Letters: Showing statement was opened was not integral to claim
The Court of Appeal has overturned a High Court decision that appeared to limit the rights of data breach victims to bring claims.
The solicitor for the claimants in Farley v Paymaster (1836) Ltd said the decision would have “a positive impact not just for our clients, but for data breach claimants across the jurisdiction”.
Lord Justice Warby, giving the unanimous ruling of the court, held there was no “threshold of seriousness” for bringing a data breach claim, nor was an allegation of ‘distress’ an essential ingredient of a tenable claim.
The claimants, current or former police officers of Sussex Police, sued after the defendant, which manages their pension scheme as Equiniti, mistakenly posted their annual pension benefit statements (ABSs) to out-of-date addresses.
The information in each statement varied but broadly contained the officer’s name, date of birth, National Insurance number, and details of their salary and pension.
Each officer was informed of the error and offered the chance to sign up to a fraud protection service paid for by Equiniti.
The Information Commissioner was informed but told Sussex Police – which was not a defendant in the claim – that no further action was needed. The commissioner intervened at the invitation of the Court of Appeal.
Each claimant initially claimed damages of £2,000 for misuse of private information, and between £1,065 and £2,606 for the data protection claim, although in court their counsel estimated that the total value of a typical claim would be in the region of £1,250 to £1,500.
The amended claim now is that the breaches led each appellant to experience “anxiety, alarm, distress and embarrassment” at the prospect or possibility that their personal data may have come into the hands of third parties and been misused or exposed to the risk of misuse – pleaded as “non-material damage”.
Some 42 of the appellants allege that the breaches aggravated a pre-existing medical condition.
Last year, Mr Justice Nicklin allowed just 14 of the 446 claimants to continue their cases as the only ones who could show the ABS was opened by a third party. Even then, he cast doubt on whether they would lead to damages at trial, saying they first had to show the ABS was read.
Warby LJ said the judge was wrong to strike out the claims. “Each of the appellants has pleaded a reasonable basis for alleging that the respondent’s mistake involved infringement of the GDPR [General Data Protection Regulation].
“Proof that the data were disclosed is not an essential ingredient of an allegation of processing or infringement. The appeal on the infringement issue should therefore be allowed.”
As to whether the claimants had stated a basis for making a reasonable claim for compensation under the GDPR and Data Protection Act 2018, Warby LJ went on: “An allegation of ‘distress’ is not, as the respondent has submitted, an essential ingredient of a tenable claim.
“Nor can the claims be dismissed for failing to meet a threshold of seriousness. There is no such threshold in EU data protection law. We are not bound to hold that such a threshold exists in domestic data protection law. Nor is there any other good reason to do so.”
The court said the fact the claimants could not prove their ABS was opened and read “does not of itself show that the fears they entertained were not well-founded”. But they would have to prove a reasonable basis for fearing that it happened and that this would result in identity theft or one or the other consequences which they feared might follow.
The question had to be answered case by case, and this “is not the appropriate court to carry out that exercise”, Warby LJ said. He remitted it to the High Court, “which may conduct the review itself or give directions for it to be carried out in the county court”.
He added that the Jameel jurisdiction did not provide a reason to bypass that process – under this, proceedings can be abusive if they are objectively pointless and wasteful, even though they raise an arguable cause of action.
“These claims as a class cannot be categorised as Jameel abuse although the question of whether any individual case is abusive will remain for consideration,” he said.
Even though the damages claim may in many of the cases be modest, this “cannot of itself be sufficient to justify dismissal of the claim”.
The defendant’s “real driver” here was the scale of the costs, Warby LJ said. Nicklin J said that the claimants’ pre-issue costs were around £1.2m, or just over £2,500 per claimant, with their estimated budget for a trial of lead cases £2.55m, and the defendant’s £2.7m.
The claimants’ solicitor, Kingsley Hayes, partner and head of data and privacy litigation at KP Law, said: “This is a major step forward for data breach victims. The Court of Appeal has confirmed that organisations cannot avoid responsibility simply because claimants cannot prove their data was read by a third party.
“The judgment makes clear that unlawful processing alone is enough to found a claim, and that people are entitled to compensation where their fears of misuse are supported on solid grounds.
“Importantly, the court has also rejected the idea that lower-value cases are trivial or abusive, confirming that all claims deserve to be heard and managed proportionately.
“This decision will have a positive impact not just for our clients, but for data breach claimants across the jurisdiction.”
Leave a Comment