Another blow for data group claims
The difficulties in proving damage
Another blow for data group claims: the difficulties in proving damage
In Farley -v- Equiniti [2024] EWHC 383 (KB), the court considered whether putting personal information/data “at risk” or “in danger” was sufficient to found a claim for breach of data protection legislation and/or misuse of private information.
Background
In late August 2019, the Defendant, the administrator of the Sussex Police pension scheme, sent to each member of the scheme an annual pension benefit statement (ABS). Unfortunately, the ABSs were sent to out-of-date addresses. Data included within the ABS for each member varied but, generally, comprised the name, date of birth, national insurance number, salary and pension information.
The claim
On 22 April 2021, 474 former or current police offers issued proceedings seeking damages for breach of the General Data Protection Regulation (GDPR) and/or Data Protection Act 2018 (DPA) and/or misuse of private information. In the main, the claims were based on non-material damages for anxiety, alarm, distress, embarrassment and loss of control over their data. Further claims were brought for, amongst other things, personal injury.
On 17 October 2022, the Defendant issued an application seeking to strike out the Claimants’ claims and/or for summary judgment on multiple grounds including that any damage or distress suffered by the Claimants was de minimis (ie not serious enough) and the claims constituted an abuse of process. By the time of the hearing, the damages sought by each of the Claimants were modest in the region of £1,250 to £1,500.
A key question for the court was the damage caused by the posting of a letter containing personal information/data to a third party. The Claimants had positive evidence that the ABS was opened in only 14 cases, and in 11 of those instances the letter were opened by a family member. In only 2 out of 450 cases were the letters opened by someone other than a family member or colleague of the police officer. In the cases in which the letters had not been returned, the Claimant relied upon an inference that the ABS had been opened and read by a third party.
Findings
All but 14 of the claims were struck out.
In order to have a viable claim for misuse of private information and/or data protection, each Claimant was required to show that they had a real prospect of demonstrating that the ABS was opened and read by third party. Absent that, the Claimants had “no real prospect of demonstrating that there had been “misuse””, an essential element of the tort of misuse of private information”.
In the instances where there was evidence that the letter had not been opened by a third party, a danger or risk to personal data did not give grounds for a data protection claim. To be entitled to a remedy, a claimant must demonstrate that they are the victim of a wrong; “A near miss, even if it causes significant distress, is not sufficient”.
The data protection claim was essentially a claim for unlawful processing by sending the ABS to the wrong address. However, if the ABS was not opened then there was no real processing; again, it was a near miss.
Therefore, the claims in which the ABS was returned unopened failed to disclose reasonable grounds for bringing a claim for misuse of private information and/or data protection and were struck out (or, alternatively, were summarily dismissed as showing no real prospect of success).
Even when the ABS had not been returned unopened, unless the Claimant could plead a viable case that their ABS was actually opened and read by a third party, the Claimant had no real prospect of success and the claim would be struck out and/or dismissed. Absent some facts that would compel a different conclusion, the Court will not draw the inference that a letter addressed to a named recipient, clearly marked “private and confidential”, will be opened by a third party who is not the named recipient or authorised by him/her to open correspondence addressed to named recipient.
In the 14 claims in which the Claimants had provided evidence that the ABS had been opened, the cases were “very far from being serious”; some may ultimately be found to be trivial and fall to be dismissed on the basis that they fail to surmount the threshold of seriousness. Those Claimants had yet to produce evidence that the letters were read (and, if read, to what extent), rather than just the envelope opened.
Further, some aspects of the Claimants’ claims for loss and damage were “hopeless” and “exaggerated”. For example, one Claimant expressed fears that the information might be used to identify and target him, his family or his current home when the envelope had been opened by his father only; such was “completely unreal”.
Costs and court allocation
The claim was issued in the Media and Communications List of the High Court of Justice. It is worth noting that by the time of issue of the claim, the Claimants’ pre-action costs were around £1.2M, or £2,500 per Claimant.
The Claimants’ estimated costs to trial were £2.549M and, in addition, the Claimants sought to recover an ATE insurance premium incurred in respect of the misuse of private information claims. The Defendant’s estimated costs to trial were £2.7M.
The court noted that the costs of the Claimants were well in excess of the average damages claim per Claimant.
On allocation, the view of the judge was that, had the Defendant admitted liability, it would be appropriate to transfer the remaining 14 cases to the County Court to be allocated to the small claims track. Only very limited costs are recoverable in the small claims. In light of the Defendant’s denial of liability (the Defendant argued it was a processor, not a controller, of the personal data), it may be convenient to deal with a liability in the High Court as a preliminary issue and the claim could then be transferred to the County Court for an assessment of damages.
Comment
Potential claimants must consider carefully the extent to which they can prove damage caused by a data breach or misuse of information; it is not sufficient to make a bare assertion, especially one that does not tie into the facts of the case.
The decision on misdirected mail may be specific to the facts of this case; does it also apply to misdirected digital communications? Digital data, including meta data, may be extremely important in demonstrating the treatment of an email by a third party.
The judge appeared critical of costs incurred in this case, which may be considered disproportionate to the value of the claims. Had all 474 claimants continued the claims (some were discontinued), the total damages sought would have been up to £711,000 and yet the combined costs of the parties were estimated to be £5.2M excluding the ATE premium. The referral of these types of claims to the small claims court, where only very limited costs are recoverable, is in line with previous decisions of this judge and may prove to be a deterrent to many potential claimants.