The Data Brief

A monthly data protection bulletin from the barristers at 5 Essex Chambers

An inferential case will not an entitlement to damages establish …

28 February 2024

In Farley v Paymaster (1836) Ltd [2024] EWHC 383 (KB), a judgment of Nicklin J handed down on 23 February 2024, the Defendant sought a strike out / summary judgment of claims for breach of the General Data Protection Regulation and / or the Data Protection Act 2018 and / or for misuse of private information brought by over 450 current or former police officers employed by Sussex Police (“the Dismissal Application”).  The Defendant was the administrator of the pension scheme to which the Claimants belonged.

In August 2019, the Defendant sent out an annual pension statement (“ABS”) which included private information including name, date of birth, national insurance number and pension details.  While there was an issue as to the extent of private information in each ABS, it was common ground that, for these Claimants, they had been sent to out-of-date addresses.  The Information Commissioner took no action against Sussex Police (the data controller) who were not a party to the proceedings.

On 2 April 2020, the Defendant admitted a data breach and that the Claimants could pursue a claim for “loss, damage and/or distress allowable at law”.  A claim form on behalf of what were then 474 Claimants was filed on 22 April 2021 with a “Master Particulars of Claim” setting out the generic claim made by all Claimants.  Following a Part 18 request, individual schedules were served for each claim.

The Claim for Breach of Data Protection Legislation / Misuse of Private Information

he Claimants’ primary complaint was that sending the ABSs to out-of-date addresses breached data protection legislation as it amounted to unlawful processing which had caused non-material harm.  Further, by sending the ABSs to “unknown third parties” there had been an intrusion into their privacy and/or a misuse of private information.   The Claimants’ reliance on an inferential case that an ABS had been opened and read by a third party was pivotal, given that, as the individual schedules revealed, only 14 Claimants could advance a positive case that the envelope containing the ABS had in fact been opened by such a party.

As to damage, the Claimants alleged that they had suffered “anxiety, alarm, distress and embarrassment” because their private information had or may have passed into the hands of unknown third parties.  On that basis the individual claims were valued at between £1,250 and £1,500, the Claimants’ pre-issue costs standing at £1.2M with an estimated budget to trial of £2.55M.  On 31 August 2022, rather than seek to amend their existing claims, a sub-set of 63 Claimants issued a second claim for personal injury – a step which Nicklin J described as leading to a “procedural thicket”, but which did not substantially increase the value of the individual claims.

Dismissal Application

The Defendant denied that the mere handling of an unopened opaque envelope marked “private and confidential” could constitute misuse under data protection law or misuse of private information given the threshold for seriousness for both causes of action.  There had to be evidence that the ABSs had been opened and read by a third party.  They challenged the Claimants’ maintained argument that an inferential case was sufficient or that the simple act of wrongly addressing an ABS, with the risk of it being viewed by a third party, was actionable.   Finally, the Defendant contrasted the level of compensation sought against the costs of the litigation, arguing that the Court should dismiss the claims as an abuse of process, applying the principles established in Jameel v Dow Jones & Co Inc [2005] QB 946 (i.e. “the game is not worth the candle”).

The Decision

In a careful judgment Nicklin J:

  • Citing TLT v Secretary of State for the Home Department [2018] 4 WLR 101 (a data protection claim) and Warren v DSG Retail Ltd [2021] EMLR 25 (a cyber-attack case), held that a viable claim for misuse of private information and /or data protection required each Claimant to establish that there was a real prospect of demonstrating that the ABS had been opened and read by a third party. The judge illustrated the principle by reference to the cohort of Claimants (at least 100) where the ABS had been unopened.  These claims had no reasonable prospect of success and also fell to be summarily dismissed.
  • Rejected the argument that it was enough to show that private information had been put at risk. The tort of misuse of private information required more than its apprehension – however distressing. Similarly, until the ABS was opened and read by a third party, there had been no unlawful processing.  The concept of a near miss may be relevant to regulatory action under the data protection regime but not a civil claim for damages.
  • As to those claims where the ABS had not been returned unopened, they too stood to be struck out or dismissed. There must be a “solidly based” factual premise to allow a Court to infer that a letter had been published beyond its named recipient. Pleading a bare inference was not enough.  That, in a small number of cases, there was evidence that the ABS had been opened, did not provide a reliable evidential base from which to draw a general inference in other claims.  It supported an inference in the opposite direction and amounted to an impermissible attempt to reverse the burden of proof.

The effect of the judge’s reasoning was that only 14 claims survived the Dismissal Application.  Even then, Nicklin J observed that some of these claims might be dismissed at trial for failure to meet the threshold for seriousness.  While hearing argument on whether such a threshold applies to a data protection claim (as it does for a claim for misuse of private information), the judge concluded that this factual question better determined at trial. He declined to dismiss the 14 claims under the Jameel jurisdiction finding that, now that the Court was no longer confronted with a pseudo-class action, it could deal with these claims in a proportionate manner.  Had liability been admitted then the appropriate step would have been transfer to the County Court and allocation to the small claims track.

Comment

Reports of public or private entities sending correspondence (including emails) to the wrong address are not uncommon. This decision is a useful reminder that it is the claimant who bears the burden of establishing a positive action i.e. that their information has been misused or unlawfully processed.  Where the claim relies simply on inference, the burden becomes more onerous.  Those who face such claims will keep the Jameel argument in mind as well the decision of Nicklin J in Cleary v Marston (Holdings) Ltd [2021] EWHC 3809 (QB) where the judge said that there existed a category of non-defamation media and communications claims, characterised by low value and a lack of complexity, capable of being brought and fairly tried in the County Court.  There, a data protection claim arising from the sending of an email to the wrong person made a swift exit from the High Court to the County Court small claims track.


Authors

Bilal Rawat

Call 1995

The Data Brief

A monthly data protection bulletin from the barristers at 5 Essex Chambers

The Data Brief is edited by Francesca Whitelaw KC, Aaron Moss and John Goss, barristers at 5 Essex Chambers, with contributions from the whole information law, data protection and AI Team.

Visit the Information Law, Data Protection and AI area

Search The Data Brief

Portfolio Builder

Select the practice areas that you would like to download or add to the portfolio

Download    Add to portfolio   
Portfolio
Title Type CV Email

Remove All

Download


Click here to share this shortlist.
(It will expire after 30 days.)