UK data breach compensation claims influenced by EU court rulings
Thursday 14th March 2024
In a recent High Court judgment, it was decided that for a claim relating to a data breach to give rise to compensation, mere infringement of data protection obligations is not enough. Claimants must be able to demonstrate damage or distress.
What happened?
The judgment in Farley and others v Paymaster (1836) Ltd [2024] EWHC 383 (KB) follows similar recent judgments from the European Court of Justice (CJEU) in that individuals seeking compensation must be able to show what damage they have suffered as a result of an infringement to be in with the chance of claiming compensation. We wrote about a recent CJEU ruling in our Privacy Snapshot here.
In Farley, 400 police officers brought claims against the administrator of their pension schemes for sending letters with private information to out of date addresses. The administrator didn’t update its database. The claimants were seeking non-material damage in the form of ‘anxiety, alarm, distress and embarrassment’ resulting from third parties’ potentially having access to their data, and loss of control of their data.
Misuse of private information
The court struck out most of the claims (but kept alive 14 out of the total 446) on the basis of (1) evidence that some letters were opened and (2) a bare inference that some letters had been opened and read. A near miss can’t be classed as a ‘misuse’ of private information based on an inference that the letters were opened and read. The claimants needed to show a positive action or interference by the defendant.
Data breach claim
Data protection-wise, the High Court clarified that data breach cases hinge on whether personal data had actually been compromised, ‘near misses’ are insufficient. The court referred to the landmark judgment of Lloyd v Google LLC [2022] AC 1217 and the CJEU case of UI v Österreichische Post AG (Case C300/21) (noting the CJEU case was not binding). In this case, the CJEU ruled that without proof of actual damage the right to claim compensation doesn’t arise.
Key takeaways
This ruling may be welcome news to organisations facing these types of claims as it puts the burden on claimants to prove what actual damage they have suffered as a result of an infringement. However, organisations would be well-advised to continue reviewing and updating their data protection policies and procedures because regulatory action (e.g., from the Information Commissioner’s Office) could always follow, as a result of a breach or infringement, as well as claims where claimants do have evidence (such as medical reports) to support their claim of ‘damage’. Not to mention the risk of bad publicity, as well as the time and cost it can sometimes take to deal with such matters.
If you’re facing a claim for misuse of private information or for a breach of data protection law, contact Gordons Privacy and Data Protection team today.