English High Court Confirms Narrow Approach to Assessment of Data Breach Liability

On 31 January 2022, the English High Court delivered its judgment in Stadler v Currys Group Limited (EWHC 160 (QB)); the latest in a series of rulings which appear set to constrain the relatively nascent UK data breach claims industry. 

Prior to the decision in Stadler, in November 2021, the UKSC delivered a unanimous judgment rejecting attempts by an individual data subject to bring a "representative claim" (i.e. a US-style "opt out" class action), on the basis that damages are not to be awarded for a mere loss of control of personal data, absent evidence of pecuniary loss and distress (Lloyd v Google LLC [2021] UKSC 50). The claimant in that case could not satisfy the "same interest" test required for a representative action to proceed, as he had not presented evidence of the harm suffered by each individual claimant within the group he purported to represent.

The decision in Lloyd was made pursuant to the superseded Data Protection Act 1998, and while it was assumed that the same approach would be adopted under the UK GDPR, that question has not, until now, been the subject of judicial consideration.

Stadler, albeit not a representative action, concerned an application to strike out a claim for damages (including pursuant to Article 82 UK GDPR) by a claimant who had returned a defective television to a retailer without having logged out of the Amazon Prime app; the claimant's account details were used to purchase a movie for £3.49. Although the retailer refunded the purchase price and made an ex gratia payment of £200, the customer sued for damages. The retailer applied to strike out the claims at a preliminary stage. 

The High Court applied the Lloyd analysis to the claims, and reiterated that proof of damage or distress would be required for such claims to succeed. Although the claimant's claim under UK GDPR was not struck out and allowed to proceed, it was transferred to the "small claims" court due to its low value, meaning that, in the ordinary course, legal fees would not be recoverable under costs-shifting rules. The Court also struck out the claimant's concurrent claims for (i) misuse of private information and breach of confidence, on the basis that it would be "artificial" to characterise the disposal of a defective device which held information as a "misuse" of that information; and (ii) negligence because the claimant's pecuniary loss had been fully compensated.

This indication that claimants pursuant to Article 82 UK GDPR will be required to demonstrate loss will be welcomed by data controllers, and appears to confirm the more limited role that representative actions are likely to play in data breach claims. The decision in Stadler is also consistent with other recent English High Court decisions which have resisted attempts to establish a compensatory regime for "mere" data breaches without evidence of harm. By way of example, in Warren v DSG Retail Ltd [2021] EWHC 2168 (QB), the High Court held that a mere failure to keep data secure (in that case, in the face of hacking by unknown third parties) would not constitute "misuse" for the purposes of the tort of breach of confidence and/or misuse of private information; and that no separate tortious duty of care would be imposed in relation to control of data since a statutory regime (UK GDPR) already governed the obligations of data controllers in this respect. 

Collectively, these cases are likely to make data breach claims far more time-consuming and expensive to bring, and less viable to fund.   

It should be noted that a CJEU referral was made by the Austrian Supreme Court in May 2021 to clarify the scope and operation of Article 82 GDPR, including specifically as to whether the award of compensation under Article 82 GDPR also requires, in addition to an infringement of GDPR provisions, that a claimant must have suffered harm, or whether the infringement of provisions of the GDPR in itself is sufficient for the award of compensation (Referral C-300/21 (Österreichische Post, 12 May 2021)). A similar referral may follow from a January 2021 decision of the German Federal Constitutional Court, which overturned a first-instance judgment which dismissed a claim under Article 82 without making a clarificatory CJEU reference (German Federal Constitutional Court, Decision (Beschluss) dated January 14, 2021, 1 BvR 2853/19). Considering the past decisions of the CJEU in data protection matters, it would not come as a surprise if the European Court adopted a relatively claimant-friendly approach on the interpretation of Article 82. 

While in a post-Brexit world, the European Court's ruling would not be binding in England and Wales, all domestic courts are still permitted to have regard to post-exit CJEU rulings when construing retained EU law (under Article 6(3) of the European Union (Withdrawal) Act 2018). These referrals will therefore be followed with interest in the United Kingdom as well as within the EU.