was supported, in the Court’s view, by “an array of authority” relating to BOC that made clear that the cause of action was concerned with the active disclosure or other use of confidential information.
In a similar way, it was no use for a Claimant to frame a case as MPI. While “misuse” can encompass an unintentional use, the tort still required a “use”, i.e. a positive action:
“In the language of Article 8 ECHR (the basis for the MPI tort), there must be an ‘interference’ by the defendant, which falls to be justified. I have not overlooked the Claimant’s argument that the conduct of DSG was “tantamount to publication”. Although it was attractively presented, I do not find it persuasive. If a burglar enters my home through an open window (carelessly left open by me) and steals my son’s bank statements, it makes little sense to describe this as a “misuse of private information” by me. Recharacterising my failure to lock the window as “publication” of the statements is wholly artificial. It is an unconvincing attempt to shoehorn the facts of the data breach into the tort of MPI.”
The Court concluded that “…I accept DSG’s submission that the Claimant’s claims in BoC and MPI are ill-founded. Those causes of action do not impose a data security duty upon DSG but that is what in reality is being claimed. They have no realistic prospect of success and also fall to be struck out based on the pleaded case.”
The Claim in Negligence
The Claimant’s allegations of negligence also failed on the basis of two fatal problems.
First, in Smeaton v Equifax Ltd  2 All ER 959 the Court of Appeal held that there is neither the need nor the warrant to impose a duty of care where the statutory duties under the DPA 1998 operate. Mr Justice Saini went on to note, inter alia, that:
- Imposing a duty owed generally to those affected by a data breach would potentially give rise to an indeterminate liability to an indeterminate class;
- Doing so would be otiose, given the obligations imposed by the DPA. It is notable that the Claimant’s particulars (§§15.1.1 – 15.1.4) simply apply the alleged DPA breaches as particulars of alleged negligence. There is nothing added; and
- In my judgment, there is no room (nor indeed any need identified) to construct a concurrent duty in negligence when there exists a bespoke statutory regime for determining the liability of data controllers. That regime provides for relief of precisely the same nature as is claimed in negligence in this claim.
Adopting conventional principles, the Court found no duty of care to exist; proximity was not created by the customer relationship and it would not be fair, just or reasonable to impose a duty.
Even if that analysis was wrong, which respectfully I would suggest it was not, the negligence claim also had to fail because of the nature of the loss claimed. The Claimant sought damages for distress and anxiety. While that is sufficient to base a claim for compensation under the DPA, it was not sufficient to complete the tort of negligence: “a state of anxiety produced by some negligent act or omission but falling short of a clinically recognisable psychiatric illness does not constitute damage sufficient to complete a tortious cause of action”.
For those two reasons, the Claimant’s claim in negligence was also struck out.
The judgment is a welcome analysis of the proper scope of MPI and BOC and demonstrates the dangers of conflating alleged breaches of DPA with causes of action aimed at the protection of privacy or information from unwarranted disclosure.
The judgment also has potentially important costs implications for Defendants. Section 44 of the Legal Aid, Sentencing and Punishment of Offenders Act 2012 (LASPO), had the effect of preventing the recovery of success fees in most civil litigation.
However, an exemption was made in LASPO’s commencement order (the (Commencement No. 5 and Saving Provision) Order 2013, SI/2013/77) for “publication and privacy proceedings”. These proceedings were defined as ‘proceedings for (a) defamation; (b) malicious falsehood; (c) breach of confidence involving publication to the general public; (d) misuse of private information; or (e) harassment, where the defendant is a news publisher’.
The consequence of this was that claimants could still recover CFA success fees in claims for MPI. Whilst that exemption was abolished for CFAs entered into after April 2019, there are still plenty of pre-April 2019 CFAs that are to come before the Courts where a claimant has a claim for MPI running alongside a conventional DPA claim.
Given the potential costs exposure success fees bring, Defendants should think seriously about the potential for striking out the MPI elements of such claims. Warren v DSG affords some welcome arguments in support of such applications.