High Court throws out ‘trivial’ data leak claim
In Rolfe & Ors v Veale Wasbrough Vizards LLP  EWHC 2809 (QB) Master McCloud granted the Defendant's application for summary judgment on the basis that there was no credible case that a data leak had caused distress or damage above a de minimis threshold.
The facts of the case are straightforward. The Defendant firm of solicitors sent a Letter of Claim in respect of unpaid school fees. It was intended to go to the Claimants, but in fact was emailed to an individual with a similar name. The recipient replied indicating that they had received the letter in error and had deleted it.
The Claimants sued for damages for 'misuse of confidential information' (presumably 'misuse of private information'), breach of confidence, negligence, damages under section 82 of the GDPR and section 169 Data Protection Act 2013, plus a declaration, injunction, interest, and further or other relief.
Summary judgment application
The Defendant relied heavily on the Court of Appeal's decision in Lloyd v Google LLC  EWCA Civ 1599, in which Sir Geoffrey Vos said: "...the threshold of seriousness applied to section 13 [of the Data Protection Act 1998] as much as to [misuse of private information]. That threshold would undoubtedly exclude, for example, a claim for damages for an accidental one-off data breach that was quickly remedied."
The Defendant advanced the following submissions, which are worth setting out in full, as they were adopted by the Judge:-
"On the facts, the Cs cannot have suffered damage or distress above a de minimis level. The court must look at the reality of the personal information in question and the circumstances in which it was inadvertently sent to one third party:
a. The nature of the private information in question:
i. This is not a case where intimate information about health or a sexual relationship are in play. Names and home address are given, but no further details of home life, no phone numbers are included. There are no bank details or details of the state of the Cs' finances.
ii. The only financial details are the invoice for school fees (the level of fees being publicly available on the school's website), and the statement of account of school fees for the past 5 years – i.e. the amounts C1 and C2 had paid for C3's schooling. These are 25 pages into the attachments. There are documents asking for other financial information, but these are blank and contain no personal data. Whilst the letter states that C1 and C2 have not paid one term's bill, it gives no information as to why that is. It does not say they cannot do so, or anything about their financial position. It states the mere fact of non-payment of this bill, and that if payment is not made, legal action may result.
iii. Whilst Cs assert that there is data relating to C3's location and transport, the only reference to transport is a fee for it – not giving any details of what this transport is or where this transport takes place, contrary to the assertion at para. 9c POC. Therefore the only location data is the school and the Cs' home address.
b. The circumstances of disclosure:
i. The information was disclosed to one individual only, accidentally as a result of a typographical error;
ii. The individual notified D of the error the same day. The next day, when asked to delete the email and confirm that had been done, the individual did so 2½ hours later. There is no reason to think that they did not act in good faith, or even that they read all of the documents in any detail.
iii. The email was encrypted;
iv. That the email went through Gmail servers is irrelevant to the claim, as C1 and C2 have Gmail accounts themselves, and therefore the email, when sent properly, went through this same system.
c. No tangible harm or loss is pleaded or plausible:
i. The (unpleaded) inference in the witness statement of Mr Bennett that phishing phone messages were targeted at C1 and C2 because of this incident is an inference that cannot be drawn. Neither the Cs' phone numbers nor any information about who they bank with was in the email or attachments and therefore cannot have been exploited.
ii. In his witness statement Mr Bennett quotes from correspondence about the number of hours Mr Rolfe spent dealing with the incident. Firstly, there is no claim made for time spent dealing with the incident. Secondly, the number of hours claimed is wholly implausible. When this claim was made in correspondence D queried it (in particular in relation to an email referred to dated 11 August 2019 which did not deal with this matter but rather the matter of the unpaid fees asked for the correspondence between Cs and D/Moon Hall School. The specific point about the 11 August email was not responded to (but it is repeated in Mr Bennett's witness statement), but after chasing, D was sent the documents … which consist of email between 19 and 31 July 2019. … these consist of only a small number of short emails. …This amounts to 6 short emails, the longest of which is 10 lines long (including "Dear..", "Yours sincerely" etc). Whilst Cs will have read the responses, again, these were brief, none amounting to more than approx. ½ a page and most being very brief indeed. This, it is alleged, took over 24hrs (out of a total of 46hrs which it is claimed C1 spent dealing with this matter). This is simply not plausible, and must be exaggerated. It is submitted this is reflective of the Cs' attitude to the claim as a whole, and the court is entitled to take a sceptical view of their assertions of distress. It need not and should not take them at face value.
