Data Breach Claims: UK Court seek evidence of credible harm caused - a welcome trend in the assessment of non-material damages
Reading time: 3 mins
Since the introduction of GDPR and Article 82(1) GDPR which introduced the concept of non-material damages for an infringement of this Regulation, practitioners have struggled to interpret the provision and if any threshold was required to succeed with a ‘data breach claim’. Recital 85 which provides additional information on the article references a number of possibilities (but doesn’t differentiate between material and non material) such as loss of control, limitation of rights, discrimination, identity theft, damage to reputation and loss of confidentiality. The controversial issue remains over what level of evidence is required to demonstrate non material loss and whether an infringement per se is sufficient or if demonstrable loss or harm is required. The uncertainty in this area of law has led to a fluctuation of values for these claims and a lacuna between both ends of the spectrum.
There is limited Irish jurisprudence on these issues but two recent judgements in the UK will be of interest to data controllers faced with a damages claim for minor breaches of data protection legislation. These are the recent judgements of Rolfe and others v Veale Wasbrough Vizards  EWHC (QB) and Lloyd v Google LLC  UKSC 50.
The first case relates to an email that was sent by a law firm to the wrong recipient and a subsequent claim for compensation by the correct recipients. The email in question was a demand for payment of school fees. Due to one letter difference in the email address, it went to the wrong recipient.
A claim was made in the High court for damages under Article 82 of the GDPR and section 169 Data Protection Act 2013 citing misuse of confidential information, breach of confidence, and negligence.
The court accepted that in principle damages can be recovered for breaches of data protection regulations and misuse of private information and referred to the principle of loss of control constituting damage as discussed in the second case of Lloyd v Google below.
However, much of the judgement referred to the trivial nature of the breach and the fact that the distress suffered was not plausible. The court stated that the Claimants could not have suffered damage or distress above a de minimis level. The court must look at the reality of the personal information in question and the circumstances in which it was inadvertently sent to one third party.
The court looked at the nature of the personal data and noted that it did not involve health data or financial details and looked at the circumstances of the breach. The email was encrypted, and the receiving person responded promptly and furthermore confirmed that he deleted the message. The court took the view that the claims that it caused sleepless nights for the claimants were not plausible and must be exaggerated.
The court stated that ‘loss of control’ meant more than one third party briefly having access to what was low-level personal information and then confirming they deleted it. In this respect it differentiated the case from Lloyd v Google where there was a commercial gain to Google. The court stated that it was not appropriate for a party to claim for trivial breaches in a modern world and awarded costs against the Claimants.
The second case is the much-awaited Supreme court judgment in Lloyd v Google LLC  UKSC 50 which was an appeal by Google from a court of appeal judgment that had expanded the concept of damages that could be awarded for breaches of data protection legislation to ‘loss of control’ of personal data, even if no distress or material damage had been caused to the claimant. The Supreme Court overturned the court of appeal decision and stated that the claimant had to prove that he or she suffered material damage i.e., financial loss or mental distress to succeed with a data breach claim.
The case involved allegations against Google that they secretly tracked the internet activity of millions of Apple iPhone users in late 2011, early 2012 and used the data for commercial purposes without the users’ knowledge or consent. The representative claim brought by Mr. Lloyd sought a uniform sum of damages of £750 on behalf of more than 4 million Apple iPhone users for alleged breaches of section 4 of the Data Protection Act (DPA) 1998.
Much of the judgement related to the representative action aspect which was held not permissible due to the requirement to establish the extent of the unlawful processing on each case and show that each person suffered a breach of their rights and damages as a result.
On the damages aspect, the Supreme court held that loss of control damages were not available under the DPA 1998. Section 13 required “proof of material damage or distress whenever a data controller commits a non-trivial breach of any requirement of the Act in relation to any personal data of which that individual is the subject”.
While the Google v Lloyd case has limitations in its application due to relating to pre GDPR UK, and particularly where Recital 85 specifically cites loss of control as a potential indicator of loss and damage, both judgements are however indicative of an approach which is equally relevant to the interpretation of Article 82 data breach claims, which is that the courts will require evidence of credible harm caused as a result of infringements of the data protection legislation before non material damages will result. Clearly, we still require clearer guidance and jurisprudence on the interpretation of the concept of non-material loss and the benchmark required to succeed with such a claim. We should have further clarity on these contentious topics later this year as the Court of European Justice is considering these issues following a referral by the Austrian Supreme court. We will keep you updated.