Warren v DSG Retail Ltd [2021] EWHC 2168

The High Court has handed down judgment in the case of Warren v DSG Retail Ltd [2021] EWHC 2168.

The judgment is of significance to claims for compensation following data breaches, particularly where breaches are accidental (e.g. following a cyber-attack). The case will also likely have an impact on the recoverability of ATE premiums, allocation and costs recovery. In short, the High Court struck out the Claimant’s claim for breach of confidence, misuse of private information and negligence.

Facts

The case related to a low value dispute (£5,000) brought against Dixons Carphone (“DSG”), a retailer. In 2018 DSG was the victim of a cyber-attack whereby its systems were accessed by an unauthorised third-party. The unauthorised third party infiltrated DSG’s systems and installed malware which ran on 5,930 point of sale terminals at stores. Data relating to around 14 million data subjects was potentially accessed. The Claimant claimed that data relating to him was potentially compromised – his name, address, phone number, date of birth and email address. A claim was brought for breaches of the Data Protection Act 1998, misuse of private information, breach of confidence and negligence.

The application

DSG applied for strike-out/summary judgment of the claim, save for a claim under the Data Protection Act 1998 for breach of the data security duty. In terms of the case under the Data Protection Act 1998, numerous alleged breaches were withdrawn by the Claimant, but the Claimant did not withdraw a claim for breach of the seventh data protection principle DPP7. That issue therefore remained live and was not the subject of the strike-out/summary judgment application.

In short, DSG argued that:

[1] The claims for breach of confidence and misuse of private information require positive wrongful conduct on the part of the Defendant.

[2] There is no duty of care in negligence in respect of conduct covered by the data protection legislation.

The judgment

Mr Justice Sani granted the application, striking-out/dismissing all claims save the claim for breach of statutory duty in relation to DPP7. Relevant sections of the judgment include:

• Paragraph 22:

“In my judgment, neither [breach of confidence nor misuse of private information] impose a data security duty on the holders of information (even if private or confidential). Both are concerned with prohibiting actions by the holder of information which are inconsistent with the obligation of confidence/privacy. Counsel for the Claimant submitted that applying the wrong of [misuse of private information] on the present facts would be a “development of the law”. In my judgment, such a development is precluded by an array of authority.”

• Paragraph 27, in respect of misuse of private information:

“I accept that a ‘misuse’ may include unintentional use, but it still requires a ‘use’: that is, a positive action.”

• At paragraphs 33 to 36 the judge held that there were “two fatal problems with the negligence claim”. Namely, that “[t]here is neither need nor warrant to impose such a duty of care where the statutory duties under the DPA 1998 operate” and “[a] cause of action in tort for recovery of damages for negligence is not complete unless and until damage has been suffered by the claimant. Some damage, some harm, or some injury must have been caused by the negligence in order to complete the claimant’s cause of action. However, a state of anxiety produced by some negligent act or omission but falling short of a clinically recognisable psychiatric illness does not constitute damage sufficient to complete a tortious cause of action.”

In light of the only remaining claim being under the Data Protection Act 1998, Mr Justice Sani transferred the claim to the County Court for directions (paragraph 44).

Conclusion

The decision provides helpful guidance on the viable causes of action that can be included in claims by affected data subjects where there has been a cyber-attack. The case itself will also impact on costs recovery, in light of the more limited scope to bring breach of confidence and misuse of private information claims alongside a claim for a breach of the data protection legislation.

Claimants in these types of disputes commonly obtain After the Event (“ATE”) insurance and seek recovery from the Defendant. Following the Jackson reforms there is limited recoverability for success fees and ATE premia. There is, however, a carve out for “publication and privacy proceedings”. These types of proceedings include misuse of private information and breach of confidence claims, but importantly not data protection claims. Given the ATE insurance can itself be worth more than the damages in issue, these costs are significant in terms of the overall liability exposure for Defendants. The judgment therefore casts doubt on the recoverability of ATE premia from a Defendant where there has been a cyber-attack by an unauthorised third party.

The decision may also have an impact on allocation. These types of claims, which include a claim for breach of confidence/misuse of private information, have often been commenced in the High Court Media and Communications List recently. Given the high volume of these low value claims the list has become increasingly populated with these types of claims. If a claim under breach of confidence/misuse of private information is no longer viable, a Claimant seeking recovery of a low amount of damages for breach of statutory duty under the Data Protection Act 1998/2018 or the General Data Protection Regulation may struggle to avoid allocation to the small claims track (where recovery of costs is not possible).  

While the claim was only worth up to £5,000 it may appear that from a monetary perspective the claim is not significant. However, in practice Defendants increasingly face multiple individual claims or group/class actions.  Prior to this decision that may be driven by a number of factors, particularly the strong chance of a Claimant succeeding for breach of statutory duty (under the Data Protection Act 1998/2018 or the General Data Protection Regulation) but also the possibility of claiming for misuse of private information/breach of confidence and therefore seeking to recover costs appropriate in the High Court and ATE insurance premia from the Defendant.  Taken together, these factors may enable Claimant-specialist law firms to offer a large number of Claimants an opportunity to recover some damages but with very limited (if any) cost risk, which can also create significant leverage for Claimants (and law firms representing them) in settlement negotiations.  If ATE insurance became unavailable, because claims for breach of confidence and misuse of private information are no longer viable, potential claimants will be forced to weigh-up the potential damages available against their risk of costs exposure in the more usual way.

Whether the decision will have an impact on the volume of claims being issued is yet to be seen. Unless reversed on appeal, this decision narrows the basis upon which a claim can be brought and therefore limits funding, likely costs recovery and the availability of ATE premia recoverability. Whether Claimants in the future will seek to plead that the Defendant did take a positive act or acts is not clear – this may however be challenging to prove given the nature of cyber-attacks.

The decision in Warren v DSG Retail Ltd will have an impact on data protection litigation going forward. The next key decision to keep an eye out for will likely be the Supreme Court decision in Lloyd v Google LLC.

Read the full judgment here.

---

Rebecca Keating

Call 2017

Related practice areas

Technology & Telecoms