About Us
Locations
Client login
News
Contact
About Us
Locations
Client login
News
Contact

The High Court has handed down judgment in Rolfe & Ors v Veale Wasbrough Vizards LLP [2021] EWHC 2809 (QB) providing welcome guidance for data controllers on the approach the High Court will take in claims concerning a one-off data breach. The Court granted the Defendant summary judgment and awarded them indemnity costs. This was because there was no credible case that distress or damage over a de minimis threshold would be proved.

Background

Mr and Mrs Rolfe and their daughter, Miss Rolfe, brought a claim against Veale Wasbrough Vizards LLP (VWV) for damages for misuse of private information, breach of confidence, negligence, damages under Article 82 of the GDPR and section 169 Data Protection Act 2018.

Mr and Mrs Rolfe owed school fees to Moon Hall Schools Educational Trust, Miss Rolfe’s school. The school had instructed VWV to write to Mr and Mrs Rolfe with a demand for payment. VWV intended to send the demand letter and copy of a statement of account to Mrs Rolfe via email. However, owing to a typographical error, VWV’s email was sent to an incorrect email address. The incorrect recipient responded promptly identifying that they did not think the email was intended for them to which VWV responded by asking them to delete the message. The incorrect recipient confirmed they had done so.

The private information sent within the email included the names and home address of the Claimants, the amount of school fees owed together with a statement of account for the previous 5 years. No phone numbers, bank details or details of the state of the Claimants’ finances were included in the letter.

The Rolfes claimed that as a result of the breach they had “lost sleep worrying about the possible consequences”, and that the disclosure had made them feel ill.

VWW applied for summary judgment on the basis that the claim had no real prospect of success.

Decision

VWV’s application was granted because there was no credible case that distress or damage over a de minimis threshold would be proved and a remedy would not be granted where no harm has credibly been shown.

It was not disputed that damages could be recovered for breaches of data protection regulations and misuse of private information, including for distress absent specific pecuniary loss. However, Master McCloud emphasised that the complainant must have suffered actual damage and that “one cannot succeed in a claim where any possible loss or distress is not made out or is trivial. Of particular influence in the decision were Sir Geoffrey Vos’s widely quoted words from Lloyd v Google [2020] QB 747 regarding a threshold of seriousness being applied to misuse of private information claims and that damages would not be awarded for “an accidental one-off data breach that was quickly remedied”.

Here, given the “minimally significant” nature of the information disclosed and the circumstances of the breach (including the rapid request that the recipient delete the data, and no evidence of onwards transmission or misuse), the Master did not consider that damage over the de minimis threshold could be proved.  She queried what harm had arguably been done to the Claimants and declared the Claimants’ distress allegations as an “inherently implausible suggestion that the minimal breach caused significant distress and worry or even made them 'feel ill'”.

She further stated that in the 21st century “no person of ordinary fortitude” could suffer the distress claimed in circumstances where a single data breach was quickly remedied, and that it was not appropriate for similar “trivial” claims to be brought, “especially in the High Court”.

The Claimants were ordered to pay the Defendant’s costs on the indemnity basis, with an interim payment on account of £11,000.

Commentary

Data controllers will welcome this robust decision from the High Court challenging an opportunistic claim arising out of a one-off data incident. The decision is indicative of the High Court’s recent lack of appetite to encourage data breach claims which do not pass the necessary threshold of seriousness. It can be hoped that an order of indemnity costs against an unsuccessful claimant will help to stem the tide of similar low value data claims being issued in the High Court.

As a final point, it is worth noting that the deadline for the Claimants to appeal the decision is extended until after the much-anticipated Supreme Court judgment in Lloyd v Google.

Contributor: Galiya Martirosova

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at October 2021. Specific advice should be sought for specific cases. For more information see our terms & conditions

Written by

Harriet Loucks

Harriet Loucks

Date published

27 October 2021

Contacts

Click for more detail Gareth Oldale

Gareth Oldale

Partner, Head of Data privacy & cybersecurity London

+44 (0)333 006 1595 Email me
Click for more detail Sam McCollum

Sam McCollum

Partner Bristol

+44 (0)333 006 0397 Email me
Click for more detail Harriet Loucks

Harriet Loucks

Managing Associate Bristol

+44 (0)333 006 1865 Email me

RELATED INSIGHTS AND EVENTS

View all

Insights 17 APRIL 2023

Clarification on "condoning fraud": impact on insurance cover

Read
Photo of court
Read

Insights 28 FEBRUARY 2023

Buy-Now-Pay-Later: key points from the consultation on draft legislation

Read
Read

Insights 15 FEBRUARY 2023

When can lenders sue solicitors on the other side of a property transaction?

Read
Read

Insights 13 FEBRUARY 2023

Suspicious Activity Reports - what have we learnt from updated guidance?

Read
TLT brand graphic
Read

Insights 27 JANUARY 2023

Success for hire purchase lenders in vehicle rejection case

Read
Read

Insights 21 OCTOBER 2022

Damages in data breach claims: High Court awards £250 damages for very modest distress

Read
Read

RELATED SERVICES