There were 887 million reasons why one GDPR story was dominating the press on Friday. But sneaking under the radar was a decision from the English High Court that I reckon should be more interesting to businesses in the UK.
In a nutshell, the High Court rejected a £5,000 claim for distress-related damages brought by an individual whose personal data were involved in a cyber-attack suffered by DSG, a British retailer that operates the Currys PC Worlds and Dixons Travel brands. The claim relied on breach of confidence, misuse of private information, breach of the DPA 1998 and common law negligence, and the judgment is short and easy to digest, so it’s well worth a read.
Distress-based claims are on the rise in Europe. As a reminder, Article 82(1) of the GDPR entitles a person who suffers “material or non-material damage” to seek compensation from the relevant controller or processor. That provision is a game changer, as there will be a whole range of situations in which processing may have no direct monetary ramifications whilst causing potentially significant anxiety or concern to individuals (identity theft and damage to reputation, to name only two).
As a result, courts across Europe have been grappling with when and how distress-based claims should be assessed – and, crucially, the quantum for such claims. We’re closely watching a reference by the Austrian Supreme Court to the ECJ which concerns exactly those questions:
- Is a breach of the GDPR by itself sufficient to award damages?
- Is annoyance or frustration with non-compliance sufficient for an award of non-material damages?
If the ECJ answers those questions in the affirmative, businesses can expect to receive a flurry of what might otherwise be seen as trivial claims based on technical breaches of the GDPR.
In the meantime, the UK High Court on Friday dismissed the claims of breach of confidence, misuse of private information and negligence against DSG, on the basis that (1) breach of confidence and misuse of private information do not impose a data security obligation on the controller, and (2) a state of anxiety produced by a negligent act or omission that falls short of a clinically recognisable psychiatric illness is not sufficient for a tortious cause of action. (The breach of statutory duty claim under the DPA 1998 is pending on DSG’s appeal of the £500,000 penalty issued by the ICO, which will be heard later this year.)
None of this changes the potential application of distress-based claims under the UK GDPR. But in the meantime, businesses in England will be relieved that claims premised on breach of confidence, misuse of private information or negligence – at least in the context of data breaches – are unlikely to succeed.
For these reasons, I accept DSG's submission that the Claimant's claims in BoC and MPI are ill-founded. Those causes of action do not impose a data security duty upon DSG but that is what in reality is being claimed. They have no realistic prospect of success and also fall to be struck out based on the pleaded case.