All businesses are vulnerable, to some degree, to threats of cyber-attacks which can result in personal data held by the organisation being compromised.

The evolution of data protection laws continues to tighten duties imposed on businesses to implement measures to securely handle personal data, and the consequences of a data breach are likely to be significant to an organisation.

While we can assist with ensuring you are complying with your data security obligations under GDPR, it is important that your data security measures are effective and properly protect individuals’ data.

In the recent case of Warren v DSG Retail Ltd, the High Court handed down a judgment by Mr Justice Saini in which he provided some clarification in relation to claims by individuals for data breaches. The judgment is likely to impact the way such claims are brought in the future. So, what happened in this case?

Background

The defendant, DSG Retail Ltd (“DSG”) more commonly known as the operator of Currys PC World and Dixons, had been a victim of a cyber-attack between July 2017 and April 2018 causing a data breach. Consequently, the breach was being investigated by the Information Commissioner’s Office (“ICO”).

As the breach occurred prior to the GDPR coming into force in May 2018, the ICO in its decision found that DSG had breached Principle 7 of the Data Protection Act 1998, which requires businesses to have in place appropriate technical and organisational measures to be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to personal data. In addition to the finding of a data breach, the ICO also issued a monetary penalty notice of £500,000 against DSG.

The requirement to have in place appropriate technical and organisational security measures is fundamental and equivalent provision has been made for it under the GDPR in Article 5(1)(f).

The claimant, Warren, brought a claim against DSG alleging:

  • breach of confidence (“BoC”);
  • misuse of private information(“MPI”);
  • breach of statutory duty; and
  • negligence.

Warren also sought damages of £5,000.

DSG applied to the court for summary judgment or an order to strike out all of the above claims except for breach of statutory duty which arose as a result of the alleged breach of Principle 7 in accordance with the ICO’s decision.

DSG was successful in its strike out application and the judge upheld the strike out of all claims but the breach of statutory duty which has been allowed to proceed.

Reasons for permitting strike out of the claims

Breach of confidence and misuse of private information:

Saini J made clear in his judgment that in order to have a successful claim against the information holder i.e. DSG, for both breach of confidence and misuse of information, there is a requirement for there to have been a positive wrongful action by DSG relating to the information.

The Judge also further emphasised that, “neither BoC nor MPI impose a data security duty on the holders of information (even if private or confidential). Both are concerned with prohibiting actions by the holder of the information which are inconsistent with the obligation of confidence and privacy”.

While it was accepted that DSG had failed to provide adequate security for the data, it had not committed a positive wrongful act that caused the data breach but rather it was a victim of a cyber-attack. Even though the definition of ‘misuse’ includes unintentional use, the act of ‘using’ constitutes a positive act, which DSG had not done.

Negligence:

Warren’s claim of negligence was also struck out on the basis:

  • Firstly, that DSG owed no such duty of care of information security where the statutory duties under the Data Protection Act 1998 were operational; and
  • Secondly, the nature of the claimed loss i.e.  distress was insufficient. Warren would have had to show that he had suffered some harm or injury. The mere state of anxiety and distress claimed by Warren as a result of his data being compromised fell short of a clinically recognised psychiatric illness, therefore was insufficient to constitute damage.

Conclusion

The claim will proceed on the grounds of breach of statutory duty. However, for now, the claim has been stayed as DSG is appealing both the ICO’s decision and the monetary penalty notice it has been issued.

While the judgment appears to significantly narrow down the scope of claims of data breaches by data subjects, it is worth noting where a company does commit a positive wrongful act in respect of personal data and is not a victim of a cyber-attack, the data subject is likely to have a strong claim against the company.

The above is one of several claims shaping the nature of data protection claims. We eagerly anticipate judgment by the Supreme Court in a landmark data protection class action in the case of Lloyd v Google LLC. The judgment is expected to provide clarification on two key areas:

  • Can a data subject claim and the court award damages purely on the basis of loss of control of data without establishing financial loss or distress? And if so, what is the likely value of such claims?
  • It will also provide direction on whether and how class actions are likely to be dealt with in the UK.

We will update on the position as soon as judgment is handed down.

If you or your business requires any assistance with data protection matters, please get in touch with our commercial team or contact us here.