High Court Guidance on Data Breach Claims Belonging in the Small Claims Court
In Stadler v Currys Group Limited [2022] EWHC 160 (QB) the Queen’s Bench Division of the High Court awarded summary judgment against the Claimant who had alleged distress as a consequence of the Defendant’s accidental data breach.
The defendant had sold a Smart TV to the claimant which was subsequently returned to the defendant for repair. Upon it being deemed by the defendant’s technical staff that the Smart TV was not repairable the defendant offered to write off the smart TV and compensate the claimant with a voucher. The claimant accepted the offer.
The defendant subsequently sold the Smart TV to a third party without performing a factory reset or wipe. The claimant’s log in for his Amazon app, among others, were still stored on the Smart TV and on or around 31 December 2020 someone using the claimant’s Amazon account purchased a movie for £3.49. The defendant reimbursed the claimant for the Amazon purchase and gave the claimant a £200 shopping voucher as compensation. The claimant subsequently initiated proceedings in the High Court seeking:
a) Damages (including aggravated and exemplary damages) up to £5,000 for (i) misuse of private information ("MOPI"); (ii) breach of confidence ("BoC"); (iii) negligence; and (iv) breach of data protection law, in particular pursuant to Article 82 UK-GDPR and sections 168 and 169 of the Data Protection Act 2018.
b) An injunction requiring the defendant, if it continues to process the claimant's personal data, to act in accordance with the requirements of the UK-GDPR and the Data Protection Act 2018.
c) A declaration that by processing the claimant's personal data the defendant has breached Article 5(1) of UK-GDPR.
The defendant had made an application for summary judgment and /or strike out. By the time the application came before the court both parties had agreed that should any limb of the claim survive then the case should be transferred to the county court.
The claims were struck out save for the data protection claims which the defendant had asked the court to strike out as being de minimis in value. HHJ Lewis at para 43 of Stadler v Currys found that were the data protection claims intended to remain in the High Court then there would be good reason for striking them out on Jameel grounds as “ the claim would simply not be worth the candle” but declined to strike them out as they were to be transferred to the county court where they could be allocated to the small claims track.
There have been several recent decisions along similar lines that data breach cases are minor cases with low damages likely to be ordered. The de minimis principle had previously been applied by Master McCloud in granting summary judgment for the defendant in the case Rolfe & others v Veale Wasbrough Vizards LLP [2021] EWHC 2809 (QB. It seems likely now that solicitors commencing Data Protection Act and associated claims in the High Court, unless they are of significant value, may well face wasted costs orders against them personally as provided for under section 51 of the Senior Courts Act 1981.
Joanna Connolly, SPG Chair