Press enter to search, esc to close
The High Court has handed down judgment in Rolfe & Ors v Veale Wasbrough Vizards LLP  EWHC 2809 (QB) providing welcome guidance for data controllers on the approach the High Court will take in claims concerning a one-off data breach. The Court granted the Defendant summary judgment and awarded them indemnity costs. This was because there was no credible case that distress or damage over a de minimis threshold would be proved.
Mr and Mrs Rolfe and their daughter, Miss Rolfe, brought a claim against Veale Wasbrough Vizards LLP (VWV) for damages for misuse of private information, breach of confidence, negligence, damages under Article 82 of the GDPR and section 169 Data Protection Act 2018.
Mr and Mrs Rolfe owed school fees to Moon Hall Schools Educational Trust, Miss Rolfe’s school. The school had instructed VWV to write to Mr and Mrs Rolfe with a demand for payment. VWV intended to send the demand letter and copy of a statement of account to Mrs Rolfe via email. However, owing to a typographical error, VWV’s email was sent to an incorrect email address. The incorrect recipient responded promptly identifying that they did not think the email was intended for them to which VWV responded by asking them to delete the message. The incorrect recipient confirmed they had done so.
The private information sent within the email included the names and home address of the Claimants, the amount of school fees owed together with a statement of account for the previous 5 years. No phone numbers, bank details or details of the state of the Claimants’ finances were included in the letter.
The Rolfes claimed that as a result of the breach they had “lost sleep worrying about the possible consequences”, and that the disclosure had made them feel ill.
VWW applied for summary judgment on the basis that the claim had no real prospect of success.
VWV’s application was granted because there was no credible case that distress or damage over a de minimis threshold would be proved and a remedy would not be granted where no harm has credibly been shown.
It was not disputed that damages could be recovered for breaches of data protection regulations and misuse of private information, including for distress absent specific pecuniary loss. However, Master McCloud emphasised that the complainant must have suffered actual damage and that “one cannot succeed in a claim where any possible loss or distress is not made out or is trivial.” Of particular influence in the decision were Sir Geoffrey Vos’s widely quoted words from Lloyd v Google  QB 747 regarding a threshold of seriousness being applied to misuse of private information claims and that damages would not be awarded for “an accidental one-off data breach that was quickly remedied”.
Here, given the “minimally significant” nature of the information disclosed and the circumstances of the breach (including the rapid request that the recipient delete the data, and no evidence of onwards transmission or misuse), the Master did not consider that damage over the de minimis threshold could be proved. She queried what harm had arguably been done to the Claimants and declared the Claimants’ distress allegations as an “inherently implausible suggestion that the minimal breach caused significant distress and worry or even made them 'feel ill'”.
She further stated that in the 21st century “no person of ordinary fortitude” could suffer the distress claimed in circumstances where a single data breach was quickly remedied, and that it was not appropriate for similar “trivial” claims to be brought, “especially in the High Court”.
The Claimants were ordered to pay the Defendant’s costs on the indemnity basis, with an interim payment on account of £11,000.
Data controllers will welcome this robust decision from the High Court challenging an opportunistic claim arising out of a one-off data incident. The decision is indicative of the High Court’s recent lack of appetite to encourage data breach claims which do not pass the necessary threshold of seriousness. It can be hoped that an order of indemnity costs against an unsuccessful claimant will help to stem the tide of similar low value data claims being issued in the High Court.
As a final point, it is worth noting that the deadline for the Claimants to appeal the decision is extended until after the much-anticipated Supreme Court judgment in Lloyd v Google.
Contributor: Galiya Martirosova
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at October 2021. Specific advice should be sought for specific cases. For more information see our terms & conditions
27 October 2021
Partner, Head of Data privacy & cybersecurity London
Managing Associate Bristol
Insights 28 FEBRUARY 2023