d. There was no real loss of control of the personal data: "Loss of control" means something more than one third party briefly having access to this relatively low-level personal information and then confirming they deleted it. In Lloyd it was commercial exploitation of that information on a large scale. There the Court of Appeal found that individuals' "browser generated information" had a value and was of commercial value to Google [at 46,47]. In Gulati v MGN Ltd QB 149 it was disclosure to journalists who used the personal information as they saw fit, in particular by publishing in a national newspaper. This is very different.
On the facts of this case, it is simply not plausible that Cs have suffered distress above a de minimis threshold in relation to the accidental sending of this email to one recipient who quickly deleted it. Whilst unfortunate, the incident is simply not of a sufficiently serious nature to have caused damage over the threshold.
[...]
This was an accidental one-off incident where an email address was mistyped and sent to an incorrect recipient. The data contained in the email was not of a very private or sensitive nature. Whilst the incident is unfortunate, it was swiftly remedied – the recipient emailed the same day to say they were the wrong recipient, and quickly confirmed deletion. Incidents such as this occur regularly in organisations throughout the country. Where no harm is caused, or no harm that overcomes the de minimis threshold, no cause of action lies and no claim for compensation will succeed. If it were not so, the court would be bound up with such cases, every time a minor error occurred. This is a case of no harm done. Exactly the type of case Sir Geoffrey Vos was referring to in Lloyd. The Cs have no realistic prospect of proving that they have suffered harm above de minimis, and therefore no realistic prospect of succeeding in their claim for damages"
Claimants ordered to pay indemnity costs
After granting the application for summary judgment for the Defendant, Master McCloud ordered the Claimants to pay the Defendant's costs on an indemnity basis. Reliance was placed on the fact that the claim had been found to be exaggerated and speculative - given any damage was de minimis. Moreover, the Defendant had made a Part 36 Offer to pay the Claimants compensation (which they no doubt now deeply regret not accepting).
Time for making an application for permission to appeal was extended to 21 days beyond the handing down of the Supreme Court's decision in an appeal of Lloyd (this was heard in April 2021 and, at the time of writing, the judgment is outstanding).
It may well be that there is some judicial irritation at the number of 'data leak' claims brought over accidental/minor data breaches, where the claims appear to be cynical and opportunistic. Master McCloud emphasised the point that "whatever cause of action is relied on the law will not supply a remedy in cases where effectively no harm has credibly been shown or be likely to be shown". Self-evidently, precious judicial resources should not be wasted on such claims and defendants should not feel held to ransom. In this regard, an award of indemnity costs sends a clear message to those seeking to capitalise on an honest and minor mistake.
Whilst this particular claim may not have been meritorious, accidental data leaks are a fact of life and in certain cases can cause significant distress (and even financial loss) - one example is disclosing that an individual is HIV positive. In these circumstances, it often makes little difference to the subject whether the breach was deliberate or accidental and the Court should compensate an individual accordingly. Limited publication may also be irrelevant. As with libel, serious damage may also arise where the disclosure is to a limited number of publishees, particularly if they are significant parties in the subject's life.
Turning to Rolfe and the question of whether the information was sufficiently private, it seems that information suggesting that a family is behind on school fees to the extent that they are being pursued by solicitors will be considered by many to be sensitive and, indeed, quite private (although this in itself would not have been sufficient to defeat the summary judgment application).
Finally, there is the question of whether 'losing control' over private information should be sufficient for a data protection or privacy claim to succeed regardless of whether distress was suffered (pausing here, the finding that there was no 'real' loss of control in Rolfe seems, at least, debatable). At the moment, the answer is no. However, the Supreme Court could reach an entirely different view. Unfortunately, that will not necessarily be the end of the matter. Lloyd concerns the Data Protection Act 1998, rather than the prevailing UK GDPR